Ask The Cyber Security Expert: How scary is shellshock?

13:27 26 September in attack, Cyber security, hack, Vulnerability

Shellshock is the latest and greatest computer bug. It is big news, turning up on the BBC and in other non-tech media outlets. How bad is it? Will civilisation be plunged into chaos? Should you start the looting now? We dragged the Cyber Security Expert away from his Friday repose (reading his back issues of Dragon magazine) to find out more.

What is shellshock?

Shellshock is the name given to a new vulnerability (specifically CVE-2014-6271) in the Bash shell. It’s possible to drive your computer in two ways: through the nice graphical interface, which you are using right now as you read this, or through a command shell, which allows you to type commands that your machine then executes, showing you the results. Underneath the modern, slick user interfaces we are all used to, all of our computers have a shell of some description; however, if you are a non-technical user you probably never have to use one. Bash is an extremely common, and venerable, shell widely used in Unix and Linux based operating systems. Unix and Linux based machines underpin many of the applications we use every day on the internet. You can see why this bug might be a bad thing.

We’ve talked about hacking and vulnerabilities before, here. We understand that hacking generally involves providing software with unanticipated input with the aim of getting the target computer to fail in a way that gives us access (or at least is in some way advantageous to us as a hacker). Shellshock does just this. Bash has a concept called environment variables. When you are typing away in Bash these are used to ensure you can run the commands you want, navigate around directory structures, and control a whole variety of other elements which define your user experience. This is a good thing. Unfortunately Bash does not validate the data passed to it when environment variables are set, meaning it is possible to trick the shell into running commands instead of just setting an environment variable.

So for (a simplified) example, let’s say I wanted my default text colour to be blue. I might have an environment variable which looked like this:

COLOUR = Blue

However, I can trick Bash into running a command by setting the COLOUR variable thusly:

COLOUR = Blue ; rm importantinfo

(rm stands for remove – the delete command essentially). This example would result in the computer happily deleting the file importantinfo.

This is clearly bad, but it gets a lot worse. A lot of web applications run on Linux or Unix machines, and one way that web applications interact with the computer they are running on is through running commands using the Bash shell. When web applications construct the command they want the Bash shell to run, they take relevant parameters passed by the web browser of the user (the person browsing the website) and turn them into environment variables. These are then used by Bash when running the command on behalf of the web application. This means it is possible for hackers to manipulate websites running on vulnerable computers in order to get them to execute arbitrary commands.

That sounds bad. What can I do?

It is bad, though not entirely awful. Firstly, if you are running a Windows-based web server you are fine. Secondly, the above method of interacting with the underlying computer has been recognised as insecure for some time, and hence modern, well-written websites should not be vulnerable. Still, that means an awful lot of websites will be vulnerable. Checking your website should be the first port of call: are you on Windows or not? If not, then you need to confirm whether your web applications use CGI scripts, or other potentially vulnerable methods (there is a well-written technical description here). Patches have been released and are available for most of the common Linux operating systems, and whilst not perfect, they should be installed promptly.

After the website, you need to review what other services you offer to the internet: do clients connect to your network? Do you allow staff remote access? If any of these services are hosted on Linux machines, they may be vulnerable. Again, patch as soon as possible.
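
To confirm whether a patch has actually taken effect on a given machine, here is a local check, added as an example and not part of the original post. The real trigger is a function definition in the variable's value with extra text after it, rather than the simplified COLOUR form above; the names `check_shell`, `probe` and the marker string are assumptions made for this sketch, and the extra command is a harmless echo.

```shell
#!/bin/sh
# Added example: report whether a shell binary imports a function definition
# from an environment variable and also runs the text that follows it
# (the CVE-2014-6271 behaviour). Nothing but an echo is ever executed.

MARKER="cve-2014-6271-marker"   # constructed marker string

# Usage: check_shell [path-or-name]   (defaults to "bash")
# Prints one of: vulnerable | not-vulnerable | not-found
check_shell() {
    shell=${1:-bash}
    if ! command -v "$shell" >/dev/null 2>&1; then
        echo "not-found"
        return 0
    fi
    # The value of "probe" is a function definition followed by one more
    # command. A patched Bash treats the value as inert data; an unpatched
    # Bash runs the trailing echo while it starts up.
    out=$(env "probe=() { :;}; echo $MARKER" "$shell" -c ':' 2>/dev/null) || true
    case $out in
        *"$MARKER"*) echo "vulnerable" ;;
        *)           echo "not-vulnerable" ;;
    esac
}

check_shell bash
```

Run it against every Bash binary on the machine (for example `check_shell /bin/bash`), since appliances and custom builds sometimes carry more than one copy.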

So is that everything?

Sadly not. Whilst websites are the most obvious targets, Linux and Bash are everywhere. Bash can be found in Mac OS X, and you can open a command shell and demonstrate the vulnerability exists (although a statement from Apple insists most users are not at risk, and they are working on a fix for those who are). Linux is also widely used across a variety of appliances and other devices with embedded operating systems, and again Bash is likely to be used on many of these. Equally, websites aren’t the only applications that offer services to network users: any device running Bash which offers any service may be vulnerable. That is not a short list.

The fallout from this is likely to go on for a while. In the immediate future there will be a rash of compromises of web servers which ran insecure web applications, and which were not rapidly patched. Even now, just one day after the bug was announced, there are new ways of exploiting it being announced by security researchers.

What else can I do?

If you are running intrusion detection systems (such as our very own Watch Me! service), then these will alert for attempts to exploit this vulnerability. Patch any Linux machines now, and check with vendor websites for other advice. We will provide more information as it becomes available.
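
If you have web server logs but no intrusion detection, you can look for the same thing by hand. The following is an added example, not part of the original post and not how any particular product works: it flags log entries whose request line, Referer or User-Agent contains the function-definition prefix `() {`, since those browser-supplied values are what end up as environment variables. The log lines are constructed, and the Apache combined log format is an assumption.

```shell
#!/bin/sh
# Added example: flag access-log entries whose request line, Referer or
# User-Agent contains a Bash function-definition prefix "() {".

# Constructed sample in Apache combined log format (documentation IPs,
# harmless echo payloads).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [26/Sep/2014:13:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Sep/2014:13:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 73 "-" "() { :;}; echo constructed-probe"
203.0.113.5 - - [26/Sep/2014:13:02:44 +0000] "GET /cgi-bin/status HTTP/1.1" 404 0 "() {  :; }; echo constructed-probe" "curl/7.30"
192.0.2.10 - - [26/Sep/2014:13:03:00 +0000] "GET /search?q=f() HTTP/1.1" 200 90 "-" "Mozilla/5.0"
EOF
}

# Reads log lines on stdin; prints "client-ip field http-status" per hit.
scan_shellshock() {
    awk -F'"' '
    # "()" then optional whitespace then "{"; [{] keeps the brace literal
    function hit(s) { return s ~ /\(\)[ \t]*[{]/ }
    {
        split($1, pre, " "); ip = pre[1]       # text before the request
        split($3, mid, " "); status = mid[1]   # status follows the request
        if (hit($2)) print ip, "request", status
        if (hit($4)) print ip, "referer", status
        if (hit($6)) print ip, "user-agent", status
    }'
}

sample_log | scan_shellshock
```

A hit with a 200 status means the request reached something that answered, so that host and script are the first to check and patch.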

If you are worried you might be vulnerable, or aren’t sure what to do if you are, then why not contact us? We can help you safeguard your business.

Should I start the looting?

This will run and run, but is unlikely to lead to the collapse of modern civilisation. There will be protracted, and often damaging, exploits I’m sure, but for now I think it’s safe to put down the bin and step away from the shop window.

Thanks for reading. Any questions, please get in touch. Find us on Twitter, or use the contact form.

The Cyber Security Expert