Shellshock: A major vulnerability that could live up to its name
News broke this week of yet another vulnerability — meet Shellshock.
Shellshock uses Bash, the default shell for Linux and OS X, and injects code which could provide an attacker with the ability to execute arbitrary commands on any device running the code. Given that Bash is the default for OS X, this has created a major concern for Mac users.
However, even more concerning than the impact Shellshock can have on machines running Linux and OS X operating systems is the fact that Bash is also utilized to execute CGI script to display dynamic websites. Those CGI scripts are commonly executed on Apache, which is the most common kind of web server.
Apache is run on about 50% of web servers by default — a statistic some may remember from Heartbleed. And that figure does not take into account the machines that have Apache implemented as part of setup.
Effectively Shellshock is a code injection hack, which hackers thrive off of, because that creates access to the entire environment through one command line of code. While this is not as bad as an attack on root code, injecting malicious commands at the shell level creates a high-stakes level of exposure. This is compounded by the fact that the versions of Bash affected by Shellshock date back to version 4.3, which was issued nearly 25 years ago.
TrendMicro notes that:
Any organization or user that has Bash enabled on a server, desktop, or device is affected by this vulnerability. This includes the over 500 million web servers on the Internet today. As well, end users’ accessing the websites or services being run on affected servers are vulnerable to their personal and business information falling into the wrong hands.
According to software developer and Microsoft MVP Troy Hunt:
…the Heartbleed comparison isn’t fair – this is potentially far worse. Heartbleed allowed remote access to small amount of data in the memory of affected machines. Shellshock is enabling remote code injection of arbitrary commands pre-auth which is potentially far more dire.
While it seems that reports of new vulnerabilities make headlines with frightening regularity, Shellshock will be one to stay very close to as its implications are far reaching and the impact has yet to be fully felt.