On September 24 The Mitre Corporation began tracking a vulnerability discovered by Stephane Chazelas, a UNIX/Linux and Telecom Specialist at SeeByte.  The vulnerability, named “Shell Shock” by the cyber security research community, is present in BASH (Bourne-Again Shell), a software tool commonly used in a variety of UNIX-based systems such as LINUX and Mac OS X.  While Shell Shock has yet to receive a great deal of media coverage outside of the tech community, the scope and severity of this vulnerability are significantly greater than those of the Heartbleed bug.

The systems at risk from the Shell Shock vulnerability include any number of devices that use BASH on LINUX or Mac OS X, including routers, servers, Android phones, and industrial control systems in the manufacturing and energy sectors.  The National Institute of Standards and Technology (NIST) scored Shellshock at a severity level of 10 (High) because of the relatively low complexity required to develop an exploit against it and the significant impact of such an exploit if it were to proliferate.  The vulnerability could allow an adversary to remotely open a command shell and take complete control of the victim device.  The Mitre Corp began tracking Shellshock under CVE-2014-6271, but issued a follow-up, CVE-2014-7169, after determining that the patch for the initial CVE was incomplete.

The good news is that not every system that uses BASH is vulnerable to remote exploitation.  The most likely attack vector will be against web servers using CGI scripts.  For Mac OS X users, C|net reports that according to Apple, “the vast majority of OS X users are not at risk to recently reported bash vulnerabilities.”

What can you do?

1. Run the following command to test whether your version of Bash is vulnerable to CVE-2014-6271 or CVE-2014-7169.  If the output contains a line consisting only of the word vulnerable, your version of BASH is vulnerable.

$ env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"

Red Hat has identified a number of different outputs from the command above based upon different versions of BASH.

2. Apply patches to vulnerable systems to update Bash to a non-vulnerable version.

3. If a patch is unavailable for the specific LINUX distribution you are using, we recommend switching to an alternative until a patch is available.

4.  Be vigilant against unusual activity on your network. Security vendors are working diligently to develop patches and provide solutions for their particular systems which will help protect against exploitation of the Shell Shock vulnerability… but be aware that adversaries are working harder to develop an exploit.
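
The check from step 1, wrapped in a script as an added example (not code from the original post or from Red Hat): it runs the test against any bash binary on the host and reports it vulnerable only when a line of output is exactly the word vulnerable. The function names and the `not-found` result are assumptions of this example.

```shell
# Added example: function names and result strings are this example's own.

# classify_output TEXT
# Prints "vulnerable" if any line of TEXT is exactly the word "vulnerable",
# otherwise "not-vulnerable". Warnings that merely mention the word do not count.
classify_output() {
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        echo vulnerable
    else
        echo not-vulnerable
    fi
}

# check_bash [PATH]
# Runs the step 1 test against one bash binary (default: bash found on PATH).
# stderr is captured too, because different bash versions print warnings there.
check_bash() {
    cb_bin=${1:-bash}
    if ! command -v "$cb_bin" >/dev/null 2>&1; then
        echo not-found
        return 2
    fi
    cb_out=$(env 'x=() { :;}; echo vulnerable' \
                 'BASH_FUNC_x()=() { :;}; echo vulnerable' \
                 "$cb_bin" -c 'echo test' 2>&1) || true
    classify_output "$cb_out"
}

# audit_bash PATH...
# Checks every listed binary, prints "PATH: result", and returns 1 if any of
# them is vulnerable. A host can carry more than one copy of bash.
audit_bash() {
    ab_rc=0
    for ab_bin in "$@"; do
        ab_res=$(check_bash "$ab_bin") || true
        echo "$ab_bin: $ab_res"
        if [ "$ab_res" = vulnerable ]; then
            ab_rc=1
        fi
    done
    return $ab_rc
}
```

Call `audit_bash` with every bash path present on the system, for example the bash entries listed in /etc/shells, so that a patched system copy does not hide an unpatched one installed elsewhere.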

EdgeWave EPIC Security Systems are engineered from the ground up to defend against external attacks targeting vulnerabilities like Shell Shock.  Visit the EdgeWave Alert page for up-to-date information on the BASH bug.