Sep 26, 2014

Shellshock: Uber-Threat Or Hype?

Shellshock is said to be the next big threat after Heartbleed - maybe even worse. What can happen in a worst-case scenario? I will dissect the real threat behind Shellshock in this post and tell you why you shouldn't go into panic mode just yet.

Is it bad?

Is it really that bad?
I don't think so.

What Is Shellshock?

The Bourne Again Shell (Bash) bug known as Shellshock allows code injection through Bash's environment variables. Bash is a popular shell used in most Unix, Linux and Mac systems. It is used by a lot of services like SSH, VPN and DHCP, or as the interpreter behind CGI scripts. Basically, Shellshock allows arbitrary command execution if the command injection is successful.
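To make the mechanism concrete, here is an added example (my own, not code from the original post): Bash can pick up function definitions from its environment, which is a legitimate feature, and the widely circulated self-check puts a function definition in the environment with a command appended after the closing brace. A vulnerable Bash runs the appended command while starting up; a patched Bash does not. The function names and output strings are my own choices.

```shell
#!/bin/sh
# Added example (not from the post): how Bash picks up function
# definitions from its environment, and the widely published self-check
# that tells a patched Bash from a vulnerable one.

# Legitimate feature: a parent bash exports a function, and a child bash
# finds it in its environment and can call it by name. This is the
# mechanism Shellshock abuses; on its own it is harmless.
demo_function_import() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    bash -c 'greet() { echo "hello from an imported function"; }
             export -f greet
             bash -c greet'
}

# Self-check: a function definition in the environment with a command
# appended after the closing brace. A vulnerable Bash keeps parsing past
# the function body and runs the appended command as it starts; a patched
# Bash stops at the brace, so only the harmless probe from -c is printed.
shellshock_check() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# Usage: run this file, or source it and call the functions.
demo_function_import
echo "Shellshock self-check: $(shellshock_check)"
```

Run it on each machine you administer: "patched" means the appended command was ignored, "vulnerable" means your Bash needs the update.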

What Is The Impact?

There are many possible scenarios in which Shellshock could inflict harm. The RedHat blog has put them together succinctly here. In short: The impact can range from remote code execution (= hacker's I-Win-Button to take over your server if your server is vulnerable and runs CGI) to potential for more complex attacks (e.g. if a DHCP server is captured and is sending out malicious packets).

Economically speaking, this means that a lot of servers will have to be checked for CGI vulnerabilities (which should have been done in the past anyways). The Bash bug itself has to be fixed, which will require some effort of course. Remember that this is all about a window of opportunity. The longer the patching takes, the more likely it is that the vulnerability gets exploited.

Why Is It Bad?

So why is Shellshock bad news? Aren't there exploits and vulnerabilities hitting the internet at a daily rate?
Sure there are, but they are rarely so easy to exploit while having such a potentially big impact. All an attacker needs to cause the worst damage (remote code execution via CGI) is to find a machine running vulnerable CGI and a vulnerable version of Bash. Proof-of-concept code is already floating around on the internet, ready to be customized and weaponized.

Another factor making Shellshock more dangerous than other, regular vulnerabilities is its dissemination. Most servers running Apache can also be assumed to run Linux, meaning that most probably Bash is present. If you take a look at Netcraft's statistics of web servers on the internet, you'll see that half of the world's web servers are running Apache.

Patching is never good news for companies and patching is what is going to happen now.
What we also don't know is how long this vulnerability has been actively exploited before it was made public (i.e. how many people knew about the vulnerability for how long).

Other services are vulnerable as well, but the CGI vector is the most critical. The other vectors are more difficult to exploit, or less likely circumstances have to coincide for the exploit to work.

But Is It Really That Bad?

So we know that there is a huge potential attack surface for Shellshock due to the number of machines running Bash. But is it really that bad? Stepping back after all these worrying news and doing a rational analysis shows us that the real threat is still big, but several conditions have to come together to allow this exploit to happen, and there are a lot of quick wins we can get on the defensive side of things. Let's take a second look at Shellshock.

The worst-case scenario, as of today, is remote code execution triggered via a vulnerable CGI script. Newsflash: If you're exposing an unsecured CGI script, your server is probably vulnerable to some kind of attack anyways. Even if it is not a remote code execution vulnerability, it is still a dangerous threat. If a hacker is able to exploit a common CGI vulnerability, it often means underprivileged access to your server anyways. And then the privilege escalation fun begins.
CGI vulnerabilities have been around for a very long time; they were actually among the first vectors used for web attacks, since CGI was one of the first technologies allowing web developers to do more than just modify HTML and CSS. Shellshock might be a wake-up call for everyone operating CGI who hasn't paid enough attention to it in the past.

If you're following best practices for web security you'll most probably be safe anyways (at least against the CGI vector). Most web application vulnerability scanners cover CGI exploits. Yes, there are free and Open-Source scanners out there.

Furthermore, internet-wide scans are already being conducted, which should alert your IDS or at least drop an alert in your log files. You can even download the tool masscan and run your own scans (against your own servers, for example). The vulnerability is rather easy to detect. Online scanner tools are already coming up, helping a great deal to identify whether your machines are vulnerable.
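Those scans leave traces. As an added example (mine, not from the post), here is a small log check for the CGI vector: the probe arrives in an HTTP header, and Apache's combined log format records the Referer and User-Agent headers as the last two quoted fields of each line, so the start of a Bash function definition showing up there is the thing to alert on. The log lines are constructed (addresses from documentation ranges), and the function names and pattern are my own.

```shell
#!/bin/sh
# Added example (not from the post): spotting Shellshock probes against
# CGI scripts in web server logs. The probe travels in an HTTP header,
# and Apache's combined log format records the Referer and User-Agent
# headers as the last two quoted fields of each line.

# Constructed sample log lines; the addresses are documentation ranges.
SAMPLE_LOG='203.0.113.5 - - [26/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
198.51.100.7 - - [26/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [26/Sep/2014:10:02:11 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :; }; echo scan" "curl/7.30.0"
192.0.2.4 - - [26/Sep/2014:10:03:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux) fake"'

# The signature is the start of a Bash function definition, "() {",
# appearing where no legitimate client would send one. Whitespace is
# made optional so slightly mangled variants still match.
SHELLSHOCK_PATTERN='\(\)[[:space:]]*[{]'

# Print every log line carrying the signature. Returns 0 if any matched.
scan_log_for_shellshock() {
    grep -E "$SHELLSHOCK_PATTERN" "$1"
}

# Count matching lines (grep -c prints 0 and returns 1 when none match).
count_shellshock_probes() {
    grep -Ec "$SHELLSHOCK_PATTERN" "$1" || true
}

# Summarise which source addresses sent probes and which paths they hit
# (field 1 is the client address, field 7 the request path).
shellshock_probe_sources() {
    grep -E "$SHELLSHOCK_PATTERN" "$1" | awk '{print $1, $7}' | sort | uniq -c
}

# Write the sample to a temporary file so the functions can be run on it;
# point them at your real access log instead.
SHELLSHOCK_SAMPLE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$SHELLSHOCK_SAMPLE_FILE"

echo "Probes found: $(count_shellshock_probes "$SHELLSHOCK_SAMPLE_FILE")"
shellshock_probe_sources "$SHELLSHOCK_SAMPLE_FILE"
```

A hit in the log only tells you that someone tried; whether it worked depends on the Bash version behind the CGI script, which is what the self-check and your patch status answer.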

Patching is a lot less painful than it was in the Heartbleed case, for example. No certificates have to be swapped in the standard patching process. A reboot after patching might not even be necessary, depending on your system, the environment and the complexity of your setup. New shells will be fixed after the patch is applied. However, according to discussions currently going on, re-forked shells may still be vulnerable.

In conclusion Shellshock is a serious threat to everyone who is running a vulnerable CGI setup (and potentially other services as well, as time will reveal). However, there is a lot we can do to detect and fix the vulnerability quickly before the damage happens.

In short (TL;DR):
Don't panic.
Check your system.
Patch your system.
Apply security best practices.
