
Big vendors including Oracle, Cisco and Red Hat have rushed to issue security patches as reports emerged of exploits based on the so-called ‘Shellshock’ (a.k.a. ‘Bashdoor’) flaw. However, important Oracle systems are still vulnerable.

The Shellshock flaw was hidden deep in the popular open source Bash command-line interpreter for Unix-based operating systems, and went undiscovered for 22 years. In the worst-case scenario, it can enable an attacker to inject malicious commands into the shell and completely take control of the system.

Over the years, Bash has become an important part of most Linux distributions, as well as Mac OS. Experts say it endangers not just servers, but also routers, smart home appliances and other embedded systems - anything that exposes a Bash-based interface to public gaze.

The US National Institute of Standards and Technology has rated Shellshock 10 out of 10 for severity but low for complexity, meaning it could be easily abused by hackers.

It was acceptable in the 80s
Bash (Bourne Again SHell) is a UNIX-like command-line interpreter created way back in 1980 as part of the open source GNU Project to enable access to an operating system’s services through typewritten commands.

On 12 September, UK-based open source enthusiast Stéphane Chazelas discovered a critical flaw in Bash which had been undetected since around 1992. It was officially disclosed on 24 September and christened Shellshock.

Bash runs in the background of countless modern applications and services, and its popularity has prompted fears that the aftermath of the discovery could be “worse than Heartbleed”. The so-called Heartbleed flaw was an undiscovered weakness in the open source OpenSSL secure web protocol.

Concerns over the Shellshock flaw were dismissed by the founder of the Open Source movement Richard Stallman, who told The Guardian that “any program can have a bug” and Shellshock would simply be fixed and forgotten about. He added that proprietary software was more likely to have “intentional bugs” and “malicious functionality”.

Meanwhile, security vendors including AlienVault, Zscaler and TrendMicro have reported that thousands of servers have already been compromised using Shellshock. So far the vulnerability has mainly been used for bot acquisition and Distributed Denial of Service (DDoS) attacks, but it has the potential to cause more harm than that.

“CVE-2014-6271, which is commonly being referred to as ‘Shellshock’, allows a variety of remote attacks, mainly through Linux web servers that run CGI scripts. However, popular services such as Secure Shell (SSH) and even internal network protocols that run on Unix-based systems, such as DHCP servers, may be vulnerable,” explained Rich Walchuck, director of engineering at Tenable.

“Shellshock also allows a variety of privilege escalation attacks where a non-administrator Unix user could cause commands to be run as root.”

Time to patch
The GNU Project issued a set of patches on Friday for most operating systems, fixing not just the original vulnerability (CVE-2014-6271), but three related issues as well. It was followed by scores of vendors rushing to adapt the patches for their own software.
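Applying a vendor package is only half the job; the other half is confirming that the Bash binary actually in use no longer executes commands appended to a function definition imported from the environment. The following is an added example, not code from the article or from the GNU Project: a small POSIX shell check that sets an environment variable holding a harmless function definition followed by an echo, runs Bash, and reports whether the trailing echo was executed. It assumes the Bash to test is on PATH as `bash` (or is passed as the first argument). It checks only the original flaw, CVE-2014-6271; the related issues the GNU patches also addressed need their own checks.

```shell
#!/bin/sh
# Added example (not from the article): report whether the installed Bash still
# honours function definitions imported from the environment (CVE-2014-6271).
# The variable below defines an empty function and then appends an echo; a
# patched Bash imports nothing and never runs the echo.

# shellshock_check [path-to-bash]
# Prints "vulnerable" or "patched"; returns 0 when patched, 1 when vulnerable,
# 2 when the requested Bash binary cannot be found.
shellshock_check() {
    bash_bin="${1:-bash}"   # assumption: the Bash under test is "bash" on PATH
    command -v "$bash_bin" >/dev/null 2>&1 || {
        echo "bash not found: $bash_bin"
        return 2
    }
    # Patched Bash prints a warning about the ignored definition on stderr;
    # it is irrelevant here, so stderr is discarded.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        *)            echo "patched";    return 0 ;;
    esac
}

# Example run against the default Bash on PATH.
shellshock_check
```

Run it once per Bash binary on the host (a system may carry more than one, for example under /bin and a separately built copy under /usr/local/bin), and again after every package update; a result of "patched" from one copy says nothing about the others.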

On Friday, Oracle published fixes for Oracle Linux and Solaris, but warned that around 30 of its products remain vulnerable to Shellshock, including high-end Exalogic storage systems.

Cisco had identified 31 products vulnerable to Shellshock, with another 23 under investigation. All of the confirmed vulnerabilities have had patches issued. The company has also created signatures for its intrusion prevention and detection systems so that attempts to exploit Shellshock can be blocked.
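Detection signatures of the kind Cisco describes rely on one property of the flaw: Bash only imports a function from the environment when the variable's value begins with the literal opener `() {`, so any request that tries to reach a CGI script this way must carry that string in a client-controlled header. The following is an added example, not Cisco's signature and not code from the article: a shell function that scans web-server access-log lines for that opener and lists the source addresses involved. The log lines are constructed for the example, with harmless `/bin/true` commands, and the Apache combined-log layout (source address in the first field, referer and user-agent quoted at the end) is an assumption.

```shell
#!/bin/sh
# Added example (not from the article): flag access-log lines whose
# client-supplied fields carry the Bash function-definition opener "() {".
# A Bash function can only be imported from the environment when the value
# starts with exactly this opener, which makes it a cheap, high-signal match.

# Constructed sample access-log lines (not real traffic); combined-log layout
# is assumed: client address first, referer and user-agent quoted at the end.
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/true"
198.51.100.7 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [25/Sep/2014:10:02:11 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "() { ignored;}; /bin/true" "curl/7.30"
192.0.2.10 - - [25/Sep/2014:10:03:00 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 100 "-" "Wget/1.15"'

# find_shellshock_attempts [logfile...]
# Prints every line containing the opener; reads stdin when no file is given.
# Fixed-string matching (-F) avoids regex surprises with the parentheses.
find_shellshock_attempts() {
    grep -F '() {' "$@"
}

# count_shellshock_attempts [logfile...]
# Prints the number of matching lines.
count_shellshock_attempts() {
    find_shellshock_attempts "$@" | wc -l | tr -d ' '
}

# shellshock_sources [logfile...]
# Prints the distinct client addresses behind matching lines, one per line.
shellshock_sources() {
    find_shellshock_attempts "$@" | awk '{ print $1 }' | sort -u
}

# Example run over the constructed sample, fed through stdin.
printf '%s\n' "$SAMPLE_LOG" | find_shellshock_attempts
printf '%s\n' "$SAMPLE_LOG" | shellshock_sources
```

A hit only shows that someone tried; whether the CGI script behind the request ran under a vulnerable Bash has to be settled separately, by checking the binary on that host. Because the opener is a fixed string, the same match works on proxy, load-balancer and IDS logs that record request headers, which is where the embedded and appliance cases the article mentions are most likely to be seen.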

Red Hat has released patched versions of Bash for RHEL, CentOS and Fedora, and apologized for the delay. “When a second issue with Bash was found a few minutes after the first one went public, we knew there was something wrong,” wrote Huzaifa Sidhpurwala, security engineer at Red Hat.

“We could have followed a duct-tape approach and issued patches to our customers quickly or we could have done this correctly. Applying multiple security updates is extremely difficult!”

Apple said that the vast majority of OS X users are protected from the effects of Shellshock by the operating system itself, but promised to issue a patch for “advanced Unix users” who might have changed the system’s settings.

“It will take a long time for all of the implications of the Shellshock vulnerability to come to light. The most obvious vulnerable systems will be patched over the next few days, but there will be corner cases, particularly where Linux is used in appliances and embedded devices, where the vulnerability will linger on for a long time,” said Tom Cross, director of security research at Lancope.

“This is similar to what we've experienced with Heartbleed, where months later we're still hearing about things like VPN concentrators getting compromised in the wild, and researchers are still discovering things that can be done with it. Shellshock is particularly concerning in the context of Industrial Control Systems and SCADA, where there may be many vulnerable devices that are difficult to upgrade.”

“Earlier this year, a sophisticated waterhole attack targeted users of a variety of industrial control systems and industrial cameras. Those attackers now have an entirely new attack vector to explore.”