September 25th 2014
If you have a computer, server or mobile device running non-Windows operating systems – including Apple's OS, Linux and other UNIX-based systems – you may be facing a severe security threat from a bug dubbed Shellshock. It is thought that Android devices may also be affected. You also need to be on your guard against phishing emails tricking you into a fix for the bug … see bottom of this story for details.
Experts are warning that more than 500 million devices worldwide may be affected – a considerably higher number than with the recently-discovered Heartbleed bug which affected 'only' half a million machines.
The vulnerability is via a standard command prompt program installed on them called Bash (short for Bourne Again Shell), and affects versions which go back to Bash 1.14 – first released in 1995.
Attackers can potentially take over the device's operating system, access confidential information and use it as if it were their own. Shellshock is also thought to be considerably easier than Heartbleed for hackers to exploit, leading to fears that they will do so in force over the next days and weeks. Surrey University internet security expert Professor Alan Woodward told the BBC: "Whereas something like Heartbleed was all about sniffing what was going on, this was about giving you direct access to the system. The door's wide open."
Many web servers running the Apache system are also vulnerable.
HOME USERS: CHECK YOUR MANUFACTURER'S WEBSITE FOR UPDATES
PROFESSIONAL USERS: HERE'S HOW TO PATCH NOW.
CERT-UK -the UK National Computer Emergency Response Team – provides the following information and advice. This will be updated as and when it is available.
Shellshock (ID CVE-2014-6271) has a working patch for most distributions (more details in the below Advisory link), however there are reports that the patch is not a complete fix and so a further vulnerability ID has been established (CVE-2014-7169).
There are patches available for many of the major Linux distributions, such as:
– Red Hat Enterprise Linux (versions 4 through 7) and the Fedora distribution
– CentOS (versions 5 through 7) (http://lists.centos.org/pipermail/centos/2014-September/146099.html)
– Ubuntu 10.04 LTS, 12.04 LTS, and 14.04 LTS (http://www.ubuntu.com/usn/usn-2362-1/)
– Debian (https://lists.debian.org/debian-security-announce/2014/msg00220.html)
You can verify if a system is vulnerable by entering the following command:
env x='() { :;}; echo vulnerable’ bash -c “echo this is a test”
If the system is vulnerable, the output will be:
vulnerable
this is a test
An unaffected (or patched) system will output:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x’
this is a test
Mitigation advice
Patch systems at the earliest possible opportunity.
Follow good cyber security practices to secure internet connected devices:
– Block unnecessary inbound traffic at the firewall
– Disable unnecessary services running on devices
– If running web server software, ensure it runs from low privilege accounts
– Filtering input to websites, through a Web Application Firewall, can also help to limit impact
– Ensure logging and auditing functionality is enabled and actively monitored
Disabling cgi-bin functionality will help to mitigate some of the impact of the vulnerability, but may have an impact on websites running it
Good general description: http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
Akami reference: https://blogs.akamai.com/2014/09/environment-bashing.html
Potential scam email threat
You are also warned to be on your guard against scam emails recommending you download and run software to fix the Shellshock bug by clicking on a link or downloading a file. Scammers generally take advantage of situations such as this to infect your device with spyware or trick you into revealing your personal details in order to commit fraud or identity theft.