Bigger than Heartbleed? Shellshock Bug Puts UNIX Systems at Risk

Arraya Insights | September 30, 2014

Is it time for Heartbleed to step aside? There’s a new bug in town and it’s monopolized the tech world’s focus as of late. But is it all it’s cracked up to be?

Shellshock has been making headlines, some of which have touted it as being bigger and badder than the Heartbleed flaw that came to light this past spring. Plenty of companies are still working to defend themselves against Heartbleed, so this news isn’t exactly music to IT’s ears.

The Shellshock bug is a vulnerability in Bash, the command shell used by default in many Linux and UNIX operating systems as well as Apple’s Mac OS X. Bash imports function definitions from environment variables, and affected versions also execute any commands that follow the function body. So if an attacker can control the contents of an environment variable that gets handed to Bash, as a web server running CGI scripts does with HTTP request headers, Bash will run the attacker’s commands, giving them the ability to install malware, access sensitive information, etc.

Shellshock presents a dangerous mix: a severe problem that is also easy to exploit, according to the National Vulnerability Database, which has given the vulnerability a 10 out of 10 in both exploitability and impact.

There’s also some indication that the Shellshock bug has existed for years, potentially even decades. That kind of longevity means vulnerable versions of Bash are present on an enormous installed base, which makes it unlikely that security pros will be able to track down and patch every single exposed system.

Believe the hype?

Even though the problem has a fairly wide scope and an impressive lifespan, things might not be as dire as first thought. For one thing, just running Bash doesn’t automatically make you vulnerable. An attacker needs a way to get their data into an environment variable on the target and then have Bash invoked, so a specific set of factors has to be in place: typically a network-facing service, such as a web server running CGI scripts, that passes untrusted input into the environment.

And hackers may need to take a slightly different course of action to access vulnerable code depending on the device they’re attempting to take over. So even though the bug may be easy to exploit on a one-off basis, exploiting it on a widespread scale might not be such a walk in the park.

Meanwhile, Apple has said the vast majority of people using its software should be in the clear. Only users who’ve configured their machines for advanced UNIX services could be vulnerable, and Apple recently released a patch for those users.

Keeping your systems secure

Other vendors have released updates as well, though the initial patch turned out to be incomplete and follow-up fixes have been issued, so there is some question as to whether every system is fully covered. Still, for IT pros whose systems might be exposed, the best defense right now is to make sure your company’s machines are running the latest patched version of Bash available from their vendor.

It’s a good idea to begin inventorying your systems that run Linux or UNIX to see which ones have Bash installed and therefore could be at risk, and in particular which of those expose a service that passes outside input into the environment. Be sure to keep your eyes peeled for embedded systems and appliances running Bash, such as load balancers, which can fly under the radar and often depend on the vendor for a fix.
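As an added example (not code from the Arraya article or from BTB Security), here is a POSIX shell script that runs the widely published probe for the original Shellshock flaw (CVE-2014-6271) against a given Bash binary and reports the host name, Bash version and result on one line, so it can be run on each host in the inventory described above. The function names and the "vulnerable"/"patched"/"bash-not-found" status words are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the Arraya article: check one Bash binary for
# the original Shellshock flaw (CVE-2014-6271) and report its version.
#
# Bash imports any environment variable whose value begins with "() {" as a
# function definition.  Vulnerable versions also execute whatever follows the
# closing brace, so the trailing "echo vulnerable" in the probe below runs.
# Patched versions refuse the import with a warning and never run it.

# Classify the combined stdout/stderr of the probe.
# Prints "vulnerable" if the injected command ran, "patched" otherwise.
classify_output() {
    case "$1" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Run the probe against the Bash binary named in $1 (default: bash on PATH).
# Prints "vulnerable", "patched", or "bash-not-found"; always exits 0 so it
# can be used inside command substitution under "set -e".
check_shellshock() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo bash-not-found
        return 0
    fi
    # The variable name "x" is arbitrary; only its "() {" prefix matters.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo probe-ran' 2>&1 || true)
    classify_output "$out"
}

# One inventory line for this host: hostname, Bash version, probe result.
report_host() {
    bash_bin="${1:-bash}"
    status=$(check_shellshock "$bash_bin")
    if [ "$status" = bash-not-found ]; then
        printf '%s: no bash at %s\n' "$(uname -n)" "$bash_bin"
    else
        ver=$("$bash_bin" -c 'printf %s "$BASH_VERSION"')
        printf '%s: bash %s: %s\n' "$(uname -n)" "$ver" "$status"
    fi
}

# Usage: ./shellshock-check.sh [/path/to/bash]
report_host "$@"
```

Point it at a non-default Bash (for instance one bundled inside an appliance image) by passing its path, and treat anything other than "patched" as work to do. The probe only covers the original flaw; the variants fixed in later patches need their own checks, which is why the version is reported alongside the result for comparison against your vendor's advisory.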

There’s also another weak spot that needs to be addressed: end users. Whenever a story like this breaks, it tends to bring a wave of phishing attempts as attackers try to exploit people’s fears and bait them into clicking on malicious links. So it couldn’t hurt to remind everyone of the usual security best practices, so that IT teams don’t end up with a whole new problem to worry about.

Arraya Solutions partners with leading security firm BTB Security. In response to Shellshock, they’ve offered to perform remote scans to identify vulnerable systems and services at no cost. This can give IT teams some assurance they aren’t missing any critical exposures.

To take advantage of this offer, reach out to your Arraya Account Manager today or email us here.