Shellshock: Internet in Peril Again as ‘Heartbleed 2.0’ Bash Flaw Strikes

Security experts are urging Linux and UNIX admins to drop everything and patch a critical software vulnerability found in the extensively used Bash (the Bourne Again SHell) which could be “worse” than the now infamous Heartbleed flaw.

Bash is a commonly used shell for evaluating and executing commands from other programs.

As such, a large number of programs on Linux and UNIX systems use it, putting Apache web servers running CGI scripts in particular at risk, according to Jim Reavis of the Cloud Security Alliance.

The vulnerability itself, first discovered by Akamai researcher Stephane Chazelas last week, has a maximum severity rating of 10/10 from NIST, which had the following explanation:

“GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.”

The vulnerability does not require authentication to exploit and “allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service,” NIST said.

Darien Kindlund, director of threat research at FireEye, branded the flaw "worse" than Heartbleed in terms of affecting servers that “help manage huge volumes o internet traffic.”

“Conservatively, the impact is anywhere from 20-50% of global servers supporting web pages,” he added. “Specifically, this issue affects web servers using GNU BASH to process traffic from the internet. In addition, this bug covers almost all CGI-based web servers, which are generally older systems on the internet.”

However, Rapid7 cautioned that although the bug enables hackers to steal sensitive information and take over devices remotely, it may not be as bad as it first appears because most systems that use Bash will not be remotely exploitable.

“From what we can tell, the vulnerability is most likely to affect a lot of systems, but it isn't clear which ones, or how difficult those systems will be to patch. The vulnerability is also incredibly easy to exploit. Put that together and you are looking at a lot of confusion and the potential for large-scale attacks,” it added.

“BUT – and that’s a big but – there are a number of factors that need to be in play for a target to be susceptible to attack. Every affected application may be exploitable through a slightly different vector or have different requirements to reach the vulnerable code. This may significantly limit how widespread attacks will be in the wild.”

The security community will know more after extensive testing, although worryingly Rapid7 has already reported a DDoS bot spotted in the wild exploiting the issue.

What’s hot on Infosecurity Magazine?