Sep 29 2014

5 Things Government Agencies Should Know About the Shellshock Bug

As organizations work on a fix for the Bash system software flaw, security experts warn the response to this vulnerability is far from over.

It’s been a few months since government agencies were put on high alert after revelations that the Heartbleed security flaw could leave their online passwords and encrypted Internet traffic exposed to hackers. Now, security experts say, a new vulnerability affecting Unix-based operating systems could be far worse.

The Linux and Mac OS security flaw, dubbed "Shellshock," could open up systems to cyberattacks, according to the Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT).

“Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code on an affected systems,” US-CERT says in a Sept. 24 notice on the problem.

Shellshock was discovered in the Bash system software that “comes pre-installed on Apple’s Mac and MacBook as well as millions of other computers,” reports The Los Angeles Times. In simple terms, it “allows users to write coded text commands that translate to actions on the computer, from simple things like deleting files to complex tasks like changing network set-ups,” the article states.

Here are a few facts government agencies should know about Shellshock.

How severe is the Shellshock bug?

The U.S. National Vulnerability Database rated Shellshock a 10 on its 10-point scale in terms of impact and exploitability. The score takes into consideration how the vulnerability is accessed and whether additional conditions are required to exploit it as well as how and to what degree a vulnerability would directly affect an IT system if exploited.

“This is one of the most significant exploitable vulnerabilities that I’ve seen in the last 19 years that I’ve been doing this, because of the dramatic ubiquitous impact on websites, cloud infrastructure, Android and medical devices,” says Trend Micro Chief Cybersecurity Officer Tom Kellermann. “The problem here is that exploit[s] are being developed as we speak.”

There are attack platforms, such as Metasploit, that enable those with malicious intentions to penetrate network defenses and gain unauthorized access to data and systems. In its assessment of Shellshock, Cisco reported: “Functional code that exploits this vulnerability is available as part of the Metasploit framework.”

What kind of damage could hackers do using this vulnerability?

“A successful exploit could result in a complete system compromise,” according to Cisco.

Attackers can use the exploit to launch distributed denial-of-service (DDoS) attacks, steal data, gain remote access to networked devices, create bots and steal data, Kellermann notes. As of last week, Trend Micro was trying to work with law enforcement to put a stop to two active botnets using the ShellShock vulnerability to “expand their colony, growing by hundreds of computers every couple of minutes,” he adds. “This is Christmas for hackers.”

Kellermann says about 51 percent of today’s websites use Bash functions. Computers and Internet of Things (IoT) smart devices that run on Unix-based operating systems are also at some risk, if they use Bash. However, Red Hat says reporting on the issue may be overhyped. In response to questions about home appliances and other IoT devices, Red Hat said: “In reality, embedded devices rarely use Bash, going for more lightweight solutions such as BusyBox, which includes the ash shell that was not vulnerable to these issues. So while it’s certainly plausible that some devices may be affected by this flaw, it won’t be very common.”

What are government contractors and other companies doing in response to the news about Shellshock?

“Everyone is running around trying to solve this problem,” Kellermann notes. He says his company, Trend Micro, developed free tools to help IT administrators “scan and protect servers, including web security and anti-malware tools to help protect their end-user.”

Red Hat issued what seemed to be a fix for the Shellshock bug, but “a researcher found a similar flaw that wasn’t blocked by the first fix,” the company reported, adding that other flaws have since been found in the fix.

While patches are being issued to address the problem, they aren’t complete fixes.

What should my agency do in response to Shellshock?

Kellermann recommends that agencies widely deploy detection systems to learn if there is an ongoing breach or one has occurred recently. By the time a complete fix is developed for Shellshock, hackers will have had plenty of time to install custom root kits and malware on vulnerable systems.

Once agencies have installed patches or changed all the locks on their doors, so to speak, they need to determine if anything is missing or if someone is still inside their network, Kellermann adds. DHS and Cisco also offer guidance for responding to Shellshock.

What are other governments doing?

In Canada, some government systems were taken offline, according to the Global News. “When the government became aware of this vulnerability, all federal government organizations were directed by the Chief Information Officer for the Government of Canada to patch vulnerable systems on a priority basis,” Kelly James, spokeswoman for the Treasury Board of Canada Secretariat, told the Global News.

“For vulnerable systems where no patch is available, departments have been directed to take those systems offline. We continue to take precautionary steps, while monitoring the vulnerability closely,” James said.


Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.