Do you remember HeartBleed from a few months back? There’s another huge vulnerability that just came to light: Shellshock. And this one is much worse than HeartBleed 🙁

Shellshock is based on a vulnerability in the Unix/Linux bash command processor. Bash can be forced to execute commands stored as ‘environment variables’ and unfortunately, many programs pass data through these variables. So an attacker could conceivably take over a server by simply:

  • using a script as a username or password
  • sending an email body or email subject that contains a bad script
  • setting a web page title to a script value so that web page scrapers would request the page and then get infected
  • post a script value to a web form
  • save a document that contains a bad script
  • etc…

What makes it so scary is bash is used all over in a large portion of Unix\Linux software. That means servers, routers, refrigerators, phones, etc. can potentially be vulnerable.

It’s like a lock company that made millions of locks over 20 years for homes, cars, buildings, cabinets, vaults, etc. It has just come to light that one particular factory worker’s locks are vulnerable to being opened without the key. The problem is, nobody knows exactly which locks that particular worker built over the 20 years. Everyone needs to be concerned.

What can you do to protect yourself from Shellshock?

If you have servers, update bash on any server/device that you can. Check if your router, NAS, firewall, etc. have any updates posted.

If you are a consumer of services on the web (who isn’t?), you’re at the mercy of all of your service providers patching the software and services they use. 🙁

Silver lining?

Windows servers almost never use bash, so they are most likely unaffected.

All Power Admin products are NOT vulnerable — we don’t use bash, and don’t use any library or third party code that uses Bash.

Storm Clouds

This, along with HeartBleed and Edward Snowden revelations, might have a chilling effect on cloud service adoption. And we like cloud services like everyone else!

With one exception…. It’s never made sense to us to have networks and servers monitored by the cloud. The monitoring software needs to be the most trusted because it has deep insight into the network, lists of server names, credentials to those servers, configuration information and so on.

Jen Andre has already discussed Nagios’ vulerability (many Nagios plugins use bash), which means monitoring products and online services based on Nagios are also vulnerable. Other online ‘cloud monitoring’ services are quite likely vulnerable too because most of them are Linux based.

With Power Admin products, all of the private and sensitive information about your network and servers stays completely under your control on hardware you control. At least that is one part of this predicament that our customers don’t need to worry about at all 🙂

 

Doug N

More about me on Google+

Share →

2 Responses to Shellshock vulnerability – worse than HeartBleed :(

  1. Hi jmb,

    Thanks for pointing that out! Link is updated now.

(ec2)