A few friends have suggested that, considering the domain on which I host my blog, I ought to share my thoughts on “shellshock” – the catchy name that has been given to the Bash shell vulnerabilities detailed in CVE-2014-6271, CVE-2014-6277, CVE-2014-7169 and friends.
First of all I should state that, as with any vulnerability, particularly one with a potential remote vector, you should ensure your systems are patched – and keep an eye out for further patches coming down the line, as the first few patches were only partial fixes, rushed out of the door.
However, reading websites like BBC News, with headlines like “‘Deadly serious’ new vulnerability found” suggesting that half a billion computers could be affected, you would think the world was about to cave in.
In short, it’s not. It’s a serious vulnerability, but to my mind at least it’s not “a bigger deal than Heartbleed”, as some researchers are saying.
Here is why:
A quick recap. The Heartbleed bug essentially rendered useless the encryption between end users and any website or VPN using OpenSSL derived encryption. This included Google, Amazon, Apple, Twitter, Facebook, Yahoo and tens of thousands of others. These are the websites which store personal data, emails, credit card numbers, payment history and other information for hundreds of millions of users. Users in WiFi hotspots around the world were at risk of compromise, as well as any GCHQ and NSA or other wiretaps that may exist.
The bash “shellshock” vulnerability has 4 main attack vectors:
- Internet server based remote attack
- Rogue DHCP server based attack
- SSH “Forced Command” environment escalation
- Local privilege escalation
Taking each in turn, I will explain them, and what the impact would be.
Internet server based remote attack: This could be a web server using a “Common Gateway Interface” (CGI) to run scripts on a website, or a mail server running a spam checker. In addition, the default shell on the server would need to be “bash”. This is not the default for Solaris, BSD systems, nor Debian or Ubuntu Linux based systems. Websites using CGI via libraries like FastCGI, or executing scripts via mod_php/mod_wsgi, are also not vulnerable, as environment variables are not passed through to the end scripts. Typical websites that would fit into this category would be web forums, and simple websites with an email submission form.
For a web server that is vulnerable, it is trivial to exploit, and there are hundreds of thousands if not millions of websites which are vulnerable. However, the vast majority of these will be low traffic websites. For example, according to Wikipedia there are only a handful of web forums which have more than a million users, of which only a few, if any, will have been vulnerable to “shellshock”. So the impact of any single website being exploited would be low to moderate.
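The two questions the paragraphs above turn on for any given host are whether its bash has been patched and whether bash is even the shell that CGI or other shell-outs will reach. The script below is an added example, not code from the original post: it runs the well-known local check for CVE-2014-6271 (a patched bash ignores a function definition supplied in an arbitrary environment variable and only runs the command given to `-c`), reports what `/bin/sh` actually resolves to, and counts web server log lines carrying the `() {` prefix that a vulnerable bash treats as a function definition. The log lines are constructed for the example; `readlink -f` is assumed to be available and falls back to the plain path where it is not.

```shell
#!/bin/sh
# Added example, not part of the original post. Defender-side checks that
# follow the post's reasoning. All sample data below is constructed.

# 1. Does this host's bash still import function definitions from arbitrary
#    environment variables (CVE-2014-6271)? A patched bash warns on stderr,
#    ignores the definition and runs only the -c command.
#    Returns 0 = patched, 1 = still vulnerable, 2 = bash not installed.
check_bash_shellshock() {
    command -v bash >/dev/null 2>&1 || return 2
    out=$(env probe='() { :;}; echo FUNCTION_IMPORTED' bash -c 'echo ran' 2>/dev/null)
    case "$out" in
        *FUNCTION_IMPORTED*) return 1 ;;
        *) return 0 ;;
    esac
}

# 2. Which shell sits behind /bin/sh? system(3) and most CGI shell-outs use
#    /bin/sh, so a host where that is dash (Debian/Ubuntu) is not reached
#    through this path even if bash is installed. Assumes readlink -f; falls
#    back to the literal path on platforms without it.
system_shell() {
    target=$(readlink -f /bin/sh 2>/dev/null || echo /bin/sh)
    basename "$target"
}

# 3. Constructed Apache combined-format log lines: two ordinary requests and
#    two whose header fields carry a bash function-definition prefix.
sample_log() {
cat <<'EOF'
203.0.113.5 - - [25/Sep/2014:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Sep/2014:10:01:15 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :;}; echo scan"
203.0.113.9 - - [25/Sep/2014:10:01:20 +0000] "POST /contact.cgi HTTP/1.1" 200 64 "() { :;}; echo scan" "curl/7.38.0"
203.0.113.5 - - [25/Sep/2014:10:01:25 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
EOF
}

# Count lines on stdin containing the "() {" marker. Any header that a CGI
# server copies into the environment (User-Agent, Referer, Cookie, ...) is a
# candidate, so the whole line is scanned with a fixed-string match.
count_shellshock_markers() {
    grep -Fc '() {'
}

# Stand-alone report.
if check_bash_shellshock; then
    echo "bash: function import from arbitrary environment variables is fixed"
else
    rc=$?
    if [ "$rc" -eq 2 ]; then
        echo "bash: not installed on this host"
    else
        echo "bash: STILL imports functions from the environment - patch now"
    fi
fi
echo "/bin/sh resolves to: $(system_shell)"
echo "log lines with a function-definition prefix: $(sample_log | count_shellshock_markers)"
```

A hit in the log scan says only that someone sent the marker; whether it did anything depends on the first two checks, which is exactly the post's point about default shells and CGI passthrough.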
Rogue DHCP server based attack: The DHCP client commonly used for automatic IP configuration on Linux based systems has proven vulnerable to shellshock. Because it shells out to configure the network, a rogue DHCP server can be used to gain remote root access to a client. An example of where this could happen is an open Wi-Fi hotspot – however, as only Linux systems which have bash as their default shell are vulnerable, only a small fraction of users would be at risk; OS X, Windows, and Debian/Ubuntu users would all be safe in this case.
It could also happen in a data centre, if shared networks were not properly segregated between customers. However, the impact of such an exploit would be limited to that network, and the source could be relatively easily traced, meaning the significance of this vector is also low.
SSH “Forced Command” environment escalation and local privilege escalation: Whilst there are differences, the net result of both of these vectors is an authorised user obtaining privileges beyond those they have been granted. These are serious, as they could result in data breaches; however, as they require a user to have access in the first place, they are not of the same severity as a vector which can be exploited remotely.
In summary: whilst the “shellshock” vulnerability provides a trivial method to exploit a vulnerable web server, the impact of any individual compromise is not high, as few websites still using CGI scripts in a vulnerable manner will have significant traffic. The other attack vectors are interesting, but do not place large parts of the internet at significant risk.
The more serious concern is the hundreds of other exploits which do not hit the spotlight in the media, as these are less likely to be patched so quickly. Examples include recent exploits in Tomcat and Apache httpd which, like “shellshock”, allow arbitrary code to be executed on remote systems, and are more likely to be in use at large websites.
I think a balance needs to be found between raising awareness of serious issues and overhyping an issue. Some of the claims made for the “shellshock” exploit definitely fall into the sensationalist, overhyped category for me.