Shellshock virus: Panic at 'worst ever computer bug'


xper


A computer bug which could allow hackers to take control of hundreds of millions of devices all over the world has been discovered, forcing governments to take immediate steps to protect their critical infrastructure.

 

The security flaw, dubbed “Shellshock”, was found inside a piece of software called Bash, which is used by Apple’s Mac operating system as well as Linux systems and internet servers relied upon by governments, banks and the military.

 

Last night, cyber-security experts suggested that people should stop using their credit cards for online purchases until a solution to the bug, which has existed for more than 20 years, is found and distributed.

 

The UK’s national cyber-security response team, Cert-UK, has issued an alert to all government departments stating that the Shellshock flaw carried the “highest possible threat ratings… for both impact and exploitability”. The US National Cyber Security Division gave it a score of 10 out of 10 for severity and a complexity rating of low – meaning it is easy for hackers to exploit.

 

Cert-UK added that it should be “assumed” that many government computers and other devices would be vulnerable to the bug, adding: “This will inevitably include organisations that are part of the critical national infrastructure.” Many industrial control systems, from power plants to traffic light systems, rely on Bash software to function.

 

http://www.independent.co.uk/life-style/gadgets-and-tech/news/shellshock-virus-panic-at-worst-ever-computer-bug-sees-governments-race-to-protect-critical-infrastructure-9756819.html

https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

 



We are also looking at consumer products being vulnerable to this including routers and potentially consoles like Playstation or Ouya.

And light bulbs. :w00t:

Same mentioned article (go to the original to get the other links):

http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html

 

Are our “things” affected? 

This is where it gets interesting – we have a lot of “things” potentially running Bash. Of course when I use this term I’m referring to the “Internet of Things” (IoT) which is the increasing prevalence of whacking an IP address and a wireless adaptor into everything from our cutlery to our door locks to our light globes.

Many IoT devices run embedded Linux distributions with Bash. These very same devices have already been shown to demonstrate serious security vulnerabilities in other areas, for example LIFX light globes just a couple of months ago were found to be leaking wifi credentials. Whilst not a Bash vulnerability like Shellshock, it shows us that by connecting our things we’re entering a whole new world of vulnerabilities in places that were never at risk before.

This brings with it many new challenges; for example, who is actively thinking they should regularly patch their light bulbs? Also consider the longevity of the devices this software is appearing in and whether they’re actually actively maintained. In a case like the vulnerable Trendnet cameras from a couple of years ago, there are undoubtedly a huge number of them still sitting on the web because in terms of patching, they’re pretty much a “set and forget” proposition. In fact in that case there’s an entire Twitter account dedicated to broadcasting the images it has captured of unsuspecting owners of vulnerable versions. It’s a big problem with no easy fixes and it’s going to stick with us for a very long time.

But Bash shells are also present in many more common devices, for example our home routers which are generally internet-facing. Remember when you last patched the firmware on your router? Ok, if you’re reading this then maybe you’re the type of technical person who actually does patch their router, but put yourself in the shoes of Average Joe Consumer and ask yourself that again. Exactly.

 

This is specific to LIFX light bulbs AND it is about another vulnerability, but the point made remains (potentially) valid:

http://www.smh.com.au/digital-life/consumer-security/security-vulnerability-found-in-lifx-smart-light-bulbs-exposes-home-wifi-passwords-20140709-zt12p.html

jaclaz


So much for linux machines and Macs being safer and virus-proof...

Well, to be fair, there is as always a bit of hype :yes:.

 

The Macs seemingly do NOT have BASH enabled by default (and it is rare to find Macs hosting an http server with CGI and/or PHP).

 

The "corporate" Linux servers, on the other hand, tend to have other means/layers of protection, and at least judging from the effects of the test scanning a nice chap did:

http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html

they are pretty much "safe".

 

Detectify has put a simple online test:

https://shellshock.detectify.com/

 

What are really "at risk" are IMHO more the less/badly maintained (or "fake" Open Source) little Linux devices (where the vulnerability may be present BUT NOT most of them as seemingly busybox is not affected) :

https://www.nccgroup.com/en/blog/2014/09/shellshock-bash-vulnerability/

 

but more than that "home made" servers put together by the "half technical" good guys (technical enough to put together such a system, but not enough to secure it effectively) and devices that use a "more sophisticated" environment than busybox.

 

In any case, the vulnerability is a rather serious one in theory, but in practice the actual effects (if any) seem to be much more limited than what was initially hypothesized as, besides the BASH vulnerability, it seems there must be a number of concurrent factors for the exploit to actually have some impact. :unsure:

https://community.rapid7.com/community/infosec/blog/2014/09/25/bash-ing-into-your-network-investigating-cve-2014-6271

 

jaclaz

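Before trusting an online scanner such as the Detectify page linked above, an administrator can check a machine's own bash locally. The script below is an added example, not code from this thread or from any of the linked posts; it uses the environment-variable probe described in the Red Hat advisory for CVE-2014-6271 and assumes the bash binary to check is on PATH or is passed as the first argument.

```shell
#!/bin/sh
# Added example: local self-check for the original Shellshock defect
# (CVE-2014-6271) in a given bash binary. An unpatched bash, while importing
# an environment variable whose value looks like a function definition,
# also executes whatever follows the function body. A patched bash either
# ignores the trailing text or refuses to import the variable at all.
# A "patched" result covers only this probe, not later related defects.

MARKER="SHELLSHOCK_MARKER"   # constructed token; only a vulnerable bash echoes it

# classify_probe_output OUTPUT -> prints "vulnerable" or "patched"
# Kept separate from the probe so the decision logic can be checked on
# constructed input without needing a vulnerable bash.
classify_probe_output() {
    case "$1" in
        *"$MARKER"*) echo "vulnerable" ;;
        *)           echo "patched" ;;
    esac
}

# shellshock_status [BASH_PATH] -> prints "vulnerable", "patched" or "no-bash"
# Always returns 0 so it can be used under "set -e"; the word is the result.
shellshock_status() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    # The variable value is an empty function body followed by an echo.
    # The command itself ("true") prints nothing, so any output comes from
    # the import step of a vulnerable bash.
    out=$(probe="() { :;}; echo $MARKER" "$bash_bin" -c 'true' 2>/dev/null)
    classify_probe_output "$out"
}

# Stand-alone use: ./shellshock_check.sh [/path/to/bash]
shellshock_status "${1:-bash}"
```

A result of "vulnerable" means bash on that host should be updated from the distribution's packages; for embedded devices that ship bash, the same probe can be run over a local console once you have a shell on the device.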
