A Sudden concern with Shellshock


Unfortunately, September has brought with it another far-reaching computer exploit. Remember Heartbleed, the OpenSSL exploit from earlier this year? Heartbleed was one of the furthest-reaching exploits (or viruses, trojans, etc.) we've ever seen on the internet; Shellshock is shaping up to be even scarier. Here at Sudden Technologies, we're taking swift action to make sure our customers are protected against this exploit.

With Shellshock having been in the wild only since Tuesday, September 24th, there are already countless security specialists and tech reporters posting stories about the exploit.

We've found that most of these posts are extremely technical and probably pretty difficult for most people to understand, so we at Sudden want to help our readers and customers with a simplified explanation of both the exploit and how you can protect yourself. Troy Hunt has a comprehensive technical breakdown of the issue if you want to read more.

So what is it?

Firstly, and briefly, what is Bash? For those not overly versed in Linux/Unix, Bash is one of many possible shells which can execute commands against the Linux kernel (think Windows Command Prompt versus Windows PowerShell). As a command line user interface, a shell is ultimately a scripting interface as well, and this is where the problem comes into play.

Secondly, what is Shellshock? Shellshock is an exploit that allows remote code execution, meaning an attacker can send commands to a vulnerable server and they will execute on that server. Remote code execution is a common way for hackers to attempt to gain control over websites, servers, databases, etc. The example detailed on TroyHunt.com shows code like this:

http-header = Host:() { :; }; ping -c 3 209.126.230.74

Simply put, in the line above the attacker is using an HTTP request to make the server do something other than return a web page (in this example, ping another computer). So rather than the web server sending you back a picture, some text or a video in response to an HTTP request, the attacker can instead make the server do their bidding.

Why is it bad?

There are two main reasons this exploit is so bad: the scale of the exploit, and the control that is gained when an attacker makes use of it.

While Windows may still dominate the desktop computer market, Linux is still the dominant force on the internet, with the open source Apache web server running over 50% of the web servers on the internet. The scale of this exploit is potentially as vast as that of Heartbleed.

The level of control and access an attacker can get on compromised systems makes matters potentially much worse than Heartbleed. On the Windows side of things, the level of control gained can be equated to giving a hacker control of your mouse and keyboard.

They can do destructive things like:

  • Delete files
  • Shut down servers
  • Attack other servers which may be only accessible from the compromised web server

Or they can steal all kinds of data by having the server back up files, databases, etc. to a public file share. For instance:

  • Corporate data
  • Usernames and Passwords
  • Customer Financial data

So, what is Sudden doing about it?

Since the news regarding Shellshock broke, we at Sudden have been working with our customers and partners to reduce customer risk.

Working with customers, we have taken steps to isolate affected systems to prevent them from being compromised while countermeasures are developed.

We have worked closely with our security partner Fortinet to develop IPS signatures which can block the exploit from reaching affected systems. As of the writing of this post, Fortinet has released an IPS signature update to protect customers’ systems.

https://blog.fortinet.com/post/shellshock-faq

As patches are released by vendors, we will ensure that customer systems which have been affected are patched against Shellshock immediately.

How do I know if this affects me and how do I protect against it?

As you may already have read, there is a simple way to check if your Linux based system is affected by the exploit. Simply log in to your Linux terminal and run a command similar to this:

env x="() { :;} ; echo Hackable" bash -c "echo Server"

If your server has already been patched and is not vulnerable, you will see:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
Server


But if you are at risk, you’ll see this:


Hackable
Server
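As an added example (not code from the original post or from Troy Hunt's write-up), here is a small POSIX shell script that wraps the check above so it can be run across many hosts, and that scans constructed web-server log lines for the `() {` function-definition marker which the HTTP-header attack described earlier carries. The function names and the sample log lines are assumptions of mine.

```shell
#!/bin/sh
# Added example, not from the original post or from Troy Hunt's write-up.
# Two defender-side helpers: one wraps the env check from the post so it
# can be scripted across many hosts, the other scans web-server log lines
# for the "() {" function-definition marker a Shellshock probe carries in
# an HTTP header. Function names and the sample log lines are my own.

# Prints one word: "vulnerable" if the local bash runs the command that
# trails the injected function definition, "patched" if it ignores it
# (or, on newer bash, never treats the variable as a function at all),
# or "no-bash" if bash is not installed. Always exits 0 so it is safe
# under "set -e"; act on the printed word.
bash_shellshock_status() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    # Same test as in the post; the marker string stands in for "Hackable".
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' bash -c 'echo probe' 2>&1)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo vulnerable ;;
        *)                   echo patched ;;
    esac
}

# Prints the client IP (first field of a combined-format access log line)
# of every line whose headers contain "() {", one IP per line, de-duplicated.
# The whole log text is passed as the single argument.
shellshock_probe_ips() {
    printf '%s\n' "$1" | grep -F '() {' | awk '{print $1}' | sort -u
}

# Constructed sample: two probes from one address (the second hides the
# payload in the Referer field), plus one ordinary request.
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; ping -c 3 198.51.100.7"
203.0.113.9 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2014:10:02:11 +0000] "GET / HTTP/1.1" 200 1024 "() { :;}; echo Hackable" "curl/7.37.0"'

echo "local bash: $(bash_shellshock_status)"
echo "addresses sending Shellshock probes:"
shellshock_probe_ips "$SAMPLE_LOG"
```

Replace SAMPLE_LOG with the contents of your real access log to get the list of addresses that have been sending the marker at your server.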


Deploy IPS, Patch your servers, Run and hide

If you have the ability, e.g. if you are a Fortinet customer with a FortiGate firewall protecting your servers, ensure you update your IPS signatures right away. If you're not a Fortinet customer, check with your security/firewall provider.

The commonly used distros of Linux are working quickly to get updated versions of Bash out to customers. Here are some links and the commands needed to update some of the most common distros:

  • yum update bash-4.1.2-15.el6_5.1
  • sudo apt-get update && sudo apt-get install --only-upgrade bash
  • yum update bash

Many of the more niche Linux distros and devices such as embedded appliances will take longer to patch; in the meantime, run and hide. Do everything you can to isolate these systems from the internet. Ideally, make them totally unavailable from the internet; if your business can't suffer such an outage and is willing to risk breaches like those at Target or Home Depot, limiting access to trusted parties only might be an interim solution.
