Shellshock vulnerability more dangerous than Heartbleed?

By Digital News Asia September 29, 2014

Attackers able to deface websites, steal confidential or sensitive data
Affects half-billion web servers and Internet-connected devices including phones

Shellshock vulnerability more dangerous than Heartbleed? THE cyber-security industry has been on alert over the weekend since the discovery Shellshock, a vulnerability that some are describing as more significant than the Heartbleed vulnerability in April that exposed 66% or more of the Internet to attack.

In an advisory posted on Sept 26, the Malaysia Computer Emergency Response Team (MyCERT) said the vulnerability may allow a remote attacker to execute arbitrary code on an affected system.

Attackers who have exploited this vulnerability and gained unauthorised access would be able to deface websites, steal confidential or sensitive data, and engage in malicious activities, MyCERT said.

Security software specialist Trend Micro Inc said Shellshock impacts approximately a half-billion web servers and other Internet-connected devices including mobile phones, routers and medical devices.

The Shellshock vulnerability allows an attacker to literally run any command on an affected system. This mean the attacker could modify the contents of the web server itself, change the website code, deface the website, steal user data from the databases, change permissions on the website, installing backdoors and much more, as long as the command is conceivable on a Bash shell.

Bash is an open source command shell commonly deployed on Linux, BSD, and Mac OS X operating systems.

Since Linux powers over half the servers on the Internet, Android phones, and the majority of devices in the Internet of Things (IoT), the reach of the vulnerability is extremely broad and the attacks could grow at a very fast rate, Trend Micro warned.

Noting that ‘Bash Bug’ or Shellshock is officially known as the GNU Bash Remote Code Execution Vulnerability (CVE-2014-6271), Symantec Corp said it regards this vulnerability as “critical.”

Although specific conditions need to be in place for the bug to be exploited, successful exploitation could enable remote code execution.

This could not only allow an attacker to steal data from a compromised computer, but enable the attacker to gain control over the computer and potentially provide them with access to other computers on the affected network, Symantec specialists said in a blog post.

Businesses, in particular website owners, are most at risk from this bug and should be aware that its exploitation may allow access to their data and provide attackers with a foothold on their network, Symantec said.

Accordingly, it is of critical importance to apply any available patches immediately, the company added, saying that Linux vendors have issued security advisories for the newly discovered vulnerability including patching information:

Debian—https://www.debian.org/security/2014/dsa-3032
Ubuntu—http://www.ubuntu.com/usn/usn-2362-1/
Red Hat—https://access.redhat.com/articles/1200223
CentOS—http://centosnow.blogspot.com/2014/09/critical-bash-updates-for-centos-5.html
Novell/SUSE— http://support.novell.com/security/cve/CVE-2014-6271.html

Meanwhile, Trend Micro said that just hours after the Shellshock news broke, it spotted malware known as ELF_BASHLITE.A that exploits the Shellshock vulnerability.

This malware is capable of launching distributed denial-of-service and conduct brute force login, enabling attackers to possibly get the list of login usernames and passwords from the affected web server, the company said.

Due to the widespread nature of the Shellshock vulnerability, Trend Micro urged organisations and members of the public to take the precautionary steps listed below:

End-user (consumer): Watch for patches and implement them immediately for your Mac, your Android phone, and other devices you may have.

IT admins: If you have Linux, disable Bash scripting immediately until a patch is available.

Website operator: If Bash is in the script, rescript away from Bash until a patch is available.

Hosting company customer: Ask your provider what they are vulnerable and what they are doing about it.

For more information, follow Trend Micro’s TrendLabs Security Intelligence Blog.

Meanwhile, the Symantec video below provides an explanation of the Bash Bug vulnerability and demonstrates how a likely attack scenario may work: