Who should be most worried about "Shellshock," the Unix/Linux vulnerability?

See hed; decent cite here, for example. Or, as asked in this report, in fine journalistic style, here is another way I could have written the hed: Could hackers cause Internet MELTDOWN?

[It’s being called an exploit, which I think is a made-up word for a bug that can be exploited. So who alerted the world, and the bad guys, if there is this hole to be filled? Otherwise, as of now, there is no malware called “Shellshock,” right?]

What would be the first to go, based on past performance of bad guys, given the level of skill needed to exploit this? That is, can every Tom, Dick and Harry hacker do it, or is it “government level”?

Credit card theft? Denial of Service (i.e., Things Break Down, as far as the end user consumer is concerned)? Missiles will be launched oddly, physics simulations will be off by 1, cats sleeping with dogs? My Mac will get whacked too?

Mac OSX users without IPS protection. Linux users. If you are using OSX, until Apple releases a patch to the OS you should get good internet security software. Or stay offline.

I’ll be back in a bit with details on what it could expose you to. Good news is that not much has been found yet. Bad news is that it’s serious.

From what I’ve read, I think you’re going too far. You have to have some type of service that is open to the Internet for someone to be able to connect and exploit this. I would guess that most normal users don’t have this. Most routers have built-in firewalls and require you to port forward. As long as you don’t download any new programs that could act as a backdoor, it seems like you should be fine.

It’s the large number of servers running some *nix variant that need to be worried. You need to be worried about those sites being compromised, not your own computer. And that applies to Windows users, too.

Of course, I’m just now being made aware of this. Maybe I’ve missed something. But just the general nature makes it seem like it would be hard to exploit for regular users. It’s mostly being compared to Heartbleed.

The skies darkened and rained blood for three days and three nights with Heartbleed, and the Internet collapsed.

Or maybe not.

This is much the same; just like every other part of life, people like to get over-excited — ‘I want to make your flesh creep’ — and journalists more than any other, since that’s how they make their income. I have had two patches for Bash already, and I barely use it anyway. Server admins will have already applied any patches issued, and if they haven’t, no really bad stuff will happen.

This is simply incorrect. If you are using OS X on your desktop/laptop, and not as a server, then you are not hosting any services which allow an attacker to specify values for environment variables that get passed to bash, and thus you are simply not vulnerable to this attack. If you know otherwise, please describe the actual service in question, rather than spread what appears to be uninformed fear-mongering.

If you are running a web server or SSH server, etc. on your laptop, then presumably you know what you’re doing and can assess your vulnerability yourself. But this vulnerability does not affect ordinary desktop users of OS X.

If you are using a desktop Linux system and you are for some reason not behind a firewall, it is possible that some of the default desktop services expose this vulnerability, and you should check with your distribution vendor for details.

Now, anyone who is using the internet is vulnerable to indirect attack, i.e. if your ISP has a vulnerable DNS server and an attacker redirects requests for your bank’s website to his own - but this has nothing to do with what OS you are running on your own computer.

I’m not enough of a guru to know whether I am fully immune yet, but Ubuntu Linux has had three, count’em three, patches to Bash within the past couple of days.

The biggest threat for residential users is not desktops/laptops, but routers. Many (most?) routers run Linux and many have SSHd (secure shell daemon). This is a service where you can connect to the router over a command line interface. If the router has bash (likely), it probably has the vulnerability.

So check your router configuration and see if you can turn off SSHd. I just checked my Linksys router running DD-WRT software and SSHd is disabled by default so I’m fine.

Missed the edit window:

Checked around a bit and DD-WRT does not run bash, but another shell called busybox which is not affected by shellshock. Still a good idea to make sure SSHd is disabled on your router unless you need it for anything.

My father saved $0.50 and bought a new modem without WiFi (“who needs it?”), and I will be installing a router, and will have to set it up.

I expect to be revisiting this thread…

You have most of the answers now - but to summarise:

The exploit uses a bug in the manner in which bash allows environment variables to be used. If you are able to find a service on a machine that exposes a mechanism to start a bash shell script, an exploit can craft a request that allows running arbitrary code.

However - no normal machine should have such a service. No modern web server should either. The use of such shell scripts in web interfaces is long obsolete - but that doesn’t mean lots are not still in use. It is just possible that some desktop machines might run some odd service that uses bash - and these would be vulnerable - but it isn’t part of a standard installation. In principle if your machine does this you would have known enough to set it up - and know what is going on. But of course this doesn’t always happen.

Embedded devices - of which routers are the most common on the internet - could be vulnerable - almost all provide a web based interface and allow various command capabilities that may use bash to implement. However - bash is a very big program with lots of capabilities that are not useful here. The usual implementation in routers uses busybox, which provides the needed functionality, and is much smaller - busybox is not vulnerable.

Overall - it is unlikely a normal Linux or OSX user will have anything that is vulnerable. However patches are being distributed, and they should be applied. The reason so many patches came out is that the first ones introduced more problems.

The whole story underlines an unfortunate issue with a lot of open source code. The “many eyes” quality control ideal turns out not to be true. Nobody external has been reviewing or testing the code. There are scant few people in the open source community who are willing to take on the less than glorious job of QA. Everyone wants to be a hero and write new stuff.
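The summary above (bash importing functions from environment variables, and routers usually running BusyBox rather than bash) can be checked locally. As an added example, not code from the thread, here is a read-only self-check a user could run on a desktop, server or router shell: it reports whether the installed bash still executes trailing code in an imported function definition, and what /bin/sh actually resolves to; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread. Nothing here changes the system; it only
# reports whether the local bash has the Shellshock behaviour and which shell
# program /bin/sh really is (BusyBox ash is not affected, as the thread notes).

# Prints one of: vulnerable | patched | no-bash
shellshock_check() {
    if ! command -v bash >/dev/null 2>&1; then
        echo no-bash          # e.g. a BusyBox-only router
        return 0
    fi
    # The variable's value is a function definition with code appended after it.
    # An unpatched bash runs that trailing "echo vulnerable" while importing the
    # variable; a patched bash ignores or warns about it (stderr discarded here).
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo done' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Prints the program name /bin/sh points at (sh, bash, busybox, dash, ...).
# On most routers this is busybox; bash only matters if something reachable from
# the network, such as a CGI script or SSH login, actually invokes it.
sh_provider() {
    target=$(readlink -f /bin/sh 2>/dev/null || echo /bin/sh)
    basename "$target"
}

report() {
    printf 'bash status: %s\n' "$(shellshock_check)"
    printf '/bin/sh is : %s\n' "$(sh_provider)"
}

report
```

A "patched" result only covers the bash binary found first in PATH; a second copy (for example under /usr/local/bin) needs the same check.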

A QA software engineer walks into a bar.
He orders a beer,
Then he orders 0 beers, 9999999999999 beers, -1 beers, 3.14159 beers, “lizard” beers, “” beers, and qwdpoiruhqkdjg beers.

All of which are handled gracefully by the bartender, whereupon the QA engineer certifies the bartender as “certified fault-tolerant” and releases him to the user community.

Then the first user orders Bothallchoractorschumminaroundgansummuminarrumdrumstrumtruminahumptadumpwaultopoofoolooderamaunsturnup
beers, and the bartender promptly crashes with an input buffer overflow.

Two strings walk into a bar.
The first string says "I would like two beers please. wfmnnn<beep>
\f qwen^%@#!$…
“I’m terribly sorry” says the second string, “he’s null terminated.”

No, that’s fine … I was just going anyway. I’ll see myself out.

Oracle Corporation just released patches for many of their products this weekend to combat this issue. The Solaris Unix OS was just one product with a patch.

I’m back. I work for a security company. Go ahead, throw tomatoes. For the most part, Enterprises are the ones at risk, but after digging around here, the official line is still that Mac OSX still has this vulnerability until Apple pushes updates or the end user installs security with IPS protection.

Again, the good news is that there have only been a few instances “in the wild”. Meaning, the vulnerability has been found, but very few instances have been noted where anyone has actually taken advantage of it. I suppose the bad news is that the more people talk about it, the more likely it is that someone will decide to try to do that.

If you are interested, I can provide links to vendor patches and more detailed explanations of the risks. It sounds from this thread that those who need the patches already know how to get them.

The OSX issue is that it includes the problematic version of bash.

I assume you are referring to individual user’s macs.

To add my own two cents to this: the servers I am responsible for have been receiving a large number of attempted attacks since Friday. This jibes with what Wired is reporting here: http://www.wired.com/2014/09/hackers-already-using-shellshock-bug-create-botnets-ddos-attacks/

Fortunately our nginx architecture is not vulnerable (as are most modern websites). In my opinion though, this is just another reason to use different, strong passwords on each website you use. Write them down or save them to an encrypted USB drive if you need to. Because if you use the same username/password on someone’s old forum that uses cgi-bin as you do for your bank or iCloud, you could be in trouble.

Here’s Mr. Schneier and Mr. Krebs,

Schneier Shellshock

Krebs Shellshock

Reason I include their main blogs as links is that one can see a lot more crazy security breaches are happening. For some reason, this year particularly, potential Open Source flaws excite more than regular Closed Source flaws which no-one outside can discover.

A Texas bank that’s suing a customer to recover $1.66 million spirited out of the country in a 2012 cyberheist says it now believes the missing funds are still here in the United States — in a bank account that’s been frozen by the federal government as part of an FBI cybercrime investigation.
Medical Records For Sale in Underground Stolen From Texas Life Insurance Firm
Breach at Goodwill Vendor Lasted 18 Months

I hope you don’t take this comment as throwing more tomatoes, but I guess a security company has a vested interest in hyping up this kind of bug. Same with the media. ‘Bigger than Heartbleed’? Oh, really? You mean bigger than a bug that was actually exploited like, basically zero times, as far as I can tell?

While this ‘official line’ isn’t technically incorrect, I do think it’s misleading. Absolute was correct that consumer users of OSX are in no particular danger - yes, the OS comes with a vulnerable version of Bash installed, but they aren’t going to be doing anything that would open them to exploiting it - anything on their system that’s going to invoke Bash already has as much system access as exploiting Shellshock would give it. I’m sure Apple will eventually push out an update that fixes this, but there’s no need to panic in the meanwhile.

People who are, for instance, running a web server etc. on their personal computer (as I do) have the wherewithal to update their Bash version (as I have been) as the patches come out.

Well… it can’t be much *smaller* than Heartbleed then, can it? :)

I’m a Linux sysadmin, and we’ve spent a good portion of the last few workdays dealing with this. First, internal discussions to try to determine if there was anything to it in the first place. Then coming up with a communication plan for our customers that lets them know that “no, the sky isn’t falling, but yes, we do need to patch this as soon as possible”… then going through all of the change control processes (we can’t just implement fixes in production; we need to run through Test/Dev/QA first). All the while knowing that there are going to be more patches in the days to come, so that we’re going to have to go through the whole process at least once more before we’re done.

Of course, the actual possibility that any of our systems is going to be affected by a real exploit from this is pretty remote… but “don’t worry boss, it almost certainly won’t affect us” is for some reason *not* seen as a good reason to opt out of applying security patches.

Mac OSX updates to fix bash are now available for 10.7, 10.8, and 10.9. (Thanks to MacInTouch for the links.)