Attackers have begun using a serious vulnerability in Bash, the popular command-line software for Linux, to spread malware to vulnerable Web servers worldwide, according to early reports.
The attacks come less than 24 hours after software firms first reported the vulnerability, which some security firms have promoted as “Shellshock” but has been assigned CVE-2014-6271. The flaw in the Bash shell program allows an attacker to execute code on remote systems by passing specially crafted versions of arguments, known as environment variables, to programs on the targeted computers, such as Web servers using Common Gateway Interface (CGI), a popular way of creating dynamic Web content.
The exploit for the vulnerability is very simple, which could lead to a massive automated attack, frequently referred to as a “worm,” according to Robert Graham, owner and principal consultant for Errata Security, a consultancy. Graham did an initial scan of the Internet and quickly found 3,000 vulnerable systems.
“If you have an Internet-facing Linux server, you need to get it patched now,” he told eWEEK. “Typically, [large] companies have a budget for four or five emergency patches every year. One of those was Heartbleed, and this should be another.”
Most security researchers are warning that the flaw is trivial to attack. Yet, others are cautioning that it is still not known how many Linux servers have the combination of security failings that allows exploitation. A server has to have some channel that takes untrusted data and passes it to the Bash shell, and that channel has to be accessible through the Internet.
“We know this bad code is everywhere, but that is not enough,” Dan Kaminsky, chief scientist at White Ops, an anti-fraud firm, told eWEEK. “In order to be vulnerable, it actually has to be exposed.”
Currently, information about attacks using the flaw is scarce, except that attacks have been detected against Web servers. “There are limited reports of the vulnerability being used by attackers in the wild,” Symantec stated in its analysis. “Proof-of-concept scripts have already been developed by security researchers. In addition to this, a module has been created for the Metasploit Framework, which is used for penetration testing.”
A partial fix is available from many vendors. While it does not solve the issue, it does make it more difficult to exploit, according to the SANS Institute’s Internet Storm Center.
Some security experts have recommended that companies take the extraordinary measure of disabling CGI scripting functionality on any Web servers. Whether that path is right for a company depends on its threat assessment, says Troy Hunt, a security consultant who wrote up a long analysis of the Bash bug. Businesses are going to have tough decisions to make, he said.
“In many cases though, that’s going to be a seriously breaking change and, at the very least, one that [is] going to require some extensive testing to ensure it doesn’t cause immediate problems [for] the website, which in many cases it will,” Hunt said in his analysis.
Other attack vectors will likely be discovered as well. While OpenSSH appears to also be a method by which the vulnerability can be triggered, other possibilities include Telnet and even DHCP, according to Hunt.
“The scope increases dramatically, so by no means are we just talking about exploiting web app servers here,” he said, adding, “At such an early stage of the public disclosure, we’ll inevitably see other attack vectors emerge yet.”