Why The Bash Shellshock Bug Could Be Even Worse Than Heartbleed

Why the Bash Shellshock Bug Could Be Even Worse Than Heartbleed

Shellshock is newly discovered vulnerability in software that's in computer systems we use everyday. It's kind of like Heartbleed, the Open/SSL bug that scared everyone senseless a few months ago and remains unpatched on thousands of systems. According to some experts, however, Shellshock could be way worse, and it's been around for decades.

Shellshock affects a piece of software called Bash. Bash is a "Unix Shell", a command line interface that allows a user to talk to a Unix based system. Originally written in 1980, Bash has evolved from a simple command line interface into one of the most widely used utilities out there. Even though you probably don't see Bash daily, there's a good chance that it's running in the background on your system. OS X and Linux both use Bash, and it has been ported over to everything from Windows to Android.

Discovered by a team from the open source software company Red Hat, the Shellshock bug allows attackers to inject their own code into Bash using specially crafted "environment variables" that have Bash functions in them. (Red Hat's servers were having problems, here's a cached version of their explainer.)

Without diving into all the technical nitty-gritty — some of which you can find here — what you need to know is that the bug leaves unpatched systems open to a variety of malicious and remote attacks. Bash is commonly used by web servers, so in theory it could be used to take over entire websites. Internet connected devices like web cams are similarly vulnerable. But worst of all, since there's a decent chance your computer is running Linux in the background, an attacker on your network could use the bug to extract personal information from your machine.

But the main reason people are comparing Shellshock to Heartbleed is that the distribution of the bug is unknowably vast. Bash is baked into so many systems and has been around for so long that in all likelihood, the bug will never be fully fixed. This is vulnerable software that has been spreading across the technological world for years and years.

Security researcher Robert Graham puts the concern pretty succinctly:

The second reason is that while the known systems (like your web-server) are patched, unknown systems remain unpatched. We see that with the Heartbleed bug: six months later, hundreds of thousands of systems remain vulnerable. These systems are rarely things like webservers, but are more often things like Internet-enabled cameras.

Internet-of-things devices like video cameras are especially vulnerable because a lot of their software is built from web-enabled bash scripts. Thus, not only are they less likely to be patched, they are more likely to expose the vulnerability to the outside world.

In the short term the most obviously affected systems will be fixed. Others, unfortunately, will remain vulnerable, and as Troy Hunt points out in his lengthy technical explainer:

The bigger worry is the devices with no easy patching path, for example your router. Short of checking in with the manufacturer's website for updated firmware, this is going to be a really hard nut to crack. Often routers provided by ISPs are locked down so that consumers aren't randomly changing either config or firmware and there's not always a remote upgrade path they can trigger either. Combine that with the massive array of devices and ages that are out there and this could be particularly tricky. Of course it's also not the sort of thing your average consumer is going to be comfortable doing themselves either.

As for what you need to do. Watch out for important security updates to OS X, which are surely around the corner. And though you probably never update firmware on stuff like your router, it's not a bad idea to do that from now on. [Red Hat]

Picture: Michael Hession


Comments

    God I hope eBay don't reset my password again.. Took me weeks to get back into my account with their broken overloaded password reset tool last time.

    Why is this written like the reader is 9? I don't "talk to [my] unix based system"... I believe that is the definition of insanity.

      Also; "But worst of all, since there’s a decent chance your computer is running Linux in the background" - lol what?

    I'm not sure why this is been made out to be such a huge deal with servers as before you can even execute the attack you need either SSH access or a vulnerable script needs to exist on the server that allows shell execution which is like looking for a needle in a haystack.

    Heartbleed was the same, it was an attack that had to be carried out under specific circumstances but a patch was available before anything actually happened, to me it's just a bunch of hype to scare people who don't know much or anything about servers.

      I think the reason is because of the environment variable issue: there are a range of situations where data will be passed between things using an environment variable (CGI being the most rudimentary), and that allows shell commands to be executed.
      Heartbleed similarly wasn't just trivial: things like usernames and passwords showed up in that chunk of memory that could be dumped from the server (as was demonstrated by users on the ArsTechnica forums).

      Edit: I should point out that many home routers use CGI for their web interfaces, which probably makes them vulnerable to having shell commands executed on them. That's a bit of a problem.

      Last edited 26/09/14 11:31 am

        While that may be true it would only affect very insecure routers with weak password hashing or people who don't know about securing routers, knowing brands such as Linksys a patch will be out by the weeks end as all they need to do is bundle the updated bash executable and you're set.

          Actually, having read more about it, Busybox isn't affected so that will cover most routers (which is fortunate, actually, because manufacturers are ofter pretty crap at releasing updates).

          Last edited 26/09/14 7:36 pm

Join the discussion!

Trending Stories Right Now