Shell Shock exploit "worse than Heartbleed"

A security vulnerability in the widely used Bash Unix shell has been named by some security experts as a more significant threat than Heartbleed.

The Shell Shock exploit potentially allows hackers to remotely inject and execute malicious code as soon as the shell is invoked, by slipping the code into the extra data attached to Bash shell commands.

Bash is the default shell for OS X and most Linux distributions, and it is used in numerous machines ranging from web servers, computers and mobile phones to IoT devices and appliances. Australian security consultant Nik Cubrilovic told Fairfax Media that Shell Shock has “likely the largest ever attack vector surface for any bug, ever”.

FireEye Director of Threat Research said the Shell Shock bug is “horrible. It’s worse than Heartbleed in that it affects servers that help manage huge volumes of internet traffic. Conservatively, the impact is anywhere from 20 to 50% of global servers supporting web pages. Specifically, this issue affects web servers using GNU BASH to process traffic from the internet [as well as] almost all CGI-based web servers.”

Errata Security consultant Robert Graham likewise wrote on his own blog that unlike Heartbleed, which only affected a specific version of OpenSSL, the Bash vulnerability has been around for a long time. “That means there are lots of old devices on the network vulnerable to this bug. The number of systems needing to be patched, but which won’t be, is much larger than Heartbleed.”

While Red Hat and Fedora have already released fixes for the bug, so many devices running older versions of Bash are potentially vulnerable - including those that are unpatchable - that plugging the hole could prove impossible.

Graham said there is little need for enterprises to rush and fix the bug. “Your primary servers are probably not vulnerable to this bug. However, everything else probably is. Scan your network for things like Telnet, FTP and old versions of Apache ... anything that responds is probably an old device needing a Bash patch. And, since most of them can’t be patched, you are likely screwed.”

ZDNet’s Steven J Vaughn-Nichols has likewise posted recommendations for securing applications running on Linux-based web servers. These include sanitising a web application’s inputs, disabling CGI scripts that call on the shell and considering switching away from Bash and using another shell.

“Of course, the real fix will be to replace the broken Bash with a new, secure one ... It’s extra work, but if I were a system administrator, I wouldn’t wait for my Unix or Linux distributor to deliver a ready-made patch into my hands. I’d compile the patched Bash code myself and put it in place,” he said.

The fixes themselves may not solve the issue - a statement on Red Hat’s Bugzilla page for the exploit states that it has “become aware that the patches shipped for this issue are incomplete. An attacker can provide specially crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions.” Red Hat has posted details of a workaround for this problem.

The Heartbleed bug - discovered earlier this year - drove security experts to a state of collective panic. It involved the discovery of a vulnerability in a version of the OpenSSL cryptographic library that potentially allowed attackers to steal information normally protected by SSL/TLS encryption.

But in May, the CSIRO warned that the new era of cyberattacks will use vulnerabilities that will dwarf the Heartbleed bug. A report from the organisation raised fears that hackers could capitalise on security exploits to shut down critical public infrastructure and steal large quantities of sensitive data. The scale of the Bash bug could potentially prove these warnings to be prophetic.

Image courtesy of Takuya Olkawa under CC