Below is a link to a GitHub gist in which the Bash Shellshock vulnerability is being discussed:
https://gist.github.com/anonymous/929d622f3b36b00c0be1
For the non-technical reader, what the posters are showing is that the vulnerability now called Shellshock is already being used in the wild. Attempts to exploit it are being captured in web server log files; note in particular the User-Agent entries in those logs, since they illustrate the attempts being made.
What is particularly alarming is just how easily this vulnerability can be used, and that the log files also appear to show attempts to scan for vulnerable machines. The "grep" command on Linux is a powerful and flexible search tool that can carry out very specific searches; note the comments in the link where grep is mentioned. A list of vulnerable websites would be valuable indeed, and so would a list of vulnerable machines of any type.
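Since the log files are where these attempts first become visible, here is a small detection script for the defender's side. It is an added example, not code from the gist or its posters; it parses constructed sample lines in the common "combined" web log format and flags any request whose User-Agent, Referer or request line begins a header value with the exported-function prefix that Shellshock probes rely on. It goes slightly beyond the post by checking the Referer and request line as well, since any header a CGI handler exports into the environment is a possible carrier.

```python
import re

# Apache/nginx "combined" log format. Quoted fields may contain escaped
# quotes (Apache logs them as \"), so each quoted field allows backslash escapes.
_QUOTED = r'"((?:[^"\\]|\\.)*)"'
LOG_LINE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + _QUOTED + r' (\d{3}) \S+ ' + _QUOTED + ' ' + _QUOTED + '$'
)

# A Shellshock probe places an exported-function definition, "() {", at the
# start of an HTTP header value that a CGI handler exports into the environment.
# Whitespace is allowed between the tokens so padded variants are still flagged.
SHELLSHOCK = re.compile(r'\(\s*\)\s*\{')

# Constructed sample lines (not taken from the gist); two of them carry probes.
SAMPLE_LOGS = """
203.0.113.5 - - [25/Sep/2014:10:01:12 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo shellshock-probe"
198.51.100.7 - - [25/Sep/2014:10:01:13 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0"
192.0.2.9 - - [25/Sep/2014:10:02:40 +0000] "GET /cgi-bin/test.cgi HTTP/1.0" 404 210 "() { ignored; }; echo from-referer" "curl/7.37.0"
198.51.100.7 - - [25/Sep/2014:10:03:01 +0000] "POST /login HTTP/1.1" 302 0 "http://example.org/" "Mozilla/5.0 (Macintosh) Safari/537.78"
""".strip().splitlines()

def parse_line(line):
    """Return a dict of the fields we inspect, or None for an unparseable line."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ip, ts, request, status, referer, ua = m.groups()
    return {"ip": ip, "ts": ts, "request": request, "status": int(status),
            "referer": referer, "user_agent": ua}

def find_shellshock(lines):
    """Flag lines whose User-Agent, Referer or request line carries a "() {" prefix."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # in production, count these: parsing gaps can hide probes
        for field in ("user_agent", "referer", "request"):
            if SHELLSHOCK.search(rec[field]):
                hits.append({"ip": rec["ip"], "ts": rec["ts"], "field": field,
                             "status": rec["status"], "value": rec[field]})
                break  # one alert per line is enough for triage
    return hits

if __name__ == "__main__":
    for hit in find_shellshock(SAMPLE_LOGS):
        print(f'{hit["ts"]} {hit["ip"]} {hit["field"]}={hit["value"]!r} status={hit["status"]}')
```

The HTTP status in each hit matters for triage: a probe against a path that returned 404 never reached a CGI handler, while a 200 against a CGI path deserves a closer look at that host.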
This vulnerability affects much more than just websites: MythTV boxes and other entertainment boxes running Linux (Boxee? TiVo?) could also be affected. It could even affect security cameras or, for that matter, any device that has a Bash shell available.
This is a particularly scary vulnerability because of its ease of use and its power. Using the Shellshock vulnerability, it is possible to obtain files that were supposed to be limited to root access. In other words, "Got Root?" isn't a question; it's an assumption.
Oh, and by the way, Mac OS X systems are also affected, since they also have Bash available.
Imagine a SCADA system running Unix at a steel mill, connected to the Internet for customer convenience. Naturally, there is security in place to prevent anyone except customers from accessing the SCADA web page data. However, with the latest Bash vulnerability, anyone who can type a simple script can access that SCADA system. Who cares, you may ask? It's just production data. Why would anyone want it?
The problem in this case isn't that data may be copied, as in credit card number theft. The problem is what could be done if someone on an outside connection can control that machine.
Of course, the attacker would need to be running the actual SCADA software to interact with the equipment. Or would he? Could he instead directly access the database that the SCADA system uses to keep track of and issue equipment commands? Could he access that database and change the product recipe?
But who cares about a steel mill, right? Well, the issue is that Unix- and Linux-based SCADA systems are used in a wide range of industries, including power generation, oil production, transportation, semiconductor fabs, and utilities. All it takes is one machine connected to another machine that is connected to the Internet, and the scenario depicted above can become very real.
There's no need to panic yet, unless you happen to be in IT and manage systems that run Unix, Linux, or Mac OS X. On the other hand, security researcher Bruce Schneier is calling the flaw "catastrophic."
If important systems, beyond just those in commerce and finance, do not get patched before a Shellshock worm is released, we could have serious problems that would make the finger vulnerability, the Morris worm, Heartbleed, and the Code Red virus seem almost innocuous in comparison.