How can you deal with Shellshock?

27 September 2014


James Rashleigh’s profile on LinkedIn

The vulnerability, known as “Shellshock,” takes advantage of a bug discovered within the GNU Bourne-Again Shell (BASH) which allows malicious users to remotely execute commands, regardless of restrictions placed on the environment. This vulnerability could be leveraged to take full control of the system, obtain sensitive information, or extend access to other connected systems within the same network. Exploits have been made publically available, and it has been reported that ShellShock is being actively exploited by malicious users.

Interim fixes (patches) have been released for the vulnerability but some have been reported as incomplete. In addition to patching affected systems, increase the attention given to monitoring processes to detect unauthorized access and suspicious activity within the environment. Updating intrusion detection and scanning signatures may provide interim vision across the organization of potentially affected systems and devices.

What is the issue?

A previously undetected, critical bug within the GNU Bourne-Again Shell (BASH), a command-line shell installed by default and ubiquitously used on most Unix-based systems, such as Linux and Mac OSX, was reported on 24th September, 2014. BASH is typically used for administration of systems. This bug allows for unauthorized use of the affected software to remotely execute arbitrary commands on vulnerable systems.

 It is reported that the exploit allows malicious users to append executable commands to vulnerable parameters. The vulnerability (CVE-2014-6271) is currently known to affect BASH version 1.14 up through 4.3, with other versions being investigated at the time of the writing of this brief. The first set of patches has been released by software vendors; however, indications are that these patches do not provide complete protection against the vulnerability.

What is the potential impact?

The full impact of this vulnerability is still being investigated; it appears that Internet-accessible systems, such as web servers, e-mail servers or DNS servers, which use BASH to connect to the underlying operating system, could be affected. BASH is found primarily on Unix-based systems, but organizations that use Windows-based systems may still be vulnerable, as they are likely leveraging appliances that are vulnerable. BASH can also be found on embedded systems, home routers and many “Internet-of-things” devices.

This vulnerability allows malicious users on the Internet to remotely execute commands of their choice by sending malicious commands to an Internet-connected system. Execution of such code could allow malicious users to launch programs on the system, make outbound connections to attacker-chosen systems, or execute malicious software. Malicious users could also leverage this vulnerability to steal sensitive information, such as authentication credentials, credit card details or any other sensitive information that may be stored on the system.

What actions should be considered?

This is a complex security and technology issue. There is no single quick or easy fix.  All indications are that malicious users are actively looking to exploit the vulnerability so increased vigilance should be considered.  As organizations assess the impact of this vulnerability below are tactical (short term) and strategic (mid to long term) actions to be considered. 

 Tactical - Short term considerations

  • Engage information security to determine vulnerable systems or devices including servers, networking, monitoring and security systems. Also review HVAC, ICS & phone systems to make sure they are not vulnerable.
    • Many vendors have released patches to partially address the vulnerability in affected versions of their software. These should be applied to your environment as quickly as possible. 
    • Internet accessible systems and other sensitive internal systems exposed by this vulnerability should be assessed for indicators of compromise. 
    • Review and monitor application and network logs for abnormal activity. Ensure systems are only communicating to trusted sources and new user accounts have not been created.
    • Monitor social media, security forums, data repositories, and other sources of security intelligence for indications of breaches.
    • Educate and provide guidance to client facing employees, as the vulnerability gains media attention, they may be asked by clients if the organization is vulnerable.
    • Take proactive steps to decide what actions you will recommend to your own customers and other end users take to protect themselves.
    • Leverage employee awareness programs to increase attention and focus as adversaries are known to utilize traditional attack techniques (e.g. phishing campaigns) when new vulnerabilities are being addressed.

Strategic - Medium / Long Term Considerations

  • Assess the cybersecurity strategy and program in order to identify opportunities for improving processes, capabilities and technologies used to protect the organization and detect vulnerabilities such as Shellshock.
  • Decrease Internet exposure for all systems and devices through the use of network segmentation, demilitarized zones and perimeter firewalls.
  • Review your IT function’s change and patch management processes to ensure timely patches are applied to all IT systems.
  • Employ a defense in depth strategy with multiple layers of security controls and monitoring.
  • Develop risk intelligence by making use of processes and information sources to provide early warning of current and future vulnerabilities.
  • Develop and continuously maintain an up-to-date data classification and system inventory, to provide visibility to the location of sensitive data within the environment.

 Further Reading

Please read PwC’s Shellshock Tactical Intelligence Bulletin for some useful tactical recommendations and guidance to minimize your exposure to Shellshock. Download PwC_Shellshock_Tactical_Intelligence_Bulletin

Contact Details

James Rashleigh: + 44 (0) 207 212 2060,  [email protected]

Kris McConkey: +44 (0)20 7804 2471, [email protected]

Stewart Room: +44 (0) 20 7213 4306, [email protected]