Shellshock Software Bug Leaves Millions of Linux and Mac Computers Vulnerable
Last month, the U.S. Department of Homeland Security cybersecurity team issued a warning about the Shellshock bug, a high-risk software vulnerability that could affect millions of Linux and Mac computers.
What exactly is Shellshock?
Bourne Again Shell, or Bash, is a piece of software in the Unix and Apple (OS X) operating systems: the part of the operating system that receives and executes operating system commands. Shellshock, otherwise known as Bashdoor, is a flaw in Bash. The hole in Bash could allow attackers to access and gain control of the operating system and perform malicious activities such as distributed denial-of-service (DDoS) attacks or inserting code into a user's computer and running commands to access and control that computer remotely. This matters because critical and confidential information could be exposed, manipulated or even deleted.
Even though this bug was only recently discovered, experts agree that the vulnerability has likely existed for several decades. Because the bug has been present for so long, exposure is most likely extremely high, affecting a large number of users running Apple and Linux operating systems. Many devices besides servers and computers may be affected as well, such as home routers and webcams. For this reason and many others, NIST (the National Institute of Standards and Technology) has warned that this vulnerability is rated as high as it gets, a 10 out of 10 in terms of its severity, impact and ability to be exploited, while it is rated low in terms of complexity.
What should you do?
In-house information technology departments or service providers should be taking appropriate action to mitigate this risk as a high priority, and third-party service providers should be evaluated in the same manner. Companies need to ask their providers the same pertinent questions they are asking themselves: Are they vulnerable? What steps are they taking to protect themselves and mitigate risks? Are they performing the due diligence necessary to protect themselves and their customers?
Output of risk assessments and monitoring to detect and prevent unauthorized access should be continuously scrutinized to identify any abnormalities. If these basic detection and prevention controls are not in place, they should be implemented immediately. Seeking the expert advice of a third party could also help supplement internal IT departments where resources are spread thin. To determine if a computer is vulnerable, the user should run the command: $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test". If the output returns 'vulnerable this is a test', then the machine is at risk.
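The same check, as an added example that is not part of the original article, wrapped in a POSIX shell script so the result can be checked by name rather than read off a terminal. The script inspects only stdout (a patched Bash prints its "ignoring function definition attempt" warning on stderr) and uses a distinct marker word instead of "vulnerable" so the result cannot be confused with the test echo; the script name shellshock_check.sh and the marker string are assumptions.

```shell
#!/bin/sh
# Added example: runs the article's Shellshock probe and classifies the outcome.
# Only stdout is inspected; a patched bash reports the rejected function
# definition on stderr, which must not count as "vulnerable".

MARKER="shellshock_marker"   # constructed marker, distinct from the test echo

# classify_output: given the probe's stdout, print "vulnerable" if the
# injected trailing command ran (marker present), otherwise "patched".
classify_output() {
    case "$1" in
        *"$MARKER"*) printf 'vulnerable\n' ;;
        *)           printf 'patched\n' ;;
    esac
}

# check_bash: run the probe against the given bash binary (default: the first
# "bash" on PATH) and classify it. Prints "no-bash" if no such binary exists.
check_bash() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || { printf 'no-bash\n'; return 0; }
    # Same probe as the article: an environment variable whose value looks like
    # a function definition followed by extra commands. A vulnerable bash runs
    # the extra commands while importing the environment at startup.
    out=$(env x="() { :;}; echo $MARKER" "$bash_bin" -c "echo this is a test" 2>/dev/null)
    classify_output "$out"
}

# When invoked directly as shellshock_check.sh (assumed name), report on the
# default bash and exit non-zero if it is vulnerable.
if [ "${0##*/}" = "shellshock_check.sh" ]; then
    status=$(check_bash "$@")
    printf 'bash status: %s\n' "$status"
    [ "$status" != vulnerable ]
fi
```

A non-zero exit from the script is what a scheduled job or monitoring agent should alert on; pass a path as the first argument to probe a specific Bash binary.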
Other risk mitigation steps that should be taken include but are not limited to:
- Running periodic vulnerability scans of all systems
- Identifying vulnerable internal systems and services and remediating those vulnerabilities appropriately and in a timely manner
- Following appropriate patch management practices
- When applicable, ensuring that third-party service providers take appropriate risk mitigation steps and then monitoring the status of the vendors’ efforts
- For Android users, checking to see if devices are vulnerable
- Auditing the list of remote network services running (data classification)
For a discussion specific to your organization, please contact Brian Thomas, partner in IT Advisory Services.
© Copyright 2014 Weaver and Tidwell, L.L.P.