With the memory of the Heartbleed bug still lingering in the minds of many denizens of the internet, there’s a bigger, badder bug in town. And it’s pretty serious.
Dubbed CVE-2014-6271, also known as ‘Shell Shock’, the newly discovered vulnerability resides in widely used piece of Linux software -- known as “Bash” -- which is the software used to control the command prompt on many Unix computers.
However, as Huzaifa Sidhpurwala, a security engineer at Red Hat points out, since its creation in 1980 Bash has evolved from a simple terminal based command interpreter to something far more integral to the internet.
Big trouble for Unix, Linux and IoT?
But Shell Shock is a big problem for many Unix or Linux web servers. It also affects Mac OS X and with a little bit of Linux embedded in every Smart TV, internet-connected field sensor and thermostat it’s easy to see where some of the usual ‘end of the internet’ hyperbole stems from.
As Errata Security's Robert David Graham exclaims in a post, Internet of Things (IoT) devices like video cameras are especially vulnerable. According to Graham, a lot of their software is built from web-enabled bash scripts.
“Thus, not only are they less likely to be patched, they are more likely to expose the vulnerability to the outside world,” Graham said.
The good news is that many newer devices run a set of tools called BusyBox which offers an alternative to Bash. These devices are not vulnerable to the bug, however, there's going to be a lot of devices out there that aren't running on BusyBox and may never get patched.
According to the team at Symantec, other vulnerable devices include Linux-based routers that have a web interface that uses CGI (Common Gateway Interface), which is a standard method used to generate dynamic content on webpages.
Computers running Mac OS X are also under threat until Apple releases its patch, and Symantec's researchers say the most likely avenue of attack would be through Secure Shell (SSH), a secure communications protocol.
"However, it appears that the attacker would need to have valid SSH credentials to perform the attack. In other words, they would already have to be logged in to an SSH session," Symantec said in its advisory.
The immediate focus will be on patching web servers that manage massive volumes of internet traffic on a daily basis, and with almost 70 per cent of active web servers today running Apache, the bug in Bash is guaranteed to give system administrators across the globe sleepless nights.
But what exactly does Bash do that makes it so important and this bug so dangerous?
Firstly, the sheer scale of how widely Bash is used makes comparison with Heartbleeed appropriate. And while Heartbleed was about siphoning little bits of data and stealing security keys, ‘Shell Shock’ can be exploited by hackers to gain access to webservers.
In lay terms, Bash is essentially a shell (an interface used for access to an operating system’s services) that’s switched on every time a command is issued to an operating system. Bash evaluates and executes every one of these commands, making it integral to how almost all of the software used today interacts with a computer/server.
The bug in Bash undermines the entire interaction, essentially allowing hackers to attach malicious code with the good code and gain access to a system. Once the Bash shell is switched on the bug allows the attacker's code to be executed and leaving the system open to further attacks.
The bug has been around for 22 years and Cloud Security Alliance’s Jim Reavis said in a post that the vulnerability allows hackers to potentially take control of machines remotely.
“A large number of programs on Linux and other UNIX systems use Bash to setup environmental variables which are then used while executing other programs. Examples of this include Web servers running CGI scripts and even email clients and web clients that pass files to external programs for display such as a video file or a sound file,” Reavis said.
“In short this vulnerability allows attackers to cause arbitrary command execution, remotely, for example by setting headers in a web request, or by setting weird mime types for example.”
Australia’s computer emergency response team, CERT Australia, has issued a warning highlighting the vulnerability and recommended organisations to immediately contact their vendor(s) for an appropriate patch.
“The GNU Bash shell contains a critical vulnerability that allows remote code execution by an unauthenticated user. Many Unix-based operating systems are affected, including Linux and Mac OS X. Other systems that include Bash, such as embedded systems, may also be affected,” CERT said.
“CERT Australia recommends that organisations refer to their vendor(s) for an appropriate patch.”
Meanwhile, the federal government's Stay Smart Online alert service has also posted a lengthy advisory for organisations and consumers, urging them to take the threat seriously and apply necessary patches and updates.
Unfortunately, IT security vendor Bitdefender's senior e-threat analyst Bogdan Botezatu suggests that while most operating system vendors have issues patches it may only be a stop-gap measure.
Botezatu says that the patches released are not a complete fix but rather "a barrier to buy vendors more time to find a universal solution."
A gift that will keep on giving for hackers
The Bash bug is another nasty surprise for system administrators, and with countless websites, servers and connected devices in danger, the hard work is just beginning.
Revelations of this sort almost immediately set a legion of hackers into action, with malicious code flying in from every direction to find a way into unpatched systems.
According to Ty Miller, managing director of Sydney-based infosec firm Threat Intelligence, the Bash bug is lot harder to exploit than Haertbleed but the damage that can be wreaked is potentially much higher.
He adds that the Bash bug is a gift that’s perhaps going to keep delivering for hackers for some time to come.
“Heartbleed has led to a lot of attempts (by hackers) to break into a system and this bug will do the same, but probably to a lesser extent given the complexity," Miller says.
One intriguing thing, highlighted by Miller, is how long it has taken for the vulnerability to be found.
"I am surprised no one found this earlier given that the structure of the exploit is very similar to standard operating system command injections," he says.
Given the length and breadth of the internet covered by the bug, Miller adds that simply applying the requisite patches will take a significant amount of time to apply and while Heartbleed was relatively easy to detect the Bash bug is more complex and there's a chance that some vulnerable devices will be missed.
The other question worth considering is just how long state-sponsored players and security agencies have been aware of the Bash bug.
"The NSA knew about Heartbleed long before it was publicly revealed, so you have to wonder how long they might have known about this bug," Miller says.
It’s a sobering thought but the internet has so far survived Heartbleed, it will probably survive ‘Shell Shock’ and things will go back to normal; that is until the next bug rears its head.