A few days ago, a security bug known as Shellshock was disclosed – a big, nasty bug discovered hiding in many Unix-based systems all over the world.
People went into panic. Mac users especially so, since OS X is a Unix-based operating system (bet you didn’t know THAT). Governments went on high alert. And authorities recommended that users ‘close the windows, shut the doors, and hunker down in preparation for the possible fallout’.
While updated patches continue to hit the Web, Vulcan Post sat down in the midst of the kerfuffle with Lai Zit Seng, an IT Architect at the National University of Singapore, to find out more about what Shellshock actually is, and whether it is really worth wigging out over.
What is Shellshock?
Shellshock is a recently disclosed vulnerability in a very popular Unix shell known as GNU Bash. It allows attackers to cause programs, which are dependent on this Unix shell, to execute arbitrary commands and thus gain unauthorised access to a computer system. Attackers can then subsequently use the access to steal data, take control of the computer system, or use it as a platform to launch other attacks.
What is Unix, and what is a ‘shell’?
Unix is an operating system (OS) similar to DOS and Windows. It exists in many variants, or Unix-like systems, the most notable of which are Linux and Apple’s Darwin, which is the core of the OS X operating system released in 1999.
A shell is a text-based interface, where you type commands, and receive text responses. The Windows CMD.EXE is an example of a shell. So is GNU Bash.
How does Shellshock affect computer systems?
Hackers who exploit the vulnerability can tell the device carrying an affected version of GNU Bash what to do, remotely.
This is as good as the remote attacker having “login access” to the computer system to execute any command he or she wishes. Attackers can read files, change files, exploit another vulnerability to gain more privileges, or use the computer system as a platform to launch other attacks.
Which OSes are vulnerable to Shellshock?
GNU Bash is popularly included in many Unix type operating systems, so most of them are going to be affected by the Shellshock vulnerability. This includes Oracle Solaris, FreeBSD, and just about all Linux distributions.
Update: Apple has just posted the OS X Bash Update here.
What versions of Bash are affected?
Versions from 1.14 up to 4.3, before they are patched. Version 1.14 is from the year 1994. Yes, that’s some 20 years of GNU Bash affected by Shellshock.
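Because vendors backport the fix without changing the major version number, “4.3” on its own does not tell an administrator whether a given bash still has the bug described in the two answers above. The following script is an added example, not part of the interview or of GNU Bash itself: it runs the widely published self-test, a harmless function definition in an environment variable followed by a trailing command, against the bash found on PATH (or a path passed as the first argument) and reports whether that trailing command was executed. The variable value is a constructed test string, and the check covers only the originally disclosed pattern; the vendor’s complete patch set is still what closes the follow-up issues.

```shell
#!/bin/sh
# Added example (not from the interview): report whether the bash binary on
# this machine still executes the trailing command of a function definition
# passed through the environment (the original Shellshock pattern).
# The environment variable below is a constructed, harmless test value: a
# patched bash imports nothing from it, so the word "vulnerable" is never
# printed and only the inner 'echo completed' reaches stdout.
shellshock_check() {
    bash_bin="${1:-$(command -v bash 2>/dev/null)}"
    if [ -z "$bash_bin" ] || [ ! -x "$bash_bin" ]; then
        echo "bash-not-found"
        return 2
    fi
    # Run the check in a child process with the crafted variable in its
    # environment; only stdout is inspected. 2>/dev/null hides the warning
    # an early patched bash prints about ignoring the function definition.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo completed' 2>/dev/null)
    case "$out" in
        *vulnerable*)
            echo "vulnerable"
            return 1 ;;
        *)
            echo "patched"
            return 0 ;;
    esac
}

# Version string reported by bash, for the report below; vendors backport the
# fix, so "4.3" alone does not tell you whether the bug is present.
bash_version() {
    bash_bin="${1:-$(command -v bash 2>/dev/null)}"
    [ -n "$bash_bin" ] && "$bash_bin" -c 'echo "$BASH_VERSION"' 2>/dev/null
}

# Usage: sh shellshock_check.sh [/path/to/bash]
# Exit status of shellshock_check: 0 = patched, 1 = vulnerable, 2 = no bash found.
main() {
    printf 'bash version: %s\n' "$(bash_version "$@")"
    printf 'shellshock status: %s\n' "$(shellshock_check "$@")"
}

main "$@"
```

Run it on each host you administer, or point it at every bash binary present (some systems ship more than one); a “vulnerable” result means the package manager’s update has not been applied yet.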
Why would anyone have GNU Bash on their computers? How popular is it?
Windows users will probably not have GNU Bash, because Windows does not come with it, and most Windows users don’t have a need for such a shell anyway. However, it is a very popular shell in Unix operating systems, and that includes just about all distributions of Linux. Other Unix-type operating systems include Solaris and FreeBSD.
There are many shells. GNU Bash is certainly one of the most popular, if not the most. This means that anyone using a Unix system will be affected, so that means any industry that uses IT.
Why are governments so worried about Shellshock?
Governments are understandably concerned about Shellshock because of its potential to be exploited by cyberterrorists to attack critical information infrastructure. A Shellshock exploit could also be used to do mundane attacks like web page defacements.
Should regular users (home users, offices) be as worried?
Generally, no. Regular users probably run a regular operating system like Windows or OS X. Windows does not come with GNU Bash. Apple says OS X is safe by default. Not-so-regular users may somehow put GNU Bash in their Windows, or turn on advanced services in OS X, or run Linux. I think these users should know how to deal with the vulnerability. The major Linux distributions, for example, make the GNU Bash fix easy via their auto-update mechanism.
What can regular users do to protect themselves?
Honestly, I can’t think of anything regular users need to do, apart from adopting good cyber security practices (avoiding dubious links and websites, carrying a proper antivirus and firewall settings). If you ask me, I’d keep an eye on businesses that fail to deal with Shellshock and remember to avoid giving them my business!
What are the potential ramifications of Shellshock for Singaporean users (including regular consumers and the government, or big companies)?
I feel Shellshock is not very different from the many other big vulnerabilities that we’ve had to deal with, Heartbleed being one of the recent ones. Such vulnerabilities are not going to end with Shellshock. Certainly many more are going to come. System administrators need to deal with these vulnerabilities as they come.
More importantly, events such as Heartbleed and Shellshock should continue to underscore the critical need to understand security and create systems that are secure by design. Many times we see in IT projects that security is an afterthought. IT security needs to be a central pillar in most, if not all, institutions.
What’s in store for the future? Will Shellshock get bigger/better, so to speak?
The Shellshock vulnerability did turn out to be a bigger bug than was initially disclosed, but I think that’s all there is to it for now. Subsequently, it will be just another addition to the arsenal attackers have at their disposal. There are going to be servers that don’t get patched for a variety of different reasons. Some bad guy is going to find them some day and exploit that.
In summary, is Shellshock worth the hype?
Shellshock is a significant vulnerability, and it deserves urgent attention from system administrators to patch and secure their systems. On the other hand, it’s just one of the many other IT security vulnerabilities. Shellshock is exciting, but life needs to go on.
Lai Zit Seng is an IT Architect at the National University of Singapore, where he manages network operations, Unix server operations, data centre facilities, and IT security for the School of Computing. When he isn’t writing lines of code that could vanquish you into the abysses of cyberspace, he can be found blogging away here about other cool stuff.