Like most security bugs, Shellshock took the internet by a storm in 2014 and compromised millions of accounts. This deadly bug originates from the Bash (Bourne Again Shell) which is the default command-line interface on all Linux, Unix, and Mac-based operating systems.
The Shellshock vulnerability was first detected some 30 years ago but was not classified as an official and public threat until September of 2014. Even with the passage of time and numerous patches, this bug still remains a threat to enterprise security.
So what is Shellshock? Are you at risk? And how do you find out if you've already been affected?
What Is the Shellshock Bug?
The function of the Bash is to translate your commands into a language that the operating system can decipher. This bug is found in Bash's parsing code during the initialization sequence and allows the Bash to execute commands on the user's behalf unintentionally, allowing a hacker to remotely control everything.
Once the hackers have access to a remote vector, they start injecting Bash commands into the system. Essentially, the attackers perform remote code execution and run malicious scripts that seem like legit commands.
Who Is Affected by the Shellshock Bug?
Bash is not an internet-facing service but the reality is that many internet services such as web servers use environment variables to communicate with the operating system of the servers.
It mainly affects Linux, BSD, and Mac OS systems but since Linux powers a vast majority of internet servers and IoT (Internet of Things) devices, it should be presumed that any internet user can fall prey to the Shellshock bug.
Is Shellshock Still a Risk?
The good news is, the Shellshock is not as precarious when it first surfaced because a myriad of patches were developed to curtail it. However, the COVID-19 pandemic has left most organizations scrambling to ensure security for their ever-expanding remote workplaces.
Cyber threats have loomed since the advent of the internet, but now more than ever employees need extra security measures in place. Not only does a remote work culture create dangerous opportunities for hackers and phishers but every home device and connection can be a potential entry point for malicious threat actors.
Since Shellshock is considered to be a very inexpensive attack, it provides potential opportunities for attackers to easily exploit their target. Even with the patches in place, any organization with outdated security measures can still be at risk.
Is There a Risk To Windows Users From Shellshock?
The prime targets of the Shellshock bug are Linux and Unix-based machines. Windows users are not directly affected.
However, cybercriminals are always finding innovative ways to exploit weaknesses against Windows users as well. Therefore, it is imperative that Windows users keep their operating systems up-to-date and patched at all times.
How To Find Out if You Are Affected by Shellshock
A part of mitigating risks is to keep track of potential vulnerabilities. Fortunately, it isquite easy to see if you are affected by Shellshock.
Since this bug is relatively old, there are a variety of vulnerability scanners available and some of them are even free, like the bashcheck which can be downloaded using Github.
For all the tech-savvy geeks out there, simply punching in the following command in your Bash prompt will reveal the truth:
env X=”() { :;} ; echo Bash is Infected” /bin/sh -c “echo completed”
env X=”() { :;} ; echo Bash is Infected” `which bash` -c “echo completed”
env VAR='() { :;}; echo Bash is Infected‘ bash -c “echo completed”
If your prompt returns a “Bash is Infected” message, it’s time to update your Bash.
Instead of “Bash is Infected,” your prompt might even display something like:
bash: warning: VAR: ignoring function definition attempt
bash: error importing function definition for `VAR’
Bash Test
If you are interested in testing the vulnerability of certain websites or CGI scripts, a tool called ShellShock’ Bash Vulnerability CVE-2014-6271 Test Tool can help. Simply enter the URL or CGI script in the input fields and click on the blue buttons.
How To Mitigate Shellshock and Other Cyberattacks
Patching your applications is the key to protecting your systems from unauthorized accesses and security attacks like Shellshock. In a nutshell, the best way to protect against this vulnerability is to keep your system up to date by applying all the patches released for this exploit ever since it was discovered.
For successful mitigation of security attacks and vulnerability management, companies and individuals should focus on three key areas:
Instant detection of potential vulnerabilities: Instant detection and remediation of vulnerabilities can keep downtimes as low as possible in the face of an attack. A solid plan of action, continuous tracking of assets, and bringing everyone on board will all result in faster detection rates.
Also, investing in Software Composition Analysis (or SCA) tools can really help in finding vulnerabilities in open source codes that are everywhere.
Know your level of vulnerability: Every security vulnerability has a severity level attached to it and depending on your network setup, some vulnerabilities can be more critical than others. Knowing where you or your company stands in terms of risk tolerance is crucial in mitigating attacks like Shellshock.
Investing in a vulnerability scanner like Netsparker is a good idea for tackling and prioritizing these attacks. This scanner also provides the severity levels for all your detected vulnerabilities.
Balancing security operations with production: Maintaining a high level of security while keeping the employees productive is a balancing act for any organization. Successful companies keep a healthy balance between the two by crafting well-defined plans that address the need for security while also ensuring that everyone stays productive.
Don't Get Shocked by Shellshock
Shellshock is a largely obsolete attack but there is always a chance that it can reprise and inject in places where proper security hygiene is not practiced.
To avoid getting bogged down by the Shellshock or any cyberattack for that matter, make sure your Bash, computers, and mobile devices are always updated and proper security patches and vendor-specific updates are in place.