
First evidence of Shellshock spotted ‘in the wild’

Shellshock bug is Heartbleed’s meaner, older brother

Meet “Shellshock,” the latest computer vulnerability to unleash a torrent of chaos across worldwide computer systems. It’s a security vulnerability that experts describe as being at least as dangerous as the Heartbleed bug, if not more so.

Shellshock is the nickname for a bug in Bash (the GNU Bourne-Again Shell), the command-line interpreter used to run programs by typing in text, much like the MS-DOS days of yore. The bug was discovered by Stéphane Chazelas, a security researcher at Akamai, who noted that Linux and Mac OS X machines running any version of Bash up to and including 4.3 are at risk. The flaw lies in how Bash imports function definitions from environment variables: any text that follows the function body is executed as a command, so any program that places attacker-controlled data in the environment before starting Bash can be made to run arbitrary commands.

According to the U.S. National Vulnerability Database (NVD), the catalogue of security issues maintained by NIST, the bug’s impact and exploitability subscores are both 10/10 (a CVSS base score of 10.0). An attacker needs only a single crafted request, for example an HTTP header handed to a CGI script that invokes Bash, to run commands on the target; no login credentials are necessary. Once a system is accessed, an entrepreneurial hacker could potentially create a worm, or self-replicating malware, that spreads across the network to other computers to steal information or form a botnet under the control of the hacker.

Security researcher “Yinette” alerted the public on September 25 that the bug, tracked as CVE-2014-6271, was already being exploited “in the wild.” A short time later, security researcher Robert Graham reported that his quick scan had found 3,000 systems vulnerable to the bug. Graham writes: “Consequently, even though my light scan found only 3,000 results, this thing is clearly wormable, and can easily worm past firewalls and infect lots of systems. One key question is whether Mac OS X and iPhone DHCP service is vulnerable—once the worm gets behind a firewall and runs a hostile DHCP server, that would ‘game over’ for large networks.”

Unlike the Heartbleed bug, which affected only a narrow range of OpenSSL releases (1.0.1 through 1.0.1f), the Bash bug has been present for decades, meaning a significantly larger number of systems may be affected. Graham points out that while large web servers may be patched in a short time frame, smaller devices such as an IoT camera can take months; “Hundreds of thousands of systems remain vulnerable,” he says.

Fortunately, Shellshock is already being patched. The first fix turned out to be incomplete (the remaining parser issue is tracked as CVE-2014-7169), so the best thing the average user can do is update to a Bash build that includes the follow-up patches, while keeping an eye out to see that their cloud provider has done the same.
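As an added check (example code, not from the article or from ZDNet), the following POSIX shell script probes the Bash on the local machine for both issues. It assumes `bash` is on `$PATH`. The first probe places a function definition with a trailing `echo` in an environment variable: a vulnerable Bash runs that `echo` while importing the function, a patched one only runs the command it was asked to. The second probe uses the known test for the incomplete fix, in which a vulnerable Bash turns the payload’s redirection into a file named `echo` in the working directory, so it is run inside a scratch directory.

```shell
#!/bin/sh
# Added example: probe the installed bash for Shellshock.
# Assumes bash is on $PATH; nothing here is taken from the article.

# CVE-2014-6271 probe. Prints "vulnerable", "patched" or "no-bash";
# exit status 1, 0 or 2 respectively.
shellshock_probe() {
    if ! command -v bash >/dev/null 2>&1; then
        echo no-bash
        return 2
    fi
    # The marker is only printed if the trailing command runs while bash
    # imports the function from the environment; a patched bash prints
    # just "probe" (and a warning on stderr, which we discard).
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo vulnerable; return 1 ;;
        *)                   echo patched;    return 0 ;;
    esac
}

# CVE-2014-7169 probe (the parser bug left open by the first patch).
# On a vulnerable bash the payload causes "echo date" to be parsed as
# "date > echo", creating a file named "echo" in the current directory,
# so the test runs in a temporary directory that is removed afterwards.
shellshock_probe_7169() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 2; }
    dir=$(mktemp -d) || { echo no-bash; return 2; }
    ( cd "$dir" && env X='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$dir/echo" ]; then
        rm -rf "$dir"
        echo vulnerable
        return 1
    fi
    rm -rf "$dir"
    echo patched
    return 0
}

# Report both results; the exit status of the last probe is the script's.
shellshock_probe
shellshock_probe_7169
```

Run the script on each host (or inside each container image) you maintain; a “patched” result from both probes means the Bash build includes the follow-up fixes, while a “vulnerable” result from the second probe alone means only the original, incomplete patch was applied.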

The current situation can be summarized as a race between the companies working to patch the bug and the malicious hacker groups seeking to infect as many systems as possible before the mode of access is eliminated. However, given the age and simplicity of the bug, it is uncertain how long it has already been exploited.

Via ZDNET
