In what seems like the most impactful security vulnerability since the OpenSSL Heartbleed affair, a new Internet-wide bug emerged this week in the Bourne again shell (Bash). While its true severity remains unknown, the Bash vulnerability (also known as “shell shock”) is being talked about everywhere, and you may have even seen your local news anchors discussing the story in front of a green-screen covered in fast-scrolling computer code on last night’s evening news.
What is Bash?
Bash is a command-line shell and scripting language developed by the GNU Project in 1989. It lets users and programs enter commands, which it then interprets and executes at the system level. If you’d like to learn more, head over to the GNU Bash page.
Bash is present in the majority of Unix systems and Linux distributions and also in Apple’s OS X operating system, which borrows many elements from both Unix and Linux. Beyond that, Bash is present in a very large number of Web-servers and in-home appliances including, but not limited to, routers and modems as well as any number of network attached devices and other Internet facing systems.
The Bash bug was discovered by Stephane Chazelas, a Unix and Linux network and telecom administrator at the security firm Akamai. As you can imagine, this vulnerability has been around for some time, perhaps more than 20 years. Like Heartbleed, we can only hope that Chazelas was the first person to find the bug, but we’ll probably never know for certain.
How does the Bash vulnerability affect me?
It did not take long for in-the-wild exploits targeting the Bash vulnerability to show up. These exploits allow an attacker to remotely inject malicious commands into the code or scripts that are executed or interpreted whenever Bash is called upon. In other words, after delivering a successful exploit, an attacker could gain complete control of affected systems.
When asked if the Bash bug was “the new Heartbleed,” our friends on Kaspersky Lab’s Global Research and Analysis Team (GReAT) said:
“Well, it’s much easier for a cybercriminal to exploit than Heartbleed. Also, in the case of Heartbleed, a cybercriminal could only steal data from memory, hoping to find something interesting. By contrast, the bash vulnerability makes full system control much more possible. So it would seem to be more dangerous.”
The Kaspersky researchers also speculated about a scenario in which the Bash bug could be used to steal banking information and eventually money. It is certainly possible for an attacker to exploit Bash and steal your credentials through your personal computer, but it would require that person to find some exploit vector to reach the Bash command interface. This would be no easy feat. More realistically, an attacker would target a server used by your favorite banking site and attempt to harvest a number of accounts and their information at once.
This warning from the United States Computer Emergency Readiness Team perhaps best sums up the criticality:
“This vulnerability is classified by industry standards as ‘High’ impact with CVSS Impact Subscore 10 and ‘Low’ on complexity, which means it takes little skill to perform. This flaw allows attackers to provide specially crafted environment variables containing arbitrary commands that can be executed on vulnerable systems. It is especially dangerous because of the prevalent use of the Bash shell and its ability to be called by an application in numerous ways.”
The fact that the Bash bug is highly impactful and easy to exploit is another difference from Heartbleed, which was highly impactful but difficult to exploit.
How can I protect myself?
The only thing you can do to protect yourself, other than exiting the Internet forever, is to make sure you install the appropriate vendor-specific updates as soon as they become available. As for operating systems running on desktops or laptops, you will have to wait for the people who manage your particular distribution to issue a patch.
As for routers and modems and other home appliances, there will be no one-size-fits-all solution. The most likely scenario is that the makers of all these devices will roll out firmware updates in their own way on their own schedule. These updates, in most cases, will not install themselves like a traditional operating system update.
Problematically, as Kaspersky Lab’s GReAT researchers explained today, Bash is so versatile and used in so many different instances that patches will inevitably be short-sighted. Fixing the Bash vulnerability, therefore, is likely to be a long, drawn-out process of trial and error, which is exactly why a number of researchers and industry media outlets are characterizing the first round of Bash patches as “incomplete.”
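Because the first patches were called incomplete, it helps to verify your own installed shell rather than trust the package version string. The following check is an added example, not code from the original post or from Kaspersky Lab: it hands a given shell binary a constructed environment variable of the form "() { ...}; command" (the variable name x and the marker string are assumptions) and reports whether the shell ran the trailing command while importing the function definition, which is exactly the behaviour the patches are meant to remove.

```shell
#!/bin/sh
# Added defender check (not part of the original post): ask a shell binary to
# start with a constructed environment variable that looks like an exported
# function definition followed by an extra command. An unpatched Bash runs the
# extra command while importing the definition; a patched Bash does not.
# Exit codes: 0 = patched/ignores it, 1 = vulnerable, 2 = could not test.
shellshock_check() {
    shell="${1:-bash}"
    if ! command -v "$shell" >/dev/null 2>&1; then
        echo "shellshock_check: $shell not found" >&2
        return 2
    fi
    # The child shell is only asked to print "probe-ran". The word "marker"
    # can appear only if the trailing command inside the variable was executed.
    out=$(env x='() { :;}; echo marker' "$shell" -c 'echo probe-ran' 2>/dev/null)
    case "$out" in
        *marker*)
            echo "VULNERABLE: $shell executes trailing commands from environment variables"
            return 1 ;;
        *probe-ran*)
            echo "OK: $shell ignores trailing commands in imported function definitions"
            return 0 ;;
        *)
            echo "shellshock_check: unexpected output from $shell" >&2
            return 2 ;;
    esac
}
```

Run it against every shell binary on the host (bash, and any vendor copies under other paths) after applying each vendor update, since a device may carry more than one copy.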
Another problem that I’d like to reiterate is that *nix systems are everywhere, and because of that reality, Bash is everywhere too. There will undoubtedly be machines that run Bash that are not capable of being updated. There will also be machines on which Bash runs but no one realizes it.
As Robert Graham of ErrataSec wrote on his blog, which you would do well to read, “The number of systems needing to be patched, but which won’t be, is much larger than Heartbleed.” To put that in context, Graham claims that hundreds of thousands of sites remain vulnerable to OpenSSL Heartbleed months after patches became available.