Well, you are probably aware by now of the now-famous Bash bug. The damage from it keeps spreading, and we have only bad news for you:
- There is still no working patch. The hotfix for CVE-2014-6271 was bypassed almost immediately, and the vulnerability is valid again. It seems the only way to “repair” Bash right now is to manually disable the import() function in the source code.
- Even after a valid patch finally appears, we will be living with ShellShock for a long time. Routers, web cameras, SIP gateways, NAS boxes: vulnerable versions of Bash will remain in tons of devices for years! Even thoroughbred load balancers from well-known vendors have proved to be vulnerable. Just imagine what kind of load network equipment of this class can generate for a DDoS attack.
- Exploitation through DHCP is no longer only theoretical: it has now been practically proved and demonstrated with a PoC by a TrustedSec researcher. This is one of the most epic vectors! Connect to the network and get a malicious-payload bonus along with your IP address. Wow!
- Do you like Git/Subversion? Sure, but you need to know that they are vulnerable too (when configured for use over SSH, which is the usual case). It is a known fact that any user of a version control system has access to the OS, but with rights limited to executing a restricted set of commands. ShellShock allows circumventing this limitation and getting a working shell! The good news (the only good news here) is that many OSes use dash (not bash) by default for the git user, as Debian does.
- And finally, it is hard to imagine how many people are now scanning whole IP subnets in search of vulnerable services (just like Robert Graham did). ShellShock probes are already implemented in vulnerability scanners (e.g. w3af), and it has already been proved that ShellShock is being used by malware. So, what are the chances that your vulnerable devices will not be reached?
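Since scanners and malware now probe for the bug the way the last point describes, a defender wants to spot those probes in web server logs. The following Python script is an added example, not code from this post or from Wallarm: it parses Apache/nginx combined-format access log lines and flags any request whose User-Agent, Referer or request line carries the `() {` function prologue that ShellShock probes rely on; the log lines are constructed samples, not real traffic.

```python
import re
from typing import Dict, List, Optional

# ShellShock probes smuggle a bash function definition into a request field that
# a CGI handler copies into the environment (User-Agent, Referer, Cookie, ...).
# The marker below is the "() {" function prologue that CVE-2014-6271 keys on;
# \s* tolerates the spacing variants seen in probes.
SHELLSHOCK_MARKER = re.compile(r"\(\)\s*\{")

# Apache/nginx "combined" log format. Quoted fields may contain \" escapes, which
# the (?:[^"\\]|\\.)* alternation steps over instead of ending the field early.
_Q = r'(?:[^"\\]|\\.)*'
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>' + _Q + r')" '
    + r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>' + _Q + r')" "(?P<agent>' + _Q + r')"$'
)


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format access log line into its named fields."""
    m = COMBINED_LOG.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def find_shellshock_probes(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per log line whose request line, referer or user-agent
    carries the ShellShock marker; each hit names the source IP and the field."""
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue  # unparseable line: skip rather than misclassify
        for field in ("request", "referer", "agent"):
            if SHELLSHOCK_MARKER.search(rec[field]):
                hits.append({"ip": rec["ip"], "field": field, "value": rec[field]})
                break  # one hit per line is enough for alerting
    return hits


# Constructed sample lines (hypothetical traffic, not real logs). Lines 1 and 3
# carry probes in User-Agent and Referer; line 2 is ordinary traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo probe"',
    '198.51.100.7 - - [25/Sep/2014:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "http://example.com/" "Mozilla/5.0"',
    '203.0.113.9 - - [25/Sep/2014:10:00:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "() {:;}; echo \\"probe\\"" "curl/7.37.0"',
]

if __name__ == "__main__":
    for hit in find_shellshock_probes(SAMPLE_LOG):
        print(f"{hit['ip']}: ShellShock marker in {hit['field']}: {hit['value']}")
```

The marker check is deliberately loose (it does not care what follows the prologue), so it catches benign test probes as well as live payloads; treat a hit as a reason to look at the source, not as proof of compromise.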
By Stephan Ilin,
Product Director, Wallarm