Shellshock DDoS Attacks Spike

Four Bugs Now Found in 'Shockingly Obsolete' Code
Shellshock DDoS Attacks Spike

Distributed-denial-of-service attacks that target the Bash flaws known as Shellshock have spiked in recent days.

See Also: Evolving Cybercriminal Attack Methods

"We're seeing north of 1.5 million #shellshock attacks across the @CloudFlare network daily," says Matthew Prince, CEO of the content delivery network and DDoS defense firm CloudFlare. Prince says that count is determined by the company's Web application firewall detecting attempted attacks that use the Shellshock flaw.

Shellshock-targeting DDoS attacks and IRC bots were spotted less than 24 hours after news about the Bash bug went public last week. Since then, security software vendor Trend Micro says it's also seen Shellshock-related IP address probes directed against unnamed institutions in Brazil, as well as at least one financial services firm in China. "Attackers were trying to see if several IPs owned by the institution were vulnerable to a Shellshock vulnerability, specifically CVE-2014-6271. Further analysis revealed that three of the tested IPs were possibly vulnerable, as the attackers tried to use the command ... 'uname' [to display] system information, including the OS platform, the machine type, and the processor information."

To date, however, the security software vendor hasn't seen the exploit being used to deliver malware payloads. "At first glance, retrieving system information might seem harmless," Trend Micro says. But this reconnaissance "could possibly be a sign of preparation for ... more damaging attacks."

"In the wrong hands, an attacker can use Shellshock to run malicious scripts in online systems and servers - compromising anything and everything in and connected to those elements," it adds.

Bash Use Widespread

Use of the Bash open source command line shell is widespread because it's part of all Linux distributions, on which more than 500 million Apache Web servers run. That means the Shellshock problem could be bigger than the Heartbleed vulnerability. "The bug probably affects many GNU/Linux users, along with those using Bash on proprietary operating systems like Apple's OS X and Microsoft Windows," says John Sullivan, executive director of the Free Software Foundation - which supports Bash - in a statement.

CISOs have begun scrambling to mitigate the Shellshock flaw and identify every Bash-using system or device that might be at risk (see: Shellshock Bug: How to Respond). Thankfully, not every system that includes Bash is susceptible to exploits that target it. "It's only Linux-based devices that can be attacked remotely - Mac OS X devices and the iPhone can only be attacked at a local level, i.e. with the attacker having physical access to the device itself," says Trend Micro.

Four Bash Flaws, and Counting

To date, there are four vulnerabilities associated with Shellshock: CVE-2014-6271, CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187.

The Free Software Foundation released Bash patches on Sept. 25 that address both the original Bash flaw, CVE-2014-6271, as well as the new bug that the initial, incomplete patch spawned, which is CVE-2014-7169, which was discovered by security researcher Tavis Ormandy.

Numerous vendors have since begun releasing, updating and patching their Bash-using software and devices. Oracle, for example, has released patches for six affected products - including Oracle Linux, versions 4 through 7, and Solaris, versions 8 through 11 - but says it has yet to release patches for at least 44 other vulnerable products.

Since the GNU Project released its second round of batch patches, however, Red Hat security researcher Florian Weimer discovered additional vulnerabilities, which have been assigned CVE-2014-7186 and CVE-2014-7187. "It's possible that other issues will be found in the future and assigned a CVE designator even if they are blocked by the existing patches," warns Red Hat security engineer Huzaifa Sidhpurwala in a Shellshock FAQ.

Free Software Foundation

Part of the reason so many vulnerabilities have been spotted in Bash is because the code that comprises it is "shockingly obsolete," says security researcher Robert David Graham, who heads Errata Security, and who's been actively scanning the Internet to try and count the number of systems that are vulnerable to Shellshock.

"In response to #shellshock, Richard Stallman said the bug was just a 'blip.' It's not, it's a 'blimp' - a huge nasty spot on the radar warning of big things to come," Graham says, referring to comments made by GNU Project founder Richard Stallman. "Three more related bugs have been found, and there are likely more to be found later. The cause isn't that a programmer made a mistake, but that there is a systematic failure in the code - it's obsolete, having been written to the standards of 1984 rather than 2014."

What's needed, in other words, is a code overhaul, and the GNU Project has promised to pursue this. "Development of Bash, and GNU in general, is almost exclusively a volunteer effort," says Sullivan at the Free Software Foundation. "We are reviewing Bash development to see if increased funding can help prevent future problems. If you or your organization use Bash and are potentially interested in supporting its development, please contact us."

How did the Bash bugs go unnoticed for more than 20 years? "The flaws in Bash were in a quite obscure feature that was rarely used; it is not surprising that this code had not been given much attention," Red Hat's Sidhpurwala says. "When the first flaw was discovered it was reported responsibly to vendors who worked over a period of under two weeks to address the issue."


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.