A new bug, dubbed "Shellshock," came to light last week. According to the U.S. Department of Homeland Security, "[t]his vulnerability is classified by industry standards as 'High' impact with CVSS Impact Subscore 10 and 'Low' on complexity, which means it takes little skill to perform." In other words, it is easy to use, yet capable of devastating impact.

Originally assigned the designation CVE-2014-6271, and later also CVE-2014-7169, the critical vulnerability potentially enables remote takeover of any Linux, Unix, or Mac OS X system, meaning that it may be exploited from outside company networks by remote actors. This vulnerability is problematic for two primary reasons: (i) the vulnerability itself is easy to use, and (ii) susceptible operating systems are widespread. In practical terms, Shellshock may affect more than half a million machines worldwide.

A hacker who takes advantage of Shellshock could download and install malware; delete, modify, or steal information; obtain administrative access; and disable systems. Researchers are suggesting that Shellshock is "wormable," meaning that a hacker could load a self-replicating worm onto a few systems that can replicate across the internet. Such worms could be used as a payload delivery mechanism for installing malware and remote access capabilities onto corporate web servers, enabling the hacker's subsequent and unhindered access to corporate data.

Shellshock may affect network equipment and embedded devices such as routers, firewalls, and wireless access points. It also affects versions of vulnerable operating systems dating back at least 25 years. "Legacy" computer systems, which are often left unpatched out of fear of disrupting them, therefore may be particularly vulnerable. Shellshock also affects everyday consumer devices like home wireless routers, cell phones, and "internet-of-things" devices that may not receive update patches with sufficient frequency, if ever. And in some devices, the vulnerable software is embedded in a manner that renders the software incapable of receiving patches to eliminate the vulnerability.

What to Do?

Companies can take certain technical steps to mitigate any related harm and potential liabilities. A patch has been released for many versions of Linux systems that addresses the vulnerability, and additional patches should be released in the coming days. The Linux patch is not perfect, but it does make exploiting the vulnerability more difficult. Alvarez & Marsal Global Forensic and Dispute Services, LLC, a leading global professional services firm, recommends the following:

  • Companies should apply the Linux patch (or patches for other systems affected by this vulnerability) immediately and give priority to servers that are internet-facing and that accept input from remote users.
  • For many companies, Shellshock will affect systems and network equipment provided by third parties. Contact the vendors of those systems and network equipment to determine whether or not the vulnerability affects such systems and network equipment.
  • Many vulnerability and web application scanning vendors have released signatures to scan for and detect Shellshock on systems. Conduct in-depth scanning using such signatures in order to determine your level of risk exposure. Where the vulnerability exists and no patch is available, disable the affected service on the vulnerable system.
  • Malicious actors are scanning for and exploiting Shellshock over the internet. Intrusion detection system ("IDS") vendors have released signatures to detect and even block exploitation attempts. Update your IDS signatures immediately in order to detect and respond to exploitation attempts.
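As an added example that is not part of the original article or of Alvarez & Marsal's guidance, the script below performs the two checks the bullets above ask for on a single host: whether the installed bash is still affected by CVE-2014-6271 and CVE-2014-7169 (the published self-tests from the vendor advisories), and whether web-server access logs contain the "() {" function-definition marker that IDS and scanner signatures key on. The log lines are constructed for the example, and the function names are the author's own.

```sh
#!/bin/sh
# Added example: local Shellshock exposure check (patch status + log review).

# CVE-2014-6271: a vulnerable bash runs code appended to a function
# definition it imports from the environment. Prints "vulnerable" or "patched".
# The variable name "x" is arbitrary; only the "() {" prefix matters.
check_cve_2014_6271() {
    out=$(env x='() { :;}; echo VULN' bash -c 'echo test' 2>/dev/null) || true
    case "$out" in
        *VULN*) echo vulnerable ;;
        *)      echo patched ;;
    esac
}

# CVE-2014-7169 (the incomplete first fix): a vulnerable bash mis-parses the
# definition and creates a file named "echo" in the working directory.
# Runs in a throwaway temp directory so nothing is left behind.
check_cve_2014_7169() {
    dir=$(mktemp -d) || return 1
    ( cd "$dir" && env X='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -e "$dir/echo" ]; then echo vulnerable; else echo patched; fi
    rm -rf "$dir"
}

# Constructed access-log lines (not real traffic). Exploitation over CGI
# places a bash function definition, "() {", in an HTTP header such as
# User-Agent, which is the string scanner and IDS signatures look for.
SAMPLE_LOG='10.0.0.5 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.9 - - [25/Sep/2014:10:01:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
10.0.0.12 - - [25/Sep/2014:10:02:15 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/7.37.0"'

# Prints the number of log lines carrying the function-definition marker.
# bash only imported strings beginning exactly with "() {", so a fixed-string
# match on that prefix is sufficient; on a real host pipe the log file in.
count_shellshock_requests() {
    printf '%s\n' "$SAMPLE_LOG" | grep -cF '() {'
}

echo "CVE-2014-6271: $(check_cve_2014_6271)"
echo "CVE-2014-7169: $(check_cve_2014_7169)"
echo "suspicious requests in sample log: $(count_shellshock_requests)"
```

On a patched host both checks print "patched"; a "vulnerable" result on an internet-facing server is the case the first bullet tells you to prioritise.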

Additionally, for companies that outsource the hosting or operation of applications, IT assets or company data, we advise that they confirm, in writing, with their service providers: (i) that assets vulnerable to Shellshock have been identified; (ii) that patches are being put in place in a timely manner; and (iii) that other reasonable measures and controls, such as the IDS scanning discussed above, are being followed and implemented to detect unusual network activity or attacks.

Like the Backoff malware and Heartbleed bug before it, Shellshock is another in a series of events that brings increased scrutiny to corporate privacy and data security practices. In addition to the recommendations outlined above, companies should reassess enterprise-wide privacy and data security policies and procedures to ensure that data are adequately protected and that privacy and data security compliance obligations are met. Any such review should be directed and supervised by legal counsel to ensure appropriate consideration of all applicable legal obligations.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.