Remember Heartbleed, that age-old bug that only surfaced last year and left more than half of all internet servers around the world exposed? Looks like we might have yet another Heartbleed on our hands. This one has been codenamed Shellshock. Experts are already saying the Shellshock exploit could impact millions of Unix systems that operate on Linux or Mac iOS, and it may even threaten consumer devices such as home routers.
Shellshock is considered so bad that the U.S. Government’s National Vulnerability Database has given it its highest severity score, 10 out of 10. The Shellshock exploit has been described as a fast-moving worm that is rapidly searching for servers with unpatched vulnerabilities and then exploiting them. And there may be plenty to exploit.
The vulnerability it exploits is in software called Bash, which stands for Bourne Again Shell. Bash is open source software that has been around for nearly a quarter of a century, so no one is sure how long the flaw has been exploited. Bash is a program that allows users to issue simple text commands to control their servers.
Once hackers use the Shellshock exploit to take advantage of unpatched versions of Bash, they can wreak havoc. They can take control of the server, steal information on it, destroy information on it, scan for other vulnerable devices, and use the server to plant malicious code and attack other servers and sites.
A report by Ars Technica interviewed a single researcher who had found more than 3,000 vulnerable web servers already being exploited by botnets using the Shellshock exploit, and many experts said that they identified attacks based on the exploit within only hours of its first public disclosure.
According to Ars, as of September 25th: “A test on Mac OS X 10.9.4 (“Mavericks”) showed that it also has a vulnerable version of Bash. Apple has not yet patched Bash, though it just issued an update to command line tools.”
While organizations rushed to patch the vulnerability, it turned out that the patch wasn’t enough. That’s in part because not enough is known about the attack, and observers are saying it could take weeks before we know enough about the Bash vulnerabilities to have a long-term fix. Red Hat, the top Linux provider, has warned its customers that while it has issued a patch, the patch is still considered incomplete and will not fully stop exploits.
One of the biggest challenges for security and IT administrators is knowing where to start and where to look. So many organizations have used Bash in so many places that there are probably many instances that won’t be found and patched.
SiteLock’s Web Application Firewall (WAF) has already been updated with the signatures needed to detect and block Shellshock. The vulnerability was shared with the security community in advance of public release which gave us sufficient time to update our scanners.
Exploits like Shellshock would normally register as high risk anyway and would have been blocked automatically. Our website scanners are updated constantly to accommodate any new intelligence and signatures, and by default they close any communications channels that could be used in the attack.
We are constantly monitoring discussions about Shellshock and incorporating any relevant intelligence into our WAF.
Be assured that the entire team at SiteLock is watching developments carefully. If you’re a SiteLock user, you can be certain that we’re watching for any unusual activity on all our protected sites. And if you’re not a SiteLock customer, maybe it’s time you changed that. Give us a call at 855.378.6200 to speak with a Website Security Consultant today.
Author: Neal O’Farrell