Somehow there always seems to be another Internet security disaster around the corner. A few months ago everyone was in a panic about Heartbleed.
Now the bug, Shellshock (officially CVE-2014-6271), a far more serious vulnerability, is running uncontrolled over the Internet. It’s never a good time to panic, but if you’re discouraged I don’t blame you; I know I am.
In retrospect, the grave concern over Heartbleed seems misplaced. As information disclosure bugs go it was a really bad one, but it was only an information disclosure bug and a difficult one to exploit. The sky’s the limit on attacks with Shellshock and it’s so easy to exploit that it’s already being widely-exploited according to research firm Fireeye, which says they have already observed several forms of attack:
• Malware droppers
• Reverse shells and backdoors
• Data exfiltration
• DDoS
Of course it’s not just Fireeye; everyone is reporting widespread sightings of exploits. See Kaspersky, Trend Micro, HP Security Research and many others.
Speaking of HP, their TippingPoint unit states that their network IPS has been updated to recognize known attacks using Shellshock. A vigorously updated IPS, deployed not just at the perimeter but also at critical points within the network, may be the only effective systemic protection you have against Shellshock for now. HP is not the only IPS around of course. And remember that an IPS is more of a protection against known exploits than against the vulnerability generally.
This particular bug has been in the Bash shell for over two decades. The implications of this are really bad. First, it means that an extremely important and popular program either went unscrutinized or poorly-scrutinized. Surely there are many other such problems out there. Don’t be surprised if several of them have been used carefully and surreptitiously for targeted attacks for years. In fact, don’t be surprised if Shellshock has been used in the past.
All sorts of horrible scenarios are possible with Shellshock. It’s not just limited to web server attacks. Fireeye shows how different Internet services, even DHCP and SSH, can be exploited to perform the attack, as long as Bash is the shell, and it usually is. They demonstrate automated click fraud, stealing the host password file, several DDOS attacks using the server and several ways to establish a shell on the server without any malware running on it.
For more information and the original article follow the source link below.
Source: ZD Net