The National Vulnerability Database reported yesterday that “GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271.”
In layman’s terms, “With a bug as dangerous as the ‘shellshock’ security vulnerability discovered yesterday, it takes less than 24 hours to go from proof-of-concept to pandemic,” according to Wired magazine, which went on to claim “multiple attacks were already taking advantage of that vulnerability, a long-standing but undiscovered bug in the Linux and Mac tool Bash that makes it possible for hackers to trick Web servers into running any commands that follow a carefully crafted series of characters in an HTTP request.”
As with all computer security vulnerabilities, the work done to completely eliminate all possibility of a hack by a seasoned expert will always be a high-tech game of cat and mouse, but the real danger of something like Shellshock boils down to its speed and simplicity. This isn’t a bug that requires a team of data security savants to execute; it’s something that run-of-the-mill internet trolls and novice security pests can put to use in minutes for the purpose of causing significant disruption or financial losses for online enterprises.
The Bash bug being exploited by Shellshock was discovered by noted security analyst Stéphane Chazelas and announced in an alert from the US Computer Emergency Readiness Team (CERT), but a fully functional automated solution has not been released yet. Red Hat recently warned that the patch initially released to deal with the vulnerability can be circumvented by an assailant using “specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions.”
For the time being, the best defense against this potential threat is constant vigilance and manual oversight by trained data security professionals. NationalNet will continue to keep our clients informed as to the progress being made by CERT, Red Hat and others while we take every possible precaution to reduce risk and maintain the free flow of data without the inhibitions or alternate goals of Shellshock distributors.
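As a starting point for the manual oversight described above, this added example (not from NationalNet, CERT or Red Hat) scans web access logs for header values that begin with a Bash function definition, the marker of the crafted environment values the NVD entry describes reaching Bash through mod_cgi. It assumes the common "combined" log format; the sample lines, addresses and placeholder payload text are constructed.

```python
import re

# Bash parses an environment value beginning with "() {" as an exported
# function definition. Tolerating extra whitespace is a choice of this
# example, made to err toward flagging variants.
FUNC_DEF_PREFIX = re.compile(r"^\s*\(\s*\)\s*\{")

# "combined" access log format; quoted fields may contain escaped quotes.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LOG_LINE = re.compile(
    r"^(\S+) \S+ \S+ \[([^\]]+)\] " + QUOTED + r" (\d{3}) \S+ " + QUOTED + " " + QUOTED
)

def scan(lines):
    """Return (client, header, request, status) for every logged header
    value that starts with a function-definition prefix."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not combined format; skipped rather than guessed at
        client, _when, request, status, referer, agent = m.groups()
        for header, value in (("Referer", referer), ("User-Agent", agent)):
            if FUNC_DEF_PREFIX.match(value):
                findings.append((client, header, request, status))
    return findings

# Constructed sample input: documentation IP ranges, placeholder payload.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [25/Sep/2014:10:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 312 "-" "() { :; }; TRAILING-COMMAND-PLACEHOLDER"',
    '203.0.113.5 - - [25/Sep/2014:10:02:11 +0000] "GET /cgi-bin/test.cgi HTTP/1.0" '
    '404 210 "() { x; }; TRAILING-COMMAND-PLACEHOLDER" "curl/7.30.0"',
    "line that is not in combined format",
]

if __name__ == "__main__":
    for client, header, request, status in scan(SAMPLE_LOG):
        print(f"{client}: function definition in {header}; {request!r} -> {status}")
```

A match shows that a request carried a function definition, not that it succeeded; headers that the combined format does not record (Cookie, for example) need a custom log format or packet capture to inspect.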