What is the Bash bug?
The Shellshock vulnerability, also called the Bash bug, is a security flaw that is poised to threaten over half a billion servers and devices across the globe. Perhaps even wider in scope than the recent Heartbleed bug, Shellshock affects a commonly used open source program called Bash. Bash, the Bourne-Again SHell, is found in almost every version of Linux and Unix operating systems and also in Mac OS X. The program allows users to type and execute commands, even from a remote location. This vulnerability could allow hackers to remotely execute commands without authentication, enabling them to access confidential information and to set the stage for future attacks.
What is affected?
Given the severity of the vulnerability in Bash, it is very probable that more severe and larger attacks on servers will occur in the coming days unless the vulnerability is properly fixed. Possible targets across the world include servers, endpoints, Internet of Things and embedded devices, among others.
Web servers are currently the applications most exposed to exploitation through the Shellshock bug, and the damage to an enterprise whose web servers are attacked can be profound. A compromised server can serve as an entry point from which an attacker runs unauthorized commands to access critical confidential enterprise data. Combined with some form of escalation vulnerability, Shellshock can result in the complete compromise of an affected server. Like web servers, SSH is also prone to attack through the Shellshock bug. To sum up, virtually any server that runs Linux or Unix and uses Bash is at risk of being attacked through the Bash bug.
Some of the embedded devices that form the Internet of Things are built using embedded versions of Linux and are therefore at risk of compromise. Devices of this kind that use Bash can be compromised and the information on them stolen or, even worse, the devices themselves can be used to orchestrate malicious activities as part of a botnet. However, several of these devices are built using BusyBox, which doesn’t use Bash, and are thereby shielded from the Shellshock bug.
End users are less prone to attack through Shellshock because the majority of them run Windows, which doesn’t use Bash. Currently, about 10% of PC users run Mac OS X or Linux, and these systems are also difficult to exploit because they don’t run services such as HTTP through which an attacker could easily reach the PC. However, attacks on endpoints are possible through a rogue DHCP server running on potentially affected hotspots and routers. As far as mobile devices are concerned, Android, the dominant OS, doesn’t use Bash and hence is shielded from the threat. iOS devices don’t use Bash either and are spared from the threat of being attacked.
How to protect yourself from the threat
As of this writing, a patch that addresses the vulnerability is available for the most affected distributions, and ongoing work in this direction should bring about a more comprehensive and efficient solution. End users running Linux systems need to deploy the Bash patches. Enterprises running Apache/Linux web servers can consider retooling scripts to use options other than Bash until a patch is made available. Another important step in protecting servers is to deploy an IPS in front of any vulnerable servers and to ensure that the IPS effectively blocks exploits for CVE-2014-7169. Monitoring the latest updates and applying the relevant patches as and when they are released may help in keeping enterprise servers secure.
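The kind of check an IPS signature performs can also be run over existing web server logs to see whether a server has already been probed. The following is an added example, not part of the original article: it flags requests whose logged fields contain the `() {` prefix that Bash interprets as a function definition in an environment variable. The Apache combined log format, the function names and the sample lines are assumptions made for the illustration.

```python
import re
from urllib.parse import unquote

# Bash treats an environment value that begins with "() {" as a function
# definition; requests carrying that marker in a header are the ones to flag.
FUNC_DEF = re.compile(r'\(\s*\)\s*\{')

# Assumed input: Apache "combined" access log lines. A quoted field may
# contain backslash-escaped quotes, so the pattern allows \" inside it.
FIELD = r'"((?:[^"\\]|\\.)*)"'
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] ' + FIELD + r' \d{3} \S+ ' + FIELD + ' ' + FIELD + r'$'
)
FIELD_NAMES = ("request", "referer", "user-agent")

def check_line(line):
    """Return the names of fields carrying the marker, or None if unparsable."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    # Decode %xx escapes first so a URL-encoded marker is not missed.
    return [name for name, value in zip(FIELD_NAMES, m.groups()[1:])
            if FUNC_DEF.search(unquote(value))]

def scan(lines):
    """Return ([(line_no, client_ip, [field, ...]), ...], unparsable_count)."""
    findings, unparsable = [], 0
    for no, line in enumerate(lines, 1):
        hits = check_line(line)
        if hits is None:
            unparsable += 1          # count these instead of skipping silently
        elif hits:
            findings.append((no, line.split(" ", 1)[0], hits))
    return findings, unparsable

# Constructed sample lines (documentation IP ranges, harmless echo payload).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Sep/2014:10:01:22 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [26/Sep/2014:10:02:05 +0000] "GET /status HTTP/1.1" 200 310 "-" "() { :; }; echo constructed-sample"',
    '203.0.113.4 - - [26/Sep/2014:10:03:41 +0000] "GET /status HTTP/1.1" 404 210 "%28%29%20%7B%20:;%20%7D;%20echo%20constructed-sample" "curl/7.30.0"',
    'not a log line',
]

if __name__ == "__main__":
    findings, unparsable = scan(SAMPLE_LOG)
    for no, ip, fields in findings:
        print(f"line {no}: {ip} sent a function-definition marker in {', '.join(fields)}")
    print(f"{unparsable} line(s) could not be parsed and need manual review")
```

The combined log format records only the request line, Referer and User-Agent, so a marker sent in any other header is invisible to this check and still has to be caught by the IPS or removed as a risk by patching Bash.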