Bash ‘Shellshock’ Vulnerability Under Attack

Beating back the recently disclosed GNU Bourne Again Shell (Bash) vulnerability may not be as easy as some hoped.


There have been reports of limited, targeted attacks exploiting the vulnerability, which was publicly disclosed yesterday and has been dubbed ‘Shellshock’. The patches Red Hat issued are incomplete, and some in the security community believe this bug could be worse than Heartbleed.

“Already, a number of attack vectors for the vulnerability [have] been discovered, and everything that uses the Bash shell contains the vulnerability,” said Kasper Lindgaard, head of research at Secunia. “The question for each product is, if there is a valid attack vector?”

The vulnerability – which affects Bash versions 1.14 through 4.3 – impacts Linux, UNIX and Mac OS X systems. It allows an attacker to append malicious code to an environment variable; that code runs as soon as a vulnerable bash receives the variable. According to Symantec, the vulnerability can only be exploited by a remote attacker under certain circumstances: for a successful attack, the attacker must force an application to pass a malicious environment variable to bash.


“The most likely route of attack is through Web servers utilizing CGI (Common Gateway Interface), the widely-used system for generating dynamic Web content,” Symantec’s Security Response Team noted. “An attacker can potentially use CGI to send a malformed environment variable to a vulnerable Web server. Because the server uses Bash to interpret the variable, it will also run any malicious command tacked-on to it.”

Red Hat said the company is aware that the patch for the vulnerability, CVE-2014-6271, is incomplete, but that customers should apply it anyway.

“An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions,” the company noted in an updated blog post today. “The new issue has been assigned CVE-2014-7169. We are working on patches in conjunction with the upstream developers as a critical priority.”

“For details on a workaround, please see the knowledgebase article,” the update continued. “Red Hat advises customers to upgrade to the version of bash which contains the fix for CVE-2014-6271 and not wait for the patch which fixes CVE-2014-7169. CVE-2014-7169 is a less severe issue and patches for it are being worked on.”

So far, the attacks seen in the wild are exploiting the CVE-2014-6271 vulnerability, and applying the latest system update will resolve this issue on most platforms, said HD Moore, chief research officer at Rapid7.

“The patch itself is insufficient to completely fix the issue, but is enough to stop the attacks that we are seeing in the wild,” he said. “Once an update becomes available to resolve CVE-2014-7169, this too should be rolled in earnest across the organization.”

Waylon Grange, senior malware researcher at Blue Coat Systems, said attackers began targeting the vulnerability within four-and-a-half hours of it being publicly announced.

“Blue Coat is already seeing DDoS botnets trying to utilize this vulnerability in their attacks and we expect that traffic to only continue to increase,” he said. “Shellshock has the potential to be the next Heartbleed and cause extensive problems worldwide. However, it is still early in the game and organizations need to be vigilant and make sure they take steps to protect themselves.”

A number of IDS solutions have released signatures to detect exploitation of these issues over non-encrypted HTTP traffic, Moore said.

“If the enterprise is using an SSL load balancer, they should connect their IDS to a span port behind as well as in front of the load balancer in order to detect these attacks,” Moore said. “On the open source front, both Bro and Snort have signatures available that can detect the attacks in the wild. [Web application firewall] products and services are now rolling out updates to detect and block exploit attempts as well.”
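To make the mechanism concrete (a CGI server exports request headers as HTTP_* environment variables, and a vulnerable bash parses any value beginning with a function-definition prefix) and to show the kind of check the IDS signatures mentioned above perform on plaintext HTTP, here is an added Python example; it is not code from the article or from any vendor, and the sample requests, host name and function names are constructed for illustration.

```python
import re

# Constructed sample HTTP requests (not from the article): one benign, two carrying
# the "() {" function-definition prefix in headers that a CGI server would export
# as environment variables. The trailing command is a harmless /bin/true.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/status HTTP/1.1\r\nHost: www.example.test\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n",
    "GET /cgi-bin/status HTTP/1.1\r\nHost: www.example.test\r\n"
    "User-Agent: () { :; }; /bin/true\r\n\r\n",
    "GET /cgi-bin/status HTTP/1.1\r\nHost: www.example.test\r\n"
    "Referer: () {:;}; /bin/true\r\nCookie: session=abc123\r\n\r\n",
]

# Bash 1.14 through 4.3 imports an environment variable whose value starts with
# "() {" as a function definition; CVE-2014-6271 is that it keeps executing what
# follows the closing brace. Network signatures key on this prefix, so the pattern
# tolerates the same optional whitespace they do.
SHELLSHOCK_MARKER = re.compile(r"^\s*\(\s*\)\s*\{")


def cgi_env_name(header_name: str) -> str:
    """Map an HTTP header name to its CGI environment variable (RFC 3875, 4.1.18)."""
    return "HTTP_" + header_name.strip().upper().replace("-", "_")


def parse_headers(raw_request: str) -> dict:
    """Split a raw HTTP request into a {header: value} dict; request line skipped."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return headers


def find_shellshock_headers(raw_request: str) -> list:
    """Return (env_var, value) for each header that would reach bash as a
    '() {'-prefixed variable. Only plaintext HTTP is visible here; behind a TLS
    load balancer the sensor must sit on the decrypted side, as the article notes."""
    return [(cgi_env_name(name), value)
            for name, value in parse_headers(raw_request).items()
            if SHELLSHOCK_MARKER.match(value)]


def scan(requests) -> list:
    """Index every request carrying at least one suspicious header."""
    flagged = []
    for i, req in enumerate(requests):
        hits = find_shellshock_headers(req)
        if hits:
            flagged.append((i, hits))
    return flagged
```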
