All You Need to Know About the ShellShock Bug

The Shellshock bug has caused jitters in the security community this week. The bug, which has been lying low for the last two decades, is a serious software vulnerability in UNIX-like operating systems. It is tricky to patch and very easy to manipulate. It could easily be used to compromise millions of servers and devices, hence the panic.

The Shellshock bug originates from coding mistakes in Bash, software initially authored by programmer Brian Fox in the late 80s. “Bash” (Bourne Again SHell) is a pun on Stephen Bourne, the author of the UNIX shell simply known as sh. Bash uses a text-based, command-line interface to execute other programs. It utilizes Internet Relay Channel (IRC), a popular communication channel used by hackers to distribute their programs.

The software is compatible with various operating systems, including Linux, GNU and Apple’s Mac operating system. Technically, the bug is primarily a problem for users of UNIX, Linux and other related operating systems. That notwithstanding, Bash is also widely utilized in other Internet-connected devices. That means the vulnerability could spread from standard iMacs to more common appliances such as smart fridges, thermostats, IP cameras and various home routers from manufacturers such as Linksys, Netgear and Cisco.

Security experts fear that the Shellshock bug could be worse than the dreaded Heartbleed that plagued the world earlier in April. Heartbleed was used by attackers to acquire sensitive information such as encryption keys and passwords from vulnerable servers. It exploited how your browser communicated over an encrypted channel. Such information was used to access the system later.

Shellshock is more dangerous: it enables the attacker to gain full control of your system without necessarily having a password or the encryption keys. Attackers can remotely execute any command on a vulnerable system. This implies that it is possible to create a replicating worm that could be propagated over the network, compromising millions of systems within a short time.

“Auditing systems for shell will not be like scanning for Heartbleed. Heartbleed scans could be completed by anyone with network access with high accuracy. With shellshock, the highest form of accuracy to test for this is to perform a patch audit. IT auditing shops that do not have a mature relationship with their IT administrators may not be able to audit for this,” said Ron Gula, CEO of Tenable Security, on his company blog.

Who is Vulnerable?

Everyone has freaked out, but in reality not all computers are vulnerable. Basically, the bug affects systems with Bash installed. That means all systems running Unix, Linux, Ubuntu or Mac OS, where Bash is installed by default, are at risk. That does not necessarily mean that attackers can easily target your system; they will need to access your computer’s Bash program through the Internet. Cyber security experts at FireEye indicate that the most likely targets are Internet servers and large computer systems.

All Windows-based computers are safe. You also have no reason to worry if you are connected to the Internet physically via an Ethernet cable or through a password-protected wireless network. Using an untrusted wireless connection makes your system more vulnerable to the Shellshock bug. Windows users should, however, not be complacent. According to Mike Jackson, a cyber-security expert at Birmingham University, though your PC might be safe, the router you use for your broadband could be running Unix-based software and therefore you may be at risk of attack.

All eight versions of Bash, from the earliest 1.13 to the latest 4.3, are vulnerable to ShellShock. To test whether your version of Bash is vulnerable, run either of the following commands.

    $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

Or:

    $ env X="() { :;} ; echo vulnerable" /bin/sh -c "echo stuff"

If the system responds with “vulnerable” followed by “this is a test” (or by “stuff” for the second command), then your version of Bash is vulnerable and you should apply any available updates immediately.
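The probe above, wrapped as a small audit function that can be pointed at several shell binaries (an added example, not part of the original article). The function names, the status labels and the list of shell paths are assumptions; the probe string is the one shown above and only echoes a marker.

```shell
#!/bin/sh
# Added example: wraps the article's environment-variable probe in a reusable check.

# probe_shell PATH
# Prints "vulnerable", "not-vulnerable", "missing" or "unknown" for one shell binary.
probe_shell() {
    probe_target=$1
    if [ ! -x "$probe_target" ]; then
        echo "missing"
        return 0
    fi
    # x looks like an exported function with a command appended after its body.
    # A vulnerable bash runs that appended command while importing the variable;
    # a patched bash (or a non-bash shell) treats x as plain data.
    probe_out=$(env x='() { :;}; echo vulnerable' \
        "$probe_target" -c 'echo probe-done' 2>/dev/null) || true
    case "$probe_out" in
        *vulnerable*) echo "vulnerable" ;;
        *probe-done*) echo "not-vulnerable" ;;
        *)            echo "unknown" ;;
    esac
}

# audit_shells PATH...
# Prints one "path: status" line per shell; returns 1 if any is vulnerable.
audit_shells() {
    audit_rc=0
    for audit_path in "$@"; do
        audit_status=$(probe_shell "$audit_path")
        echo "$audit_path: $audit_status"
        if [ "$audit_status" = "vulnerable" ]; then
            audit_rc=1
        fi
    done
    return "$audit_rc"
}

# The shell paths below are assumptions; list the ones present on your hosts.
audit_shells /bin/bash /bin/sh
```

A non-zero exit status from `audit_shells` means at least one listed shell executed the appended command and needs updating.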

VPN providers have been quick to assure customers of the safety of their networks. Vikings VPN posted on their blog page that all Viking servers are 100% safe from the ShellShock bug. “No shellshock related attacks were detected anywhere on Vikings Networks,” wrote Derick Zimmer.

PureVPN also ruled out any vulnerability in their networks. “In accordance with the guidelines issued by the US Computer Emergency Readiness Team, PureVPN has quickly patched up and updated all critical components to keep its users 100% safe and secure.”

Private Internet Access also took measures to ensure its customers won’t be targeted. “Following reports of attacks by a Bash bug named ‘shellshock’ started rolling in, PIA took additional security measures to ensure the privacy of its customers remained intact,” stated PIA’s Joseph Craig.

Meanwhile, Apple maintains that the majority of its users are not susceptible to the attack, except those who have customized their advanced UNIX settings. Apple also released a patch, although security experts warn that the patch could not be used to fix all vulnerabilities.

Although it is still too early to know the extent of the ShellShock bug, there is evidence of attackers using the bug to stage attacks “in the wild”. Security researchers discovered the first Shellshock botnet (a network of hacker-controlled computers operating maliciously as a group). The botnet, known as wopbot, seems to be targeting parts of the United States and the Department of Defense.

Ali Raza Ali is a freelance journalist with 5 years of experience in web journalism and marketing. He contributes to various online publications. With a Master's degree, he now combines his passions for writing about internet security and technology for SecurityGladiators. When he is not working, he loves traveling and playing games.