There’s a new internet 0-day vulnerability spreading called Shellshock – code injection attack. It has a potential to affect around half of all websites on the internet (around 500 million), and millions or billions of internet devices such as routers, smartphones.
Shellshock can be exploited with just a few lines of code, giving just about anyone the ability to run any code on an affected computer. In simple terms, this means that it’s now relatively simple for anyone to gain access to a large portion of the world’s computers, and download/extract a wide variety of sensitive details.
Shellshock also has the potential to be turned into a worm — a self-replicating piece of code that automatically propagates to all Shellshock-vulnerable systems, potentially causing untold damage.
In technical terms, Shellshock is a vulnerability in a Linux (or *nix) program called Bash, with the formal designation of CVE-2014-6271. In the words of the US government’s NIST agency:
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka “ShellShock.” (Emphasis added)
In simpler, non-technical terms, Shellshock is a vulnerability in a very popular program — Bash — that is present on almost every Linux-based computer and device in the world. If you’ve ever used the “command line” on a Unix-like system (Linux, Mac OS X, Android) then you were probably typing commands into a Bash shell. This vulnerability, which can be exploited via a number of routes (at least Apache and DHCP), allows an attacker to run code directly on the vulnerable system. It is very, very easy to craft these attacks — it’s basically as simple as writing a few lines of Bash shell script.
The only real solution to protect yourself against Shellshock is to install a patched version of Bash. For server admins, this shouldn’t be too difficult, though there will be a lot of computers to update. For normal people, the real concern will be updating any and all devices that run some kind of Linux-flavored operating system and have a vulnerable version of Bash. At the very least, this will probably mean a lot of wireless routers need to be patched. Other smart and internet-of-things (IoT) devices may also need to be patched: Smart TVs, smart fridges, WiFi-connected thermostats, and any similar household or office doodads.
Unfortunately, many of these devices were not designed to be updated easily. Many smaller, embedded devices are of the “fire and forget” variety, and many more will be
Amusingly enough, our best hope for mitigating Shellshock quickly is if a white hat hacker creates a worm that uses the Shellshock vulnerability to automatically spread across the internet, patching vulnerable computers and devices as it goes.