What Does Shellshock Mean for My Enterprise Linux Operating System?

A critical vulnerability in the Bash command-line shell engendered concern in its wake, but what does the discovery of Shellshock mean for my enterprise?

What is Shellshock?

Shellshock is a wide-spread vulnerability affecting versions of GNU Bash through 4.3. It has been found in the wild, specifically in active exploits against web servers.

Dan Timpson, vice president of technology at digital certificate authority DigiCert, explains on the company’s blog

Bash is a command-line shell used in many Linux and UNIX operating systems. … While Bash is often thought of as simply a local shell, it is arguably one of the most installed utilities in any Linux system. Many applications invoke Bash to run external commands, like CGI scripts—and this is where Shellshock comes in.

When Bash is called in an infected system, an attacker could leverage the vulnerability to cause Bash to execute any commands in the malicious environment configured. Some OpenSSH configuration and DHCP clients may also be affected by Shellshock. A successful attack could affect systems in various ways. In addition to crashing or hosting malware, an infected system could be used by an attacker to breach systems and obtain sensitive data and network access credentials.

Security experts note that there are specific conditions that must exist in the infected system for this to occur. Regardless, they encourage users to install all patches for Linux and other systems using Bash. They also recommend that system administrators install the latest intrusion detection signatures to detect and block any attempts to exploit system vulnerabilities.

Bash Patches

Vendors including Cisco, Juniper Networks, Hewlett-Packard, and Oracle issued security updates for their products as a result. Networking gear was particularly vulnerable according to CRN, which reported:

Cisco Systems identified dozens of networking devices, firewalls and other gear that are impacted by the vulnerability. Users of networking gear from Fortinet, F5 Networks, Dell, Check Point, Blue Coat and Barracuda Networks are also impacted by the flaw.

Oracle has generated a list of products that are affected by Shellshock vulnerabilities, or might be affected by them, along with a list of Oracle products that have fixes available. The list includes products by PeopleSoft, Sun, Pillar and other Oracle brands.

There’s really nothing to be gained by panicking. If your organization is proactively installing upgrades and updates for software and hardware and following industry best practices on network security, there is most likely no need for extraordinary measures.

How to Check for Bad Bash

You may wish to check your system regardless. To determine whether the servers for which you are responsible may be vulnerable, ReadWrite suggests opening your Terminal program and entering the following:

$ bash –version

To search for the bug, type:

$ env X=”() { :;} ; echo vulnerable” /bin/sh -c “echo stuff”

If the response is “vulnerable stuff,” then it contains the vulnerability.

This is one of several recently-discovered vulnerabilities found in Bash. Some are very closely related and are, as a result, being lumped under the Shellshock rubric.

If you or your colleagues observe an unexplained spike in traffic on a specific server, odd changes in system CPU/memory usage, suspicious connections and processes, and similar activity, your system may be infected.

For the latest information on this and other security issues, visit the United States Computer Emergency Readiness website.

Should you need more specific assistance, please contact Datavail for more information on how we might best support you and your organization with custom solutions tailored to your database security needs.

Image by hatoriz/123RF.