
Shellshock bug is another blow to open source

September 29, 2014

Linux mascot Tux is suffering from PTSD (Penguin Traumatic Stress Disorder).

The latest major operating system bug to be found this year again strikes at the heart of open source software.

Malicious hackers will likely use this bug to target not people’s personal computers but rather things like routers and web servers, in order to launch ever-larger distributed denial of service (DDoS) attacks against targets on the Internet, such as yesterday’s (September 28) DDoS attack against the new social media service Ello.

The so-called Shellshock bug was first announced September 24 by Red Hat as CVE-2014-6271, a Bash code injection vulnerability.

This is a serious code flaw in a 25-year-old text-only command interpreter called the Bash shell that is still commonly used by the UNIX-like operating systems Linux and BSD. It allows unauthorized commands to be executed remotely.

The most important thing to say about the Shellshock bug is that it is a problem for web sites and servers on the Internet and not for desktop computers or (for the most part) tablets or mobile phones.

Shellshock allows hackers to move the goalposts

At login the Bash shell looks to stored information, called environment variables, to determine (among other things) where the home directory is, where the incoming and outgoing mail goes and where applications and user settings should be kept.

The code flaw allows the Bash shell to accept and run all sorts of commands smuggled in as the values of environment variables: when a variable’s value looks like a function definition, a vulnerable Bash also executes whatever command has been appended after it.
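As an added example (not code from the original post), here is a local self-check in POSIX shell for the behaviour described above. It exports a variable whose value looks like a function definition followed by one extra command, starts a bash that itself does nothing, and reports whether the extra command ran. The probe pattern is the one published with the advisory; the function name, variable name and marker string are my own choices.

```shell
#!/bin/sh
# Added example: local Shellshock (CVE-2014-6271) self-check, not from the post.
# A vulnerable bash imports any environment variable whose value starts with
# "() {" as a function definition and then keeps on parsing, so a command
# appended after the closing brace is executed the moment bash starts.
# The probe below appends only an echo of a marker string.

shellshock_check() {
    bash_bin="${1:-bash}"           # which bash to test; defaults to the one on PATH
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no bash binary found"
        return 2
    fi
    # "probe" is an arbitrary variable name; bash -c 'true' does nothing itself,
    # so any marker on stdout must have come from the environment import.
    out=$(env probe='() { :;}; echo SHELLSHOCK_MARKER' "$bash_bin" -c 'true' 2>/dev/null)
    version=$("$bash_bin" --version 2>/dev/null | head -n 1)
    case "$out" in
        *SHELLSHOCK_MARKER*)
            echo "VULNERABLE: $version"
            return 1
            ;;
        *)
            echo "not vulnerable: $version"
            return 0
            ;;
    esac
}

# Usage: ./shellshock-check.sh [path-to-bash]
# Exit code 0 = patched, 1 = vulnerable, 2 = bash not installed.
shellshock_check "$@"
```

Run it once per bash binary on the machine (distributions sometimes ship more than one, and embedded firmware may carry its own copy), since only the bash actually reached by CGI handlers, cron jobs or SSH forced commands matters.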

An easy fix where it’s easy to fix

Linux and BSD distributions have rushed to patch any Bash vulnerability they have. Despite switching to a newer shell in 2006, both Debian Linux and Ubuntu have had to release multiple patches for what they call CVE-2014-6271.

Apple says OS X isn’t vulnerable to Shellshock. Though the OS X operating system is built on top of BSD and includes Bash along with other UNIX services, Apple says Bash isn’t active by default. And any users knowledgeable enough to have turned it on are likewise knowledgeable enough to turn it off until Apple releases a patch. Or these sorts of geeky users could go ahead and patch it themselves.

Experts have been quick to say that neither Apple’s iOS nor Google’s Linux-based Android operating system is at risk from Shellshock because neither runs the Bash shell out of the box. However, jailbroken and rooted devices do appear to be at risk.

The security company Fortinet, among others, has found that the process of jailbreaking iOS and rooting Android devices, in either case, led to the installation of the Bash shell package. And the company’s tests showed that the phones were then susceptible to the injection of false variables.

I would’ve expected that Cydia and Cyanogen, the main packages used by people to take control of their mobile iOS and Android devices, would have issued patches by now but I can’t find them.

The point is the Shellshock bug can be patched — but only on devices that can be patched.

The Internet of (unsafe) things

The real risks posed by the flaw are expected to come from routers and other Internet-enabled “appliances” — the so-called Internet of Things.

The Internet of Things is a buzzword fuzzy with overuse but I mean it to refer to devices that purposely connect to the Internet but that people can’t directly use to surf the web; devices like printers and cameras and routers and radios and home environmental controls and maybe hydro meters.

The growing list of such devices share certain qualities:

  • The last thing any of these devices looks like is a computer.
  • They’re almost always “headless”, meaning there is no standalone access to their operating system.
  • Their operating systems are virtually always a version of Linux.
  • The operating systems are usually embedded and often unmodifiable.
  • They very often have little or no built-in security.

We’re talking about devices that often were designed to run with no human interaction and were never meant to be updated. Perhaps their firmware can be re-flashed, perhaps not.

In addition to millions of devices like routers, there are the huge number of potentially vulnerable Internet computer servers which run a UNIX-flavour operating system. Many of these servers are running very old ‘NIX operating systems that are poorly maintained to boot.

The monkeys have a new stick

The proof-of-concept revealing the bug appeared on Wednesday, September 24 and by the next day hackers were already exploiting it.

Wired magazine detailed on September 25 how hackers were already exploiting the Shellshock bug, using HTTP requests to take control of vulnerable web servers in order to use them as weapons in a large distributed denial of service attack. The same day Reuters reported that a worm had begun infecting computers by exploiting the Shellshock bug.

Whether these were reports of the same attack or two different ones isn’t clear.
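The HTTP attacks described above work by placing the same “() {” prefix in a request header that a CGI script hands to Bash through the environment, which means the attempts leave a distinctive trace in the web server’s access log. As an added example (my code, not from the article or any vendor), here is a POSIX shell snippet that scans a log in Apache/nginx combined format for that prefix and lists the source addresses; the four log lines are constructed for illustration and the function names are my own.

```shell
#!/bin/sh
# Added example: spotting Shellshock probes in a web access log. Not from the
# original post; the log lines below are constructed for illustration.
# Over HTTP the attacker places "() {" in a header such as User-Agent or
# Referer, which a CGI handler copies into the environment of the script it
# runs. That prefix has no legitimate reason to appear in a header, so it
# makes a cheap, high-confidence signature.

# Four constructed lines in Apache/nginx "combined" format (documentation
# addresses from RFC 5737). Two carry the prefix, both from the same source.
SAMPLE_LOG='203.0.113.10 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
198.51.100.22 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.10 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { ignored; }; echo probe" "curl/7.30.0"
198.51.100.23 - - [25/Sep/2014:10:02:11 +0000] "POST /login HTTP/1.1" 302 0 "https://example.test/" "Mozilla/5.0 (Macintosh)"'

# Print every log line containing a bash function-definition prefix.
# The regex allows optional whitespace between "()" and "{" so the
# "(){" variant is caught as well.
shellshock_hits() {
    grep -E '\(\)[[:space:]]*\{' "$1"
}

# Number of matching lines (0 when the log is clean).
shellshock_hit_count() {
    shellshock_hits "$1" | awk 'END { print NR }'
}

# Distinct source addresses that sent such requests, one per line, for
# alerting or for feeding a block list.
shellshock_sources() {
    shellshock_hits "$1" | awk '{ print $1 }' | sort -u
}

# Write the sample to a temporary file and run the checks against it.
LOG=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$LOG"
echo "suspicious requests: $(shellshock_hit_count "$LOG")"
echo "sources:"
shellshock_sources "$LOG"
```

On a real server, point the functions at the live access log instead of the temporary file; a hit is worth treating as an alert even when the server turns out to be patched, because it shows the host is being scanned.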

Clearly though, this is another tool in the malicious hacker’s toolbox — a very easy-to-use-tool — which is going to be around for a long time. And there’s not much we can do about it.

Please don’t bring your teachers any more Apples!

This has been quite a year for computer bugs. Some have been garden-variety and some have been the digital equivalent of the nasty kinds you find in hospitals.

It was nice to get a bit of a summer break, but the Shellshock bug means that the security experts and bad hackers are back to continue teaching us just how fundamentally unsafe the Internet has become.
