Sunday, September 28, 2014

A Shell of a Bash: Shellshock in Lay Terms

A few days ago, researchers revealed a software vulnerability that quickly became known as "shellshock." It's a bug - an error in the software code - in a core piece of many Unix operating system flavors, and it can be used by an attacker to gain control of Unix computers. You don't use Unix, you say? I'll bet you do: a great many Internet-connected devices run on Unix because it can run on a minimal computer.

For those of us that make a living in the security field, it has been a pretty exciting week. Bash (the vulnerable shell program) is everywhere. Not everywhere everywhere, but it turns up in many unexpected places. Think robotic toys, DVRs, wireless routers, smart televisions, enterprise web servers, cloud storage servers, printers, network equipment, the list goes on.

The nature of the bug is such that it can be used to craft a "worm." In other words, it can be used to take control of one computer, which can in turn find and take control of additional computers. Think back to the Code Red worm of 2001 - in a matter of hours it compromised millions of Windows servers and desktop PCs around the world, bringing the Internet to its figurative knees. Shellshock has the potential to be used similarly.

See my earlier post for more on the technical details of this vulnerability.
However, it's not the end of the world. Unlike Code Red, the shellshock vulnerability does not affect Windows computers. That's small consolation since Unix is far more common in embedded Internet devices such as phones, TVs, toys, video players, DVRs, routers, and such. More to the point though, shellshock in most cases cannot be exploited simply by searching for a vulnerable neighbor. Exploiting this bug means an attacker (or an attacking worm) has to either know a specific vulnerable file to attack, or has to try a huge number of possibilities.

Large enterprises have been scrambling since Wednesday to understand what this vulnerability means, where they are exposed, and how to minimize the risk. For businesses, this truly is a serious problem, and will prove to be a very costly problem in terms of IT time spent. Large businesses run many types of computers and network equipment that are vulnerable. For most home users though, it's probably not what the media is making it out to be. When Code Red attacked Windows computers, the damage was significant. If your primary computer is compromised, it hurts: we rely on our computers for everything. Frequently, an infected computer cannot be reliably "cleaned" without completely reinstalling the software. If your Blu-Ray player is compromised though, so what? Unplug it, plug it back in, and chances are the malware is gone.

That's not to say nothing bad can come of this. Any compromised device can be used as a "pivot" point, an entrance into the home from which to launch further attacks. Network-manageable devices could certainly be abused or even destroyed (similar to how the Stuxnet worm destroyed network-managed centrifuges used in Iranian nuclear operations a few years ago). As an avenue for a determined adversary attacking a targeted victim, the bash shell vulnerability is a pretty useful tool - but most of us don't face such adversaries. In the grand scheme of things, the likelihood of bad things occurring in your home as a result of this vulnerability is relatively low compared to the media attention, and compared to the very real threat to enterprise web servers.

There are a couple of situations though that warrant extra attention.

1. Devices connected directly to the Internet are at greatest risk. That means your router or wireless access point is the first target. Make sure it is secured - and specifically, make sure it does not allow management access from the Internet (often labeled the "WAN Port"). Once that is done, check with your router manufacturer to find out if your model is at risk. If it is, follow the manufacturer's recommendations (which alas may take some time to appear ... manufacturer's product security teams need time to figure out what is affected and how to fix it).


2. Devices that can travel outside your home network are next in line in terms of risk. Several DHCP clients are known to be vulnerable, and could be compromised by a malicious DHCP server. This could occur in a hotel, or coffee shop, or McDonald's - anywhere an attacker could set up a fake wireless access hotspot. This specifically affects Unix (including Linux, and under certain scenarios, Mac OS X). If your computing device runs Linux, chances are you are something of a "techno-geek" and already take extra precautions. Nonetheless, check for kernel updates specific to your Unix variation.

3. Networked file storage devices (sometimes known as "NAS," or Network Attached Storage") almost certainly run on Unix. I'm not talking about external USB drives - they don't have their own operating system but rather piggy-back on the computer they are connected to. But of your hard drive stands on its own, with only an Ethernet connection (such as the
Seagate GoFlex Home drive I wrote about in a previous project), it may very well be at risk. I would not worry so much about sensitive data being stolen: if someone gets into your network and has access to the drive, they can steal data even without this bug. However, through this bug it may be possible to delete valuable data (say, irreplaceable photos. You do have backups, right?). If you have such a device, check with the manufacturer to find out if it is at risk, and their recommendations for protecting yourself. October 2 update: ...and right on cue, evidence that malicious hackers are specifically targeting NAS devices.

4. Networked video cameras and audio systems (for instance, baby monitors or "nanny cams") are a particular area of concern for the privacy-minded. In the last year there have been a couple of news stories about home monitoring cameras being compromised such that a virtual peeping tom could watch the goings on within a home. Since most such devices run Unix, it is quite likely many are vulnerable to this bug. Again, check with the manufacturer to find out if it is at risk, and their recommendations for protecting yourself.

5. Thus far - and I emphasize thus far, Apple iOS (iPhones, iPads, iPods) has not proven at risk. iOS is based on Linux, but so far I have not heard of (nor been able myself to create) a successful attack against a stock iOS device. That said, keep an eye on the news (including this blog) and pay attention to anything Apple says publicly.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen

Whois David?

My photo

I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.