Shellshock Security Flaw, Responds by Google and Amazon, Industry review of recent threat

Published: Fri, 26 Sep 2014 by Rad

Hackers exploit 'Shellshock' bug with worms in early attacks on Thursday Sept 25, 2014. They have begun exploiting the newly identified "Shellshock" computer bug, using fast-moving worm viruses to scan for vulnerable systems and then infect them. Cyber security experts are sounding the alarm that the Shellshock bug, a 22-year-old flaw in the code of a commonly used software, could be used by hackers to take over millions on computers.

Shellshock takes advantage of computer code that accidentally allows hackers to issue software commands to networked computer systems. A flaw in that code – used by devices based on the Unix operating system, including Apple’s OS X – could allow hackers to take control of remote systems and execute commands.

What is Bourne shell and bash

The Bourne shell (sh) is a shell, or command-line interpreter, for computer operating systems. The Bourne shell was the default Unix shell of Unix Version 7. Most Unix-like systems continue to have /bin/sh—which will be the Bourne shell, or a symbolic link or hard link to a compatible shell even when other shells are used by most users.

Bash is a Unix shell written by Brian Fox for the GNU Project as a free software replacement for the Bourne shell (sh). Released in 1989,[5] it has been distributed widely as the shell for the GNU operating system and as a default shell on Linux andMac OS X. Bash is a command processor, typically run in a text window, allowing the user to type commands which cause actions. Bash can also read commands from a file, called a script. Like all Unix shells, it supports filename wildcarding, piping, here documents, command substitution, variables and control structures for condition-testing and iteration.

Most Linux web servers will have shell installed. It is estimated that 60%+ web servers run on *nix version of operating system.

"It's worse than Heartbleed in that it affects servers that help manage huge volumes of Internet traffic," Darien Kindlund of the cyber security firm FireEye wrote in a blog post. "Conservatively, the impact is anywhere from 20 to 50 percent of global servers supporting web pages."

abcnmews.go.com/cite>

However, software company Red Hat noted that while "it's certainly plausible that some devices may be affected by this flaw, it won't be very common."

The flaw was discovered by open source developer Stephane Chazelas. He contacted Chet Ramey, the Ohio man who has maintained the software for the past 22 years as a hobby, to notify him of the flaw, according to the New York Times.

Severe security warning

The two men then worked with a group of open-source security experts and were able to create a patch within hours, the Times reported. Then came the tough part: They quietly contacted software makers while trying to make sure they did not tip off hackers to the vulnerability.

An alert from the National Institute of Standards and Technology rated Shellshock a 10 out of 10 in terms of severity and also noted that the flaw is relatively easy for hackers to exploit, however it was unclear what damage, if any, Shellshock has caused.

Google has taken steps to fix the bug in both its internal servers and commercial cloud services, a person familiar with the matter said. Amazon released a bulletin Thursday that showed Amazon Web Services customers how to mitigate the problem.

Check if you are vulnerable and update your operating system with patched bash

You can check if you're vulnerable by running the following lines in your default shell, which on many systems will be Bash. If you see the words "busted", then you're at risk. If not, then either your Bash is fixed or your shell is using another interpreter.

env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
env X="() { :;} ; echo busted" /bin/sh -c "echo completed"

More about prevention and industry patches can be found in following blog post from red Hat engineers: Bash specially-crafted environment variables code injection attack. Red Hat is company behind famous and most commercially succesfull Linux distribution:Red Hat Enterprise Linux.

Resources and related articles

Our previous news stories