Is Shellshock, aka Bash Bug, a threat to your systems’ security?

Once again, we’re hearing about another vulnerability in popular operating systems affecting websites and servers. We’ve been getting a lot of questions from our customers wondering what this bug is and whether our products and solutions are impacted by the Bash Bug. So, let me first give you some background on the issue.

 

Who is impacted by Bash Bug?

Shellshock is a new vulnerability that potentially affects most versions of the Linux and UNIX operating systems, as well as Mac OS X. Known as the “Bash Bug” or “Shellshock,” the GNU Bash Remote Code Execution Vulnerability (CVE-2014-6271/CVE-2014-7169) could allow an attacker to gain control over a targeted computer if exploited successfully.

The vulnerability affects Bash, a common component known as a shell that appears in many versions of Linux and UNIX. Bash acts as a command language interpreter. In other words, it allows the user to type commands into a simple text-based window, which the operating system will then run.

Bash can also be used to run commands passed to it by applications, and it is this feature that the vulnerability affects. One type of command that can be sent to Bash allows environment variables to be set. Environment variables are dynamic, named values that affect the way processes are run on a computer. The vulnerability lies in the fact that an attacker can tack malicious code on to the environment variable, and Bash will run that code once the variable is received.

While the vulnerability potentially affects any computer running Bash, it can only be exploited by a remote attacker in certain circumstances. For a successful attack to occur, an attacker needs to force an application to send a malicious environment variable to Bash.

The most likely route of attack is through Web servers using Common Gateway Interface (CGI). CGI is a widely used system for generating dynamic Web content. An attacker can potentially use CGI to send a malformed environment variable to a vulnerable Web server. Because the server uses Bash to interpret the variable, it will also run any malicious command tacked on to it.

 

Has anyone exploited this vulnerability yet?

The attacks began almost immediately after the vulnerability was announced. A number of security companies are now reporting that attacks based on Shellshock are ongoing. Several companies have seen DDoS botnets trying to use this vulnerability in their attacks. That traffic is expected to increase.

Proof-of-concept scripts have already been developed by security researchers, and a module has been created for the Metasploit Framework which is used for penetration testing.

 

Are Alcatel-Lucent Enterprise’s products affected by the Bash Bug?

Bash is used in a number of our products so we have security advisories available for our customers through our Business Partners and online through Customer Support.

 

What do you advise to sustain IT operations?

Immediate actions include:

  • Read your vendors’ advisories
  • Audit your running systems
  • Apply your vendors’ advisements and patches to your affected systems
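
One way to carry out the “audit your running systems” step for Bash itself, as an added example that is not part of the original post or of any vendor advisory: the script sets a harmless probe in an environment variable and reports whether each local shell runs the text appended to it (the CVE-2014-6271 behaviour only; it does not exercise CVE-2014-7169). The function names, the marker string and the variable name audit_probe are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not vendor code): local audit for CVE-2014-6271 behaviour.
MARKER="SHELLSHOCK_AUDIT_$$"   # constructed marker; the probe only echoes it

# check_shell PATH: returns 0 if the shell executes text appended to a
# function definition held in an environment variable (vulnerable),
# 1 if it does not, 2 if the shell could not be run.
check_shell() {
    [ -x "$1" ] || return 2
    out=$(env "audit_probe=() { :;}; echo $MARKER" "$1" -c 'echo probe-done' 2>/dev/null) || true
    case $out in
        *"$MARKER"*)  return 0 ;;
        *probe-done*) return 1 ;;
        *)            return 2 ;;
    esac
}

# list_shells: candidate bash/sh binaries from /etc/shells and $PATH
# (sh is included because some systems link it to Bash).
list_shells() {
    {
        grep -E '^/.*/(ba)?sh$' /etc/shells 2>/dev/null || true
        command -v bash || true
        command -v sh || true
    } | sort -u
}

# audit_system: report every candidate; returns 1 if any is vulnerable.
audit_system() {
    status=0
    for shell in $(list_shells); do
        rc=0
        check_shell "$shell" || rc=$?
        case $rc in
            0) echo "VULNERABLE      $shell"; status=1 ;;
            1) echo "not vulnerable  $shell" ;;
            *) echo "could not test  $shell" ;;
        esac
    done
    return $status
}

audit_system || echo "Apply the vendor's Bash update to the shells marked VULNERABLE."
```

A shell reported as not vulnerable should still be brought to the vendor's fixed Bash version, because this probe covers only the first of the two CVEs named above.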

Take this opportunity to review your security policy to apply stronger measures such as:

  • Separating your management network from operational networks by virtualization
  • Applying Access Control Lists (ACLs) to vulnerable systems
  • Double checking to be sure your anti-virus systems are up to date

For Alcatel-Lucent Enterprise Business Partners, our security advisories are available on the Enterprise Business Portal under customer support/technical support/security advisories.

Customers that deploy our products can contact their Alcatel-Lucent Enterprise sales representative or Business Partner’s sales representative for more information.

 

I hope that I have addressed your concerns about potential Shellshock attacks on your IT operations.
