There have been reports of limited, targeted attacks exploiting the vulnerability, which was revealed publicly yesterday and has been dubbed ‘Shellshock’. Patches issued by Red Hat are incomplete, and some in the security community believe this bug could be worse than Heartbleed.
“Already, a number of attack vectors for the vulnerability [have] been discovered, and everything that uses the Bash shell contains the vulnerability,” said Kasper Lindgaard, head of research at Secunia. “The question for each product is, if there is a valid attack vector?”
The vulnerability – which impacts Bash versions 1.14 through 4.3 – affects Linux, UNIX and Mac OS X systems. It allows an attacker to append malicious code to an environment variable; that code runs once Bash processes the variable. According to Symantec, the vulnerability can only be exploited by a remote attacker under certain circumstances: for a successful attack to occur, the attacker must force an application to pass a malicious environment variable to Bash.
“The most likely route of attack is through Web servers utilizing CGI (Common Gateway Interface), the widely-used system for generating dynamic Web content,” Symantec’s Security Response Team noted. “An attacker can potentially use CGI to send a malformed environment variable to a vulnerable Web server. Because the server uses Bash to interpret the variable, it will also run any malicious command tacked-on to it.”
Red Hat said the company is aware that the patch for the vulnerability, CVE-2014-6271, is incomplete, but that customers should apply it anyway.
“An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions,” the company noted in an updated blog post today. “The new issue has been assigned CVE-2014-7169. We are working on patches in conjunction with the upstream developers as a critical priority.”
“For details on a workaround, please see the knowledgebase article,” the update continued. “Red Hat advises customers to upgrade to the version of bash which contains the fix for CVE-2014-6271 and not wait for the patch which fixes CVE-2014-7169. CVE-2014-7169 is a less severe issue and patches for it are being worked on.”
So far, the attacks seen in the wild are exploiting the CVE-2014-6271 vulnerability, and applying the latest system update will resolve this issue on most platforms, said HD Moore, chief research officer at Rapid7.
“The patch itself is insufficient to completely fix the issue, but is enough to stop the attacks that we are seeing in the wild,” he said. “Once an update becomes available to resolve CVE-2014-7169, this too should be rolled in earnest across the organization.”
Waylon Grange, senior malware researcher at Blue Coat Systems, said attackers began targeting the vulnerability within four-and-a-half hours of it being publicly announced.
“Blue Coat is already seeing DDoS botnets trying to utilize this vulnerability in their attacks and we expect that traffic to only continue to increase,” he said. “Shellshock has the potential to be the next Heartbleed and cause extensive problems worldwide. However, it is still early in the game and organizations need to be vigilant and make sure they take steps to protect themselves.”
A number of IDS solutions have released signatures to detect exploitation of these issues over non-encrypted HTTP traffic, Moore said.
“If the enterprise is using an SSL load balancer, they should connect their IDS to a span port behind as well as in front of the load balancer in order to detect these attacks,” Moore said. “On the open source front, both Bro and Snort have signatures available that can detect the attacks in the wild. [Web application firewall] products and services are now rolling out updates to detect and block exploit attempts as well.”
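Detection logic of the kind the IDS signatures above implement, as an added example that is not from the article or from any IDS or WAF vendor: it parses CGI request headers, maps each to the environment variable name a CGI server would export it as, and flags values that begin with Bash's exported-function prefix. The request text, header names and the PLACEHOLDER_COMMAND string are constructed, not captured traffic.

```python
import re
from typing import Dict, List, Tuple

# Bash exports shell functions as environment variables whose value starts
# with "() {". Shellshock (CVE-2014-6271) abuses this: Bash keeps parsing past
# the function body, so anything appended after the closing brace runs when
# the variable is imported. A CGI server copies request headers into
# environment variables (User-Agent -> HTTP_USER_AGENT), which is why IDS
# rules flag header values that begin with the function prefix.
FUNCTION_PREFIX = re.compile(r"^\s*\(\s*\)\s*\{")


def header_to_env(name: str) -> str:
    """Map an HTTP header name to the CGI environment variable it becomes."""
    return "HTTP_" + name.strip().upper().replace("-", "_")


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Split a raw HTTP request into {header: value}; the request line is skipped."""
    headers: Dict[str, str] = {}
    for line in raw_request.splitlines()[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


def find_shellshock_headers(raw_request: str) -> List[Tuple[str, str]]:
    """Return (env_var_name, value) for every header carrying the prefix."""
    return [
        (header_to_env(name), value)
        for name, value in parse_headers(raw_request).items()
        if FUNCTION_PREFIX.match(value)
    ]


# Constructed sample requests (not captured traffic). The appended command is
# a placeholder: only the "() {" prefix matters for detection.
BENIGN = (
    "GET /cgi-bin/status HTTP/1.1\r\n"
    "Host: example.internal\r\n"
    "User-Agent: Mozilla/5.0 (compatible; monitor/1.0)\r\n"
    "X-Note: () no brace here\r\n"  # decoy: parentheses without a brace
    "\r\n"
)
PROBE = (
    "GET /cgi-bin/status HTTP/1.1\r\n"
    "Host: example.internal\r\n"
    "User-Agent: () { :; }; PLACEHOLDER_COMMAND\r\n"
    "Cookie: () { :; }; PLACEHOLDER_COMMAND\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print("benign:", find_shellshock_headers(BENIGN))
    for env_var, value in find_shellshock_headers(PROBE):
        print(f"ALERT: {env_var} would be exported as {value!r}")
```

As Moore notes, this only works on traffic the sensor can read in clear text, so behind an SSL load balancer the same check has to run on the decrypted side.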