Just six months after the disclosure of Heartbleed, a security bug in OpenSSL’s TLS heartbeat extension that allows hackers to essentially ping a server or client for information stored in the system’s memory, another major security bug is making the rounds, this one much worse.
Shellshock (also known as “Bashdoor”) is a security vulnerability in the Unix Bash shell. It allows a hacker to cause a vulnerable version of Bash to execute arbitrary commands. At best, a hacker will spam your device with “Hello World” text. At worst, the exploit could give a hacker complete control of your system.
The most troubling part about Shellshock isn’t even the risk it presents moving forward, but the fact that the bug has apparently existed since Bash v1.03, which was released in 1989. Its discovery has led to the realization that numerous other vulnerabilities related to the initial one exist – some five others at least.
Unlike Heartbleed, which could affect anything running OpenSSL, Shellshock targets Unix-based systems. What does this mean? Essentially, any operating system running a variant of Unix and a vulnerable version of Bash is potentially vulnerable, including Mac OS X and Linux operating systems (+1 for Windows!).
The thing to understand most about both Shellshock and Heartbleed is that they are not confined to just web servers. Any internet-connected device is vulnerable to these exploits. All a hacker needs is access to your device and the know-how to check for and utilize the exploits. It is true that web servers are the easiest targets, because their very purpose is to be a constantly internet-connected device. That being said, if your system is connected to the internet, it’s at risk from one exploit or another.
At the time of disclosure, Heartbleed affected nearly half a million systems. The upside to Heartbleed was that a hacker couldn’t target the information they received from the exploit. They were returned information stored in the system’s memory. If nothing useful was in memory at the time the exploit was used, then the hacker got useless garbage.
Today, almost a month after Shellshock was disclosed, the facts and figures are still coming in about who, what and how exactly everything is affected. For every patch that has been generated, another exploit has been found and another patch put into development. As of the writing of this article, Apple has yet to issue a complete patch for Shellshock. It could be that this turns out to be like Heartbleed, where many systems remain unpatched and six months later we are still looking into the fallout.
What can I do to protect myself?
Regardless of whether your system is affected by Shellshock, or Heartbleed, or any other known (or unknown) exploit, you should always keep your system up-to-date. That doesn’t mean just installing operating system updates. Keep your applications and extensions up-to-date as well. Many people like to put off updates, usually because they require a system reboot, but running updates ensures that your system, applications and extensions are up-to-date not only with the newest features, but the newest security fixes as well.
With regard to Shellshock specifically, an article at Ars Technica provides clear instructions on how to check if your system is vulnerable to the exploit. Whether you are vulnerable or not, it would be a good idea to update bash anyway, especially if an earlier patch fixed the exploit but left your system vulnerable to newly discovered exploits.
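One way to run that kind of check on your own machine, as an added example that is not taken from this article or from Ars Technica: the script tests each local bash binary for the original Shellshock flaw by seeing whether a command appended to a function-style environment variable gets executed. The function names, the `probe` variable and the canary string are illustrative choices made for this example.

```shell
#!/bin/sh
# Added example: local-only check of bash binaries for the original
# Shellshock flaw. It sends nothing over the network.

MARKER="SHELLSHOCK_CANARY_$$"   # constructed canary string

# check_bash PATH: prints vulnerable | patched | missing
# returns 1 if vulnerable, 2 if missing, 0 otherwise
check_bash() {
    shell_path=$1
    [ -x "$shell_path" ] || { echo missing; return 2; }
    # The variable's value looks like a function definition followed by one
    # extra command. An unpatched bash runs that command while importing its
    # environment; a patched bash treats the value as plain text.
    out=$(env -i PATH="$PATH" probe="() { :;}; echo $MARKER" \
          "$shell_path" -c 'echo done' 2>/dev/null)
    case $out in
        *"$MARKER"*) echo vulnerable; return 1 ;;
        *)           echo patched;    return 0 ;;
    esac
}

# scan_bash: checks the bash on PATH plus any bash listed in /etc/shells
scan_bash() {
    status=0
    for b in $( { command -v bash; grep -s '/bash$' /etc/shells; } | sort -u ); do
        result=$(check_bash "$b") && rc=0 || rc=$?
        printf '%s\t%s\n' "$b" "$result"
        [ "$rc" -eq 1 ] && status=1
    done
    return "$status"
}

scan_bash || echo "At least one bash needs updating" >&2
```

A "patched" result covers only the initial bug; because follow-on flaws were found after the first fix, update bash to the latest package even when this check passes.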
If you need assistance or have any questions on how Altura can help protect your systems, please contact us at 1-800-654-0715 or visit us at www.alturacs.com.
If you currently are running any Avaya, Aruba, or Polycom products, it’s absolutely critical you check out this article here.