
Hackers Exploit Shellshock, Much More Trouble Awaits

Security experts are keeping an eye on the Shellshock vulnerability, also known as the Bash (Bourne-Again Shell) bug, as a focus for malicious scanning and at least one botnet. They warn, though, that hackers haven’t even begun to test the limits of the vulnerability.

The Shellshock vulnerability, also called the Bash (Bourne-Again Shell) bug, could be an even greater threat than the Heartbleed bug. Disclosed in April, Heartbleed threw a scare into Internet users by exploiting OpenSSL cryptography vulnerabilities to allow theft of servers’ private keys and users’ session cookies and passwords via fake Web sites.

The Internet security firm FireEye reported that it has seen plenty of malicious traffic using the Bash bug, some of it possibly from Russia. The activity has included DDoS attacks, malware droppers, reverse shell hacks, backdoors and data exfiltration.


Elsewhere, security researchers at Incapsula logged more than 17,400 attacks at an average rate of 725 an hour. The company said that more than 1,800 domains in its network were attacked from about 400 unique IP addresses, more than half originating in China and the United States.

Attackers are using scanners that bombard networks and seek out vulnerable machines. To this point, most of the attention from hackers has gone to the Common Gateway Interface vector, an interface between a Web server and executables that produce dynamic content.
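An added example, not part of the original article: a minimal scan of Web server access logs for requests whose logged Referer or User-Agent value begins with the Bash function-definition prefix `() {` carried by Shellshock probes, tallying hits, source addresses and targeted CGI paths in the same terms as the figures above. The log lines, IP addresses and paths are constructed for illustration.

```python
import re
from collections import Counter

# Combined log format: client IP, request line, status, Referer, User-Agent.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# A CGI server exports request headers as environment variables; Shellshock
# payloads start such a value with a Bash function definition.
PREFIX = "() {"

# Constructed sample log (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = """\
192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2014:10:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 31 "-" "() { :; }; echo probe"
198.51.100.7 - - [25/Sep/2014:10:01:06 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 0 "() { :;}; echo probe" "curl/7.30"
203.0.113.44 - - [25/Sep/2014:10:02:11 +0000] "GET /cgi-bin/status HTTP/1.1" 200 31 "-" "() { :; }; echo probe"
192.0.2.10 - - [25/Sep/2014:10:03:00 +0000] "GET /about.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

def scan(log_text):
    """Return (hits, per-source Counter, per-path Counter) for flagged requests."""
    hits, sources, targets = 0, Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not combined log format; skip rather than guess
        # Only Referer and User-Agent are logged in this format; a probe in
        # any other header is invisible to this check.
        if any(m[f].lstrip().startswith(PREFIX) for f in ("referer", "agent")):
            hits += 1
            sources[m["ip"]] += 1
            parts = m["request"].split()
            targets[parts[1] if len(parts) > 1 else "?"] += 1
    return hits, sources, targets

if __name__ == "__main__":
    hits, sources, targets = scan(SAMPLE_LOG)
    print(f"{hits} flagged requests from {len(sources)} unique IPs")
    for path, count in targets.most_common():
        print(f"{count:3d}  {path}")
```

A hit in the log records an attempt, not a compromise; whether the request reached a vulnerable Bash has to be checked on the host itself.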

A Threat to UNIX Machines

The extent of Shellshock could go far beyond Web servers, however. The bug could become a serious threat to computers using Unix-based operating systems, including Linux and Apple’s Mac OS X. From there it has the potential to spread to all Internet-connected devices. Bash is the software used to control the command prompt on many Unix computers, and Shellshock can exploit it to take complete control of a system.

Shellshock could also allow hackers to gain access to every Internet-enabled device in a person’s home by way of products as benign as smart light bulbs.

Hard to Count Vulnerable Devices

Experts say one reason vulnerable devices are hard to count is that the bug interacts with other software in unexpected ways, because so much software uses the Bourne-Again Shell in some way. That means it’s almost impossible to fully catalog all the devices and products that could be vulnerable to the Bash bug.

Where Shellshock differs from Heartbleed is that the previous bug only affected a specific version of OpenSSL. Bash has been around long enough that lots of older devices on networks are vulnerable, which means the number of systems that need to be patched is much greater — especially considering that many others won’t be patched.

An early patch for the vulnerability turned out to be inadequate. Further patches against related vulnerabilities were released over the weekend. Given the ease with which attackers have exploited Bash and how little trouble they’ve had with the large Bash user base, the problems created by Shellshock might be just beginning.
