US-CERT is warning of a critical vulnerability in the Bash command processor. The flaw, uncovered by software engineer Stephane Chazelas, potentially impacts all Unix-based operating systems, including Linux and Mac OS X.
“Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code on an affected system,” the US-CERT alert notes.
“This is without a doubt a much bigger deal than Heartbleed; the bug is incredibly easy to exploit, vulnerable programs are more widespread, and the consequences will be more severe,” SilverSky Labs vice president Brandon Edwards said by email. “Expect chaos and mayhem as the bad guys now rush to take advantage of it before it is patched.”
Security expert Graham Cluley warns that the flaw might well be exploited to create a worm that takes advantage of Bash’s ubiquitousness. “If such a worm materialised it would, without question, make the Bash bug a more serious threat than the HeartBleed OpenSSL bug that impacted many systems earlier this year,” Cluley wrote in a blog post.
And according to AlienVault Labs director Jaime Blasco, that’s already happening.
AlienVault has been running a honeypot for the past few days that emulates a vulnerable system. “[W]e found two worms that are actively exploiting the vulnerability and installing a piece of malware on the system,” Blasco said by email. “This malware turns the systems into bots that connect to a C&C server where the attackers can send commands, and we have seen the main purpose of the bots is to perform distributed denial of service attacks.”
“The problem with Bash is that it’s used for everything,” Easy Solutions CTO Daniel Ingevaldson wrote in a blog post examining the flaw. “On a Linux-based system, Bash is the default shell, and anytime a Web-enabled process needs to call a shell to process input, run a command (such as ping, or sed, or grep, etc.), it will call Bash.”
“Everyone should watch their logs carefully — this exploit is noisily and easily logged — and patch as soon as possible,” Ingevaldson added. “In addition, given the risk that the patches may not be effective, organizations should consider monitoring to ensure their devices are not being used to host phishing or other attacks.”
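As an added defender-side example, not code from the article or from any of the quoted vendors, the check below scans constructed Apache-style access log lines for the Bash function-definition marker that requests abusing this bug carry in client-supplied header fields; the log format, field names and sample lines are assumptions.

```python
import re

# Well-known marker of the Bash bug: Bash treated an environment variable whose
# value begins with "() {" as a function definition and ran what followed it.
# Web servers that export request headers to CGI handlers as environment
# variables log that marker in fields such as User-Agent or Referer.
SHELLSHOCK_MARKER = re.compile(r"\(\)\s*\{")

# Combined log format (Apache/nginx style), assumed here:
# host ident user [timestamp] "request" status size "referer" "user-agent"
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def parse_line(line):
    """Return the fields of one combined-format log line, or None if malformed."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def find_shellshock_hits(lines):
    """Return (host, field, value) for each client-controlled field carrying the marker.

    The request line, Referer and User-Agent are checked because CGI handlers
    export all three into the environment of the shell they spawn.
    """
    hits = []
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue  # skip lines that do not parse rather than crash the scan
        for name in ("request", "referer", "agent"):
            if SHELLSHOCK_MARKER.search(fields[name]):
                hits.append((fields["host"], name, fields[name]))
    return hits


# Constructed sample lines (not from any real server): two benign requests and
# two carrying the marker, in the User-Agent and Referer fields respectively.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [25/Sep/2014:10:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 77 "-" "() { :; }; echo probe"',
    '203.0.113.9 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 77 "() { x; }; echo probe" "curl/7.37"',
    '198.51.100.2 - - [25/Sep/2014:10:02:00 +0000] "POST /login HTTP/1.1" 302 0 "https://example.com/" "Mozilla/5.0 (X11; Linux)"',
]

if __name__ == "__main__":
    for host, field, value in find_shellshock_hits(SAMPLE_LOG):
        print(f"{host} {field}: {value}")
```

Running it over real access logs means feeding the file's lines to `find_shellshock_hits`; a hit shows that the marker reached the server, not that the host was exploited, which is what the patch status has to answer.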
Malwarebytes Labs senior security researcher Jerome Segura also said it’s going to take a while to ensure that all vulnerable systems are patched. “While patches have been issued, system administrators will be working long shifts to go through every single server, router and other piece of equipment that uses the Bash shell,” he said.
Most importantly, the range of devices potentially affected by the flaw reaches far beyond just PCs and servers.
“I suspect that many of the Internet of Things, or Internet of Everything, devices that have been distributed have Linux roots,” Authentify vice president and product architect Alan Dundas said by email. “How will the small CPU in your thermostat prevent malware introduced via a Bash flaw from sniffing around whatever else is connected to it? It probably wasn’t designed to have that capability.”
“Therein lies the fatal error of connecting lots of simple items into a complex network without thoroughly evaluating what could go wrong,” Dundas added.
An unfortunately prescient eSecurity Planet article recently examined the security risks inherent in the Internet of Things.