Shellshock, the vulnerability in Bash, the command-line shell used on Linux, Unix and Mac OS X, is making headlines and exciting comment from across the cybersecurity industry, with some arguing that its impact could exceed that of Heartbleed, the OpenSSL flaw from earlier this year, by a factor of a thousand.
Many system admins will be wondering whether the hype reflects the true threat posed by the bug, and what can be done to protect against it. Though the picture is unclear right now, some facts have already been established.
What exactly is vulnerable?
Web servers run scripts to generate content, and one common way of doing so is the Common Gateway Interface (CGI). When a CGI script is run, the web server hands it details of the request (the client's IP address, browser version and other request headers) as environment variables. Bash reads its environment at start-up, and affected versions treat any variable whose value begins with "() {" as a function definition; the bug is that they also execute whatever commands follow that definition.
Shellshock therefore lets an attacker run system-level commands on the server by sending a request header containing a function definition followed by a command, which the server stores in an environment variable for the script, whenever that script is written in Bash or invokes Bash. No credentials of any sort are needed: an ordinary, unauthenticated HTTP request is enough.
Sounds bad. But how bad?
A report by the BBC put the potential number of affected machines at a "conservative" estimate of 500 million, and most of the security community agrees it could be a serious problem. But the key word there is could.
When a vulnerability like this is discovered it is often hard to ascertain how many organisations have been affected, as it lay unknown for so long. As Lawrence Jones, chief executive of hosting firm UKFast, said: "A lot of the existing proofs of concepts out there are specially designed to show how it theoretically could be compromised, not how it can be compromised on your average system."
So I'm safe then?
Not necessarily. Early reports disagreed over whether the flaw can be exploited remotely, but the CGI case described above is a remote path: anything that accepts input from the network and passes it to Bash through an environment variable can be attacked from outside. Systems that never expose Bash to untrusted input face only an internal threat, which is some comfort for the Industrial Control Systems that may be affected.
On the other hand, many in the industry believe it will be difficult to patch all of the devices and systems that depend on Bash. "In some areas this will be a challenge to fix," said Joe Hancock, cyber security specialist at insurance firm AEGIS London. "Many embedded devices are not designed with regular updates in mind and will never be able to be patched."
Is there any way I can check?
Yes. System administrators can open a Bash shell and run the following command:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If the word "vulnerable" appears in the output, Bash is unpatched and should be updated as soon as possible. A patched Bash prints only "this is a test", usually preceded by a warning on stderr that it is ignoring the function definition attempt. Apply the latest update from your vendor rather than stopping at the first one, since the initial patches were followed by further fixes.
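The following script is an added example, not code from the original article, and it ties together the two points above: the self-test for an unpatched Bash, and the CGI step in which a web server copies an attacker-controlled request header into an environment variable before running a script under Bash. The hostile User-Agent value is constructed here for illustration and carries a harmless echo; the only assumption is that a bash binary is on the PATH.

```shell
#!/bin/sh
# Added example (not from the original article). Demonstrates (1) the
# self-test for an unpatched Bash and (2) how a CGI web server turns a
# request header into an environment variable that Bash then parses.
# Assumes a 'bash' binary is on PATH.

# Run the self-test. Prints "vulnerable", "patched" or "unknown".
# An unpatched Bash imports the function definition in $x and then runs
# the trailing "echo vulnerable"; a patched one ignores it (with a
# warning on stderr) and only prints "this is a test".
shellshock_check() {
    command -v bash >/dev/null 2>&1 || { echo unknown; return; }
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo this is a test' 2>/dev/null) || true
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Simulate the CGI step: the server copies the request's User-Agent
# header into HTTP_USER_AGENT and runs the "script" with Bash. The script
# body never reads HTTP_USER_AGENT; the bug triggers before it starts.
cgi_simulation() {
    command -v bash >/dev/null 2>&1 || return 0
    HTTP_USER_AGENT="$1" bash -c 'echo "Content-Type: text/plain"; echo; echo "hello from cgi"' 2>/dev/null || true
}

# Constructed hostile header: same shape as the self-test payload, with a
# harmless command in place of what an attacker would send.
MALICIOUS_UA='() { :;}; echo INJECTED-COMMAND-RAN'

# Did the injected command run inside the simulated CGI request? yes/no.
cgi_injected() {
    out=$(cgi_simulation "$MALICIOUS_UA")
    case "$out" in
        *INJECTED-COMMAND-RAN*) echo yes ;;
        *)                      echo no ;;
    esac
}

# The self-test and the CGI simulation exercise the same function-import
# code path in Bash, so their verdicts must agree on any one system.
results_agree() {
    check=$(shellshock_check)
    injected=$(cgi_injected)
    if [ "$check" = vulnerable ] && [ "$injected" = yes ]; then echo agree
    elif [ "$check" != vulnerable ] && [ "$injected" = no ]; then echo agree
    else echo disagree; fi
}

echo "Bash self-test:           $(shellshock_check)"
echo "Injected header executed: $(cgi_injected)"
```

Drop the 2>/dev/null redirections to see the "ignoring function definition attempt" warning that a patched Bash emits; on an unpatched system the second line reads "yes", which is the whole vulnerability in one request header.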