The Bug
This week brings us another widespread, critical vulnerability that requires immediate attention. Perhaps even larger in scope than Heartbleed, Shellshock affects a very common open source program called “bash.”
Bash is a command shell commonly deployed on Linux, BSD, and Mac OS X. CVE-2014-7169 provides the details.
The tl;dr takeaway is this: the bug is widespread, has the potential to do significant damage, and requires little-to-no technical knowledge to exploit. Because LINUX powers over half the servers on the Internet, Android phones, and the majority of devices in the Internet of Things (IoT), the reach of this is very broad.
Also, because Bitcoin Core is controlled by BASH, this vulnerability can impact Bitcoin miners and other Bitcoin related systems, making them potentially a very attractive target to attackers.
We are already seeing attacks in the wild.
The Patch
Some LINUX distributions have released a patch that provides a partial solution to this bug. It is advisable to deploy these patches as quickly as possible and be prepared to deploy another patch once developers & researchers confirm a patch with complete coverage for this vulnerability.
Fixes for Android phones and other devices will have to come from the manufacturers (if they come at all).
The Gap
There is always going to be a gap between the time that a patch is made available and the time in which you can ensure that it is successfully deployed across your environment.
This is where a compensating control comes into play. In this case, you should have an intrusion prevention system (IPS) or other network-based heuristic monitoring the network traffic to your instances.
Host-level protection can look at the network traffic coming to and from your instances and look for attempted attacks, blocking them before they can be executed and effectively virtually patching the servers.
In this case, the exploit is relatively simple to identify and an IPS should be able to prevent any attempted attack from ever reaching the vulnerable software.
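As an added example (not part of the original post or of Trend Micro's products), here is the kind of check an IPS or a host-side log monitor performs for this bug: it scans Apache combined-format access log lines for the exported-function prefix that triggers the bash flaw in any request field a web server copies into the environment. The log lines and IP addresses are constructed for the example.

```python
"""Flag Shellshock probes in Apache combined-format access logs (added example)."""
import re
from urllib.parse import unquote

# Bash misparses an environment variable whose value begins with an exported
# function definition, "() {".  Web servers copy request headers and the query
# string into environment variables for CGI scripts, so that prefix in any
# request field is the signature to look for.
SHELLSHOCK_PREFIX = re.compile(r"\(\)\s*\{")

# Apache "combined" log format; the quoted fields are the ones that reach bash.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def parse_combined(line):
    """Return the log record as a dict, or None if the line is not combined format."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None


def is_shellshock_probe(value):
    """True if the field carries the prefix, raw or URL-encoded (query strings)."""
    return bool(SHELLSHOCK_PREFIX.search(value) or SHELLSHOCK_PREFIX.search(unquote(value)))


def find_shellshock_probes(lines):
    """Return (client ip, field name) for every request carrying the pattern."""
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue  # not a combined-format line; skip rather than crash
        for field in ("request", "referer", "agent"):
            if is_shellshock_probe(rec[field]):
                hits.append((rec["ip"], field))
                break
    return hits


# Constructed sample log: one probe in User-Agent, one benign request,
# one URL-encoded probe in the query string, one probe in Referer.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo"',
    '198.51.100.7 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "http://example.com/" "Mozilla/5.0"',
    '203.0.113.9 - - [25/Sep/2014:10:02:11 +0000] "GET /cgi-bin/test.cgi?x=%28%29%20%7B%20%3A%3B%7D HTTP/1.1" 404 0 "-" "curl/7.30"',
    '192.0.2.4 - - [25/Sep/2014:10:03:40 +0000] "GET / HTTP/1.1" 200 100 "() { :;}; echo" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, field in find_shellshock_probes(SAMPLE_LOG):
        print(f"shellshock probe from {ip} in {field}")
```

Run against a live log the same way; a hit is a candidate for blocking at the IPS and for confirming the host's bash is patched.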
What To Do
Our technical post does a great job of detailing some general steps everyone should take to respond to this issue as well as the specific steps that Trend Micro customers should take.
There is currently a patch available for most affected distributions that partially addresses the vulnerability. Work continues on a more complete solution.
This issue is urgent and should be addressed immediately. Fortunately, the response plan is very straightforward.
- If you’re an end-user, watch for patches for your Mac, your Android phone, and other devices you may have.
- If you’re running LINUX systems, deploy BASH patches immediately.
- If you’re running LINUX/APACHE webservers using BASH scripts, consider retooling your scripts to use something other than BASH until a patch is available.
- If you’re the customer of a hosted service, get in touch with them to find out if they’re vulnerable and find out their remediation plans if they are.
Your next step to protect your servers should be:
- Make sure that you have an IPS deployed in front of any vulnerable servers and that the IPS is enabled and actively blocking exploits for CVE-2014-7169. Deep Security is available in a fully functioning trial (software or service) that can immediately help customers.
- As patches become available, be sure to deploy them as quickly as possible to ensure layered coverage (in conjunction with your IPS).
- Continue to monitor the situation as it evolves.
For vulnerable desktops (such as Linux and Mac OS X):
- Temporarily switch your shell to one without this vulnerability. This vulnerability currently only exists in bash; other shells are unaffected. Here’s a how-to for Mac OS X.
- Once a patch is made available for your operating system, deploy it.