Shellshock Exploit Exposes Millions Of Servers To Hackers

Remember Heartbleed, that age-old bug that only surfaced last year and left more than half of all internet servers around the world exposed? Looks like we might have yet another Heartbleed on our hands. This one has been codenamed Shellshock. Experts are already saying the Shellshock exploit could impact millions of Unix systems that operate on Linux or Mac iOS. And may even threaten consumer devices including home routers.

What We Know About The Shellshock Exploit

Shellshock is considered so bad, the U.S. Government’s National Vulnerability Database has given it its highest score, 10 out of 10, for severity. The Shellshock exploit has been described as a fast-moving worm that’s rapidly searching for servers with unpatched vulnerabilities and then exploiting them. And there may be plenty to exploit.

The vulnerability it exploits is in software called Bash, which stands for Bourne Again Shell. Bash is open source software that’s been around for nearly quarter of a century and so no one is sure how long it’s been exploited. Bash is a code that allows users to issue simple text commands that can control their servers.

Once hackers use the Shellshock exploit to take advantage of unpatched versions of Bash, they can wreak havoc. They can take control of the server, steal information on it, destroy information on it, scan for other vulnerable devices, and use the server to plant malicious code and attack other servers and sites.

Who Is Being Impacted?

A report by Ars Technica interviewed one researcher alone who found more than 3,000 vulnerable web servers already being exploited by botnets using the Shellshock exploit, and many experts said that they identified attacks based on the exploit within only hours of its first public disclosure.

According to Ars, as of September 25^th “A test on Mac OS X 10.9.4 (“Mavericks” showed that it also has a vulnerable version of Bash. Apple has not yet patched Bash, though it just issued an update to command line tools.”

Vulnerability Fixes Are Only Part Of The Solution

While organizations rushed to patch the vulnerability, it turned out that the patch wasn’t enough. That’s in part because not enough is known about the attack, and observers are saying it could take weeks before we know enough about Bash vulnerabilities to have a long-term fix. RedHat Linux, the top Linux provider, has warned its customers that while it has issued a patch, the patch is still considered incomplete and will not fully stop exploits.

One of the biggest challenges for security and it administrators is knowing where to start and where to look. So many organizations have used Bash in so many places, there are probably many instances where it won’t be found and patched.

Steps You Can Take To Protect Your Servers

• Check if you use Bash and where. A number of websites have published scripts that will enable you to tell if you’re exposed. Check with Red Hat, Ubuntu or any other provider of Linux.
• If you’re vulnerable, download the patch. Then download again. This is a fast moving and rapidly changing security threat. Current patches may not be enough so keep checking for new patches.
• If in doubt, disconnect. A vulnerable server must be connected to the Internet in order for the attack to be successful.
• Talk to your host. They’ll be aware of the Shellshock exploit and should be able to tell you if you’re vulnerable and what they’re doing about it.
• Beware of scams. Expect hackers to start spamming out all kinds of alerts, patches, fixes and other bogus services to trick the unwary.

Are SiteLock Customers Protected From The Shellshock Exploit?

SiteLock’s Web Application Firewall (WAF) has already been updated with the signatures needed to detect and block Shellshock. The vulnerability was shared with the security community in advance of public release which gave us sufficient time to update our scanners.

Exploits like Shellshock would normally register as high risk anyway and would have automatically been blocked. Our website scanners are updated constantly to accommodate any new intelligence and signatures, and by default closes any communications channels that could be used in the attack.

We are constantly monitoring discussions about Shellshock and incorporating any relevant any intelligence to our WAF.

Be assured that the entire team at Sitelock is watching developments carefully. If you’re a SiteLock user, you can be certain that we’re watching for any unusual activity on all our protected sites. And if you’re not a SiteLock customer, maybe it’s time you changed that. Give us a call at 855.378.6200 to speak with a Website Security Consultant today.

Google Author: Neal O’Farrell