The Shellshock vulnerability in the Bash (Bourne Again Shell), first reported last week, has been fueling thousands of attacks against Web servers around the world ever since. Though Shellshock is a critical vulnerability, there are multiple ways that organizations can protect themselves, with both Bash patches and security software that limits the risk of the core flaw.
"The vulnerability in Bash allows attackers to feed arbitrary commands for execution on a system," Karl Sigler, manager SpiderLabs Threat Intelligence at Trustwave, explained to eSecurity Planet.
As a shell scripting tool, Bash's primary purpose is to execute commands, but the Shellshock vulnerability abuses that functionality. The risk is high, because many different back-end services, including Web servers, are attached to Bash.
Trustwave's network of honeypot Web servers first began to see Shellshock-related attacks early on Sept. 25. Trustwave uses the honeypots, basically open Web servers with the ModSecurity Web application firewall (WAF) in front of them, to monitor the Internet for attacks.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
"Using our ModSecurity signature feed we were able to track a bunch of Bash exploitation attacks on the honeypots," Sigler said. "Some of the attackers are just probing to see if the servers are vulnerable and some are actually dropping exploits."
One of the Shellshock exploits that Trustwave has seen is an attempt to download and install a customized version of the open-source nginx Web server. The attackers will then have their own Web server on top of the vulnerable Web server to execute any commands they want.
While patches for Shellshock are now publicly available for all Linux and Mac OS X systems, so too is proof-of-concept (PoC) code for Shellshock exploitation. That PoC code availability has led to an increase in Shellshock attacks and probes.
"There are a lot of people that are able to grab the PoC code, and it's really such an easy attack," Sigler said. "Most PoC code comes out after a patch is released, and that's typically when we see a spike in exploit attempts."
Trustwave sponsors the ModSecurity open-source WAF project, and positions it as a key tool in the fight against Shellshock. Trustwave provides commercial signatures to its customers for ModSecurity. The open-source version has its own core ruleset as well.
"Whether you're using open source and just the core ruleset or if you're a commercial Trustwave customer, you'll get signatures that will detect and block the Bash vulnerabilities," Sigler said.
Even as Bash attacks grow, the core flaw is a command injection attempt which is a key detection feature in ModSecurity and WAF platforms in general, Sigler explained.
"Trying to execute commands line tools on a server is a common exploit attack, whether it's cross site scripting, SQL injection or Shellshock, so we just monitor for those commands in general Web traffic," Sigler said. "If we see it, we block it, even if we don't know which specific Web vulnerability the attack is trying to take advantage of."
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.