On Thursday, security experts discovered a bug in Bash, which has been named “Shellshock,” that could be used to compromise systems that utilize the Bash shell. The bug dates back to Version 1.13. Bourne-Again Shell, or Bash, is software that is built into nearly 70 percent of machines connected to the Internet. Bash has been widely used for the GNU operating system, as well as a default shell on Linux since 1989. It is also extensively used as the GNU shell for Mac OS X.

Simply, Bash is a text-based command processor that allows users to execute commands that result in an expected outcome or action. However, these commands may also be executed via a script file instead of from human input.

What is Shellshock?

The Shellshock exploit is exceptionally malicious because Bash is ubiquitous on *Nix environments (e.g., UNIX, Linux and Mac OS) and even some Microsoft® Windows® environments, depending on how they are implemented. Because the base attack has almost no complexity, it is easy to execute and available to anyone. It is likely that exploits that chain malicious commands will appear soon.

The Shellshock vulnerability also has the potential to persist for a long time. Heartbleed still affects many Web servers because some servers have yet to be — and perhaps never will be — patched by their administrators. Bash is so ubiquitous (much more so than Web servers using OpenSSL) that it is easy to foresee this bug affecting systems for an extended period of time.

Can Shellshock Be Patched or Corrected?

The positive takeaway is that this bug is definitely possible to mitigate. There are already sound technical resources on how to patch and protect against this threat. A vigilant enterprise is likely already in the process of patching this exploit. However, there are tens of thousands of Web servers on the Internet that do not have a vigilant, security-minded team of administrators. These groups could suffer a devastating blow from the ramifications of the Shellshock bug.

Does Shellshock Affect Hosted Entrust Services?

No, it does not. All hosted Entrust service platforms and locations are fully patched.

How Does Shellshock Affect Identity-Based Security?

While more exploits will undoubtedly be exposed, there is a potential attack against single-factor credentials that is almost trivial. It has been common practice to hard-code database usernames/passwords into Web Server CGI scripts that access a database.

Technically, these scripts should never be available to the public, so Web programmers quite often feel comfortable hard-coding usernames/passwords into them. Throughout the history of the Internet, this has been common practice — even if not necessarily the best practice.

Due to this bug, it is potentially trivial to maliciously read the contents of these script files containing important usernames/passwords used to access Web databases. An attacker might retrieve them to continue to perform database dumps, or chain together an attack necessary to exfiltrate data via protocols, such as FTP or other means.
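An added example (not from the original post or from Entrust): a defensive audit that walks a CGI directory and flags lines where a database password appears as a literal, without echoing the value. The rule set, file names and sample scripts are constructed assumptions for illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristic rules (assumptions for this example, not an exhaustive list).
RULES = {
    "literal-password-assignment": re.compile(
        r"""(?i)\w*(?:passw(?:or)?d|pwd|secret)\w*\s*(?:=>|=|:)\s*["'][^"'$]{3,}["']"""),
    "dbi-connect-literal-password": re.compile(
        r"""DBI->connect\(\s*["'][^"']*["']\s*,\s*["'][^"']*["']\s*,\s*["'][^"'$]+["']"""),
    "mysql-cli-password": re.compile(
        r"""\bmysql(?:dump)?\b.*\s(?:-p\S+|--password=\S+)"""),
    "url-embedded-credentials": re.compile(r"""\w+://[^/\s:@]+:[^/\s:@]+@"""),
}

# Constructed sample CGI scripts; every name and credential here is made up.
SAMPLES = {
    "report.cgi": '#!/usr/bin/perl\nuse DBI;\n'
                  'my $dbh = DBI->connect("dbi:mysql:shop", "webapp", "S3cret!pw");\n',
    "orders.py": '#!/usr/bin/env python\nimport os\n'
                 'DB_USER = "orders"\nDB_PASSWORD = "hunter2"\n',
    # Password supplied at run time instead of stored in the script.
    "safe.py": '#!/usr/bin/env python\nimport os\n'
               'DB_PASSWORD = os.environ["DB_PASSWORD"]\n',
    "legacy.sh": "#!/bin/bash\nmysql -u root -pTopSecret shop -e 'select 1'\n",
}

def scan_tree(root):
    """Return (relative_path, line_number, rule) findings; values are never echoed."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        text = path.read_text(errors="replace")
        # Comment lines are scanned too: a commented-out password still leaks.
        for lineno, line in enumerate(text.splitlines(), 1):
            for rule, pattern in RULES.items():
                if pattern.search(line):
                    findings.append((str(path.relative_to(root)), lineno, rule))
    return findings

def demo():
    """Write the constructed samples to a temp directory and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLES.items():
            (Path(tmp) / name).write_text(body)
        return scan_tree(tmp)

if __name__ == "__main__":
    for path, lineno, rule in demo():
        print(f"{path}:{lineno}: {rule}")
```

Any credential the audit finds should be rotated as well as moved out of the script, since it may already have been read.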

Why is the Shellshock Vulnerability So Significant?

This vulnerability has been around a very long time. It was discovered by a researcher who disclosed it, but it does not necessarily mean that others have not used it previously for malicious purposes. It only means that we now have the information necessary to patch and react. Taking down services and cordoning Web servers may be necessary in the short term.

In the longer term, the Shellshock vulnerability highlights the need to move away from single-factor credentials. We all are familiar with the daily routine of entering usernames/passwords into online resources for authenticated access, but few think about the myriad of services behind the Web page façades that we interact with every day. Most of these are accessed with single-factor credentials that will be at risk.

Important database credentials are inevitably going to be stolen in enterprises that cannot react fast enough. These stolen credentials, in turn, are going to be leveraged to steal important data, such as other lists of usernames/passwords that are often stored in Web server databases.

The large username/password list breaches in the past are only the beginning of the danger posed by this threat. Single-factor credential lists obtained through malicious means have the potential to be more common than ever.

Jason Soroko

Soroko has spent 17 years in systems architecture and development roles in diverse industries with an emphasis on security. As the threat landscape becomes more advanced, the need for Entrust to understand evolving threats requires deep and dedicated thinking in security concepts. Soroko's thought-leadership in security is rooted in connecting the threat perspective to how systems work as a whole. He frequents security conferences and publishes on important security topics.