[Trend Micro Media Alert] Shellshock emerges in the wild, possibly larger than Heartbleed

Just several hours after the news of Shellshock (covered under CVE-2014-7169) breaking out; it was reportedly being exploited in the wild already. Possibly even larger in scope than Heartbleed, the severity of this vulnerability is serious given that web servers are mostly affected. It also poses risks to Internet of Everything/Internet of Things devices that have Linux (and Bash) on them.  It was also reported that it affects Bitcoin/Bitcoin mining, thus attackers may possibly/potentially create armies of bots via this.

Shellshock affects a very common open source program called “bash”, a command shell commonly deployed on Linux, BSD, and Mac OS X. Bash, an acronym for Bourne Again Shell, is a command-line shell that lets users issue commands to launch programs and features within software by typing in text. It’s typically used by programmers and shouldn’t be open to the wider world, though Shellshock changes that.

This new vulnerability can allow execution of arbitrary code thus compromising the security of systems. Some of the possible scenarios that attackers can do range from changing the contents of web server and website code, to defacing the website, and even stealing user data from databases among others.

Trend Micro has spotted samples which are the payload of the actual exploit code. Detected as ELF_BASHLITE.A (also known as ELF_FLOODER.W), this malware is capable of launching distributed denial-of-service (DDoS) attacks. It also has the capability to do brute force login, enabling attackers to possibly get the list of login usernames and passwords.

Given the fact that bash environment is used in several configurations including CGI, ssh, rsh, rlogin etc., all those services can be affected by this bug. Any web servers which consume user input and absorb them into bash environment are also vulnerable. Web applications are the biggest exposure layer for this vulnerability. However, this can manifest itself via several other services as noted above.

As there is always going to be a gap between the time that a patch is made available and the time in which you can ensure that it is successfully deployed across your environment, enterprises should have an intrusion prevention system (IPS) or other network-based heuristic monitoring the network traffic to your instances. Host-level protection can look at the network traffic coming to and from any instances and look for attempted attacks, blocking them before they can be executed and effectively virtually patching the servers. In this case, the exploit is relatively simple to identify and an IPS should be able to prevent any attempted attack from ever reaching the vulnerable software.

This issue is urgent and should be addressed immediately. Fortunately, the response plan is very straight forward.

For enterprises, your next step to protect your servers should be:

Make sure that you have an IPS deployed in front of any vulnerable servers and that IPS is enabled and actively blocking exploits for CVE–2014–7169. Deep Security is available in a fully functioning trial (software or service—) that can immediately help customers.

As patches become available, be sure to deploy them as quickly as possible to ensure layered coverage (in conjunction with your IPS).

Continue to monitor the situation as it evolves.

For vulnerable desktops (such as Linux and Mac OS X):

More information on Shellshock, can be found on the Trend Micro Security Intelligence Blog.