A new bug, dubbed "Shellshock," came to light last
week. According to the U.S. Department of Homeland Security,
"[t]his vulnerability is classified by industry standards as
'High' impact with CVSS Impact Subscore 10 and
'Low' on complexity, which means it takes little skill to
perform." In other words, it is easy to use, yet capable of
devastating impact.
Originally assigned designation CVE-2014-6271, and then later
CVE-2014-7169, the critical vulnerability potentially enables
remote takeover of any Linux, Unix, or Mac OS X system, meaning
that the vulnerability may be exploited from outside company
networks by remote actors. This vulnerability is problematic for
two primary reasons: (i) the vulnerability itself is easy to use,
and (ii) susceptible operating systems are widespread. In practical
terms, Shellshock may affect more than half a million machines
worldwide.
A hacker who takes advantage of Shellshock could download and
install malware; delete, modify, or steal information; obtain
administrative access; and disable systems. Researchers are
suggesting that Shellshock is "wormable," meaning that a
hacker could load a self-replicating worm onto a few systems, from
which it could spread across the internet. Such worms could serve
as a payload delivery mechanism for installing malware and remote
access capabilities onto corporate web servers, enabling the
hacker's subsequent and unhindered access to corporate data.
Shellshock may affect network equipment and embedded devices such
as routers, firewalls, and wireless access points. It also affects
versions of vulnerable operating systems dating back at least 25
years. "Legacy" computer systems, which are often rarely
updated out of fear of harming the system, therefore may be
particularly vulnerable. Shellshock also affects everyday consumer
devices like home wireless routers, cell phones, and
"internet-of-things" devices that may not receive update
patches with sufficient frequency, if ever. And in some devices,
the vulnerable software is embedded in a manner that renders the
software incapable of receiving patches to eliminate the
vulnerability.
What to Do?
Companies can take certain technical steps to mitigate any related harm and potential liabilities. A patch has been released for many versions of Linux systems that addresses the vulnerability, and additional patches should be released in the coming days. The Linux patch is not perfect, but it does make exploiting the vulnerability more difficult. Alvarez & Marsal Global Forensic and Dispute Services, LLC, a leading global professional services firm, recommends the following:
- Companies should apply the Linux patch (or patches for other systems affected by this vulnerability) immediately and give priority to servers that are internet-facing and that accept input from remote users.
- For many companies, Shellshock will affect systems and network equipment provided by third parties. Contact the vendors of those systems and network equipment to determine whether or not the vulnerability affects such systems and network equipment.
- Many vulnerability and web application scanning vendors have released signatures to scan for and detect Shellshock on systems. Conduct in-depth scanning using such signatures in order to determine your level of risk exposure. Where the vulnerability exists and no patch is available, disable the affected service on the vulnerable system.
- Malicious actors are scanning for and exploiting Shellshock over the internet. Intrusion detection system ("IDS") vendors have released signatures to detect and even block exploitation attempts. Update your IDS signatures immediately in order to detect and respond to exploitation attempts.
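The IDS and scanning recommendations above rely on recognising the one shape every Shellshock exploitation attempt must carry: an empty shell function definition ("() {") placed in an HTTP field that a CGI web server copies into an environment variable. The following is an added example written for this article; it is not code from the article's authors or from Alvarez & Marsal. It assumes web server access logs in the common Apache/nginx "combined" format and runs a signature equivalent to the one public IDS rules use over a handful of constructed log lines, flagging which source address sent the attempt and which request field carried it. It is a detection aid for incident responders reviewing logs after the fact, not a substitute for patching.

```python
import re
from typing import Dict, List, Optional

# Apache/nginx "combined" access-log format (assumption: logs use this layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Signature for the Shellshock function-definition prefix: "()" followed by
# optional whitespace and "{", in raw form or URL-encoded as it appears in a
# request path. This is the same shape public IDS signatures key on.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{|%28%29(?:%20|\s)*%7B', re.IGNORECASE)

# Fields an attacker controls that a CGI server exports into the environment.
TAINTED_FIELDS = ("request", "referer", "ua")

# Constructed sample log lines (RFC 5737 documentation addresses, placeholder
# probe text instead of any real command).
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Sep/2014:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [25/Sep/2014:10:02:45 +0000] "GET /cgi-bin/status HTTP/1.1" 200 87 "-" "() { :;}; CONSTRUCTED_PROBE"',
    '198.51.100.23 - - [25/Sep/2014:10:03:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 87 "() { :; }; CONSTRUCTED_PROBE" "curl/7.37"',
    '192.0.2.9 - - [25/Sep/2014:10:04:30 +0000] "GET /search?q=%28%29%20%7B%20 HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    'this line is not in combined format and is skipped',
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into named fields; None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_shellshock_attempts(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per log line whose request, referer or user-agent
    carries the Shellshock function-definition signature."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line: skip rather than crash the review
        for field in TAINTED_FIELDS:
            if SHELLSHOCK_RE.search(entry[field]):
                hits.append({
                    "ip": entry["ip"],
                    "ts": entry["ts"],
                    "field": field,
                    "value": entry[field],
                })
                break  # one record per line is enough
    return hits


def summarize_by_source(lines: List[str]) -> Dict[str, int]:
    """Count flagged requests per source address, for triage and blocking decisions."""
    counts: Dict[str, int] = {}
    for hit in find_shellshock_attempts(lines):
        counts[hit["ip"]] = counts.get(hit["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} via {hit["field"]}: {hit["value"]}')
    print(summarize_by_source(SAMPLE_LOG))
```

Run against real logs by reading them line by line into `find_shellshock_attempts`. A hit does not prove compromise: the signature fires on any request carrying the prefix, including vulnerability scans from your own tooling, so correlate flagged sources with the 200-status responses from CGI paths and with the system's patch status before escalating.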
Additionally, for companies that outsource the hosting or
operation of applications, IT assets or company data, we advise
that they confirm, in writing, with their service providers: (i)
that assets vulnerable to Shellshock have been identified; (ii)
that patches are being put in place in a timely manner; and (iii)
that other reasonable measures and controls, such as the IDS
scanning discussed above, are being followed and implemented to
detect unusual network activity or attacks.
Like the Backoff malware and Heartbleed bug before it, Shellshock
is another in a series of events that brings increased scrutiny to
corporate privacy and data security practices. In addition to the
recommendations outlined above, companies should reassess
enterprise-wide privacy and data security policies and procedures
to ensure that data are adequately protected and that privacy and
data security compliance obligations are met. Any such review
should be directed and supervised by legal counsel to ensure
appropriate consideration of all applicable legal obligations.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.