On Wednesday, September 24th, a critical vulnerability (CVE-2014-6271) that could potentially allow remote or local attackers to perform arbitrary unauthorized actions on affected systems was publicly disclosed. Unfortunately, the first released patch for the issue was incomplete, resulting in another vulnerability (CVE-2014-7169). As of September 25th, patches have been released by major Linux distribution vendors for both issues.
At Bitium, we treat potential security risks very seriously. While our analysis has indicated there was no immediate threat to our systems, we have taken steps to address both issues.
The issue (dubbed “Shellshock”) lies within the Bourne Again Shell (BASH) and has existed in that software since the early 1990s. Any system with a UNIX-based operating system (e.g., Linux, BSD, Mac OS X) is potentially vulnerable, and that list includes any device (e.g., printer, router, SAN, camera) running a derivative of those systems. Factoring in the growing “Internet of Things” movement, the footprint for this issue is potentially massive.
As the vulnerability can be exploited easily across a network, and attackers need only send a minimal amount of specially crafted traffic to a system or device with a vulnerable service (e.g., web server, SSH, telnet, DHCP, DNS), “Shellshock” has the potential to become one of the most widespread and lingering vulnerabilities to date. The affected software has become so prevalent for so long that there are old systems and devices no longer supported by vendors that will never see a patch. Others that could be patched will go unnoticed until it is too late.
It is highly recommended that you patch all of your systems immediately. Always follow accepted industry patch procedures, and test before deployment.
- US-CERT Announcement
- RedHat CVE-2014-6271, CVE-2014-7169
- Ubuntu CVE-2014-6271, CVE-2014-7169
- Amazon AWS
- Cisco Security Advisory
- NVD CVE-2014-6271
- NVD CVE-2014-7169
Well, we’re on day five of Shellshock, and unsurprisingly the vulnerability count in BASH has increased. The current count is six, and while each has its own unique characteristics, they all have the same nasty outcome if exploited. While not having any meaningful impact at Bitium, we are keeping a close watch on events.
A summary of the current publicly known vulnerabilities (as of 9/29):
- CVE-2014-6271 9/24, patches available, “fixed” 9/25 - the original issue
- CVE-2014-7169 9/25, patches available, fixed 9/26 - the sequel
- CVE-2014-7186 9/25, source fixed - out-of-bounds array access
- CVE-2014-7187 9/25, source fixed - word_lineno
- CVE-2014-6277 9/25, source fixed 9/27 - CVE reserved, no information available
- CVE-2014-6278 9/25, source fixed 9/27 - CVE reserved, no information available
The attacks being seen in the wild are focusing on exploitation through CGI or DHCP, but over time as the low hanging fruit is picked off, other methods will be tried.
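A defender's view of the CGI vector mentioned above, as an added example that is not part of the original post or Bitium's tooling: it scans Apache combined-format access log lines (constructed samples, not real traffic) for the BASH function-definition marker that CGI-based Shellshock probes place in request headers, and reports which field carried it.

```python
"""Flag HTTP requests carrying the Shellshock function-definition marker.

Added example for this post, not Bitium's own tooling. It scans Apache
combined-format access log lines (constructed samples below) for the
'() {' sequence that CVE-2014-6271 probes via CGI place in a header such
as User-Agent or Referer, and reports which field carried it.
"""
import re

# Apache "combined" log format:
# ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Function-export marker: "()" then optional whitespace then "{".
# Matches the spacing variants (e.g. "() {", "(){") seen in mass scanning.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

# Constructed sample lines: two probes (one in User-Agent, one in Referer)
# and two ordinary requests, one of which contains harmless parentheses.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2014:10:01:12 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :; }; echo probe"
198.51.100.7 - - [25/Sep/2014:10:01:13 +0000] "GET /index.html HTTP/1.1" 200 2048 "http://example.com/" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [25/Sep/2014:10:02:44 +0000] "GET /cgi-bin/env.cgi HTTP/1.1" 404 210 "(){ :;}; echo probe" "curl/7.37.0"
198.51.100.8 - - [25/Sep/2014:10:03:01 +0000] "GET /docs/functions() HTTP/1.1" 200 99 "-" "Mozilla/5.0 (compatible)"
"""


def find_shellshock_probes(log_text):
    """Return (ip, field, value) for every line whose request, referer or
    user-agent contains the Shellshock marker. Unparseable lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for field in ("request", "referer", "agent"):
            if SHELLSHOCK_RE.search(m.group(field)):
                hits.append((m.group("ip"), field, m.group(field)))
    return hits


if __name__ == "__main__":
    for ip, field, value in find_shellshock_probes(SAMPLE_LOG):
        print(f"{ip}: Shellshock marker in {field}: {value!r}")
```

A 404 on a cgi-bin path does not mean the probe failed to reach a vulnerable handler elsewhere, so treat any hit as a reason to confirm that the host's BASH package is patched.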
Patch availability is spotty, so you find yourself asking what patch, from where, and when. The major Linux distributions are playing catch-up, and while you can compile BASH from source code for yourself today, you might find yourself breaking something and repeating the process all over again tomorrow.
Unfortunately, the reality is that with software that has had a critical vulnerability buried inside it since the early '90s, chances are six will not be the final tally. All of this uncertainty might give you pause when deciding whether to patch, but ask yourself this question: what is your risk tolerance when it comes to compromises?
At Bitium, we are highly risk averse, so our policy is to immediately fix or mitigate anything exploitable, and then methodically address anything potentially vulnerable. This helps to keep your data safe and allows us to sleep better.