What is it?
The “Bash Bug,” also known as “Shellshock,” is a programming flaw that lets outsiders take control and install programs or run commands on computers and other devices. This security flaw was assigned the highest severity rating of 10 on a 10-point scale by the National Institute of Standards and Technology.
The Bash bug has been compared to the recent Heartbleed vulnerability which exposed passwords and other sensitive data to hackers by exploiting systems running Open SSL. Each of these bugs allows hackers to exploit a flaw in programming which affects millions of people.
Does it affect you?
The Bash bug can remotely execute code on systems that use Bash as their default shell. A “shell” is a program which interprets the commands and instructions from users and program. In other words, hackers can exploit the flaw to hijack a computer or device. Bash is the most prevalent command shell used by Linux and UNIX-based operating systems. Thus, the Bash vulnerability affects all Linux or UNIX servers and workstations and all types of devices with embedded Linux or UNIX operating systems including industrial equipment, power plants, municipal water systems, medical devices, routers, switches, firewalls, security cameras and smart appliances – that are connected to the internet. Many people may not even be aware that some of the appliances they use at home or at the office have an embedded Linux operating system.
Windows systems aren’t vulnerable and modern versions of the Apple MAC operating system called OS X are only vulnerable if the user has enabled the Advanced UNIX Services. If your system is running behind a firewall, the impact should be minimal. This vulnerability is more dangerous for web servers and devices which respond to Internet commands than for home computers.
The Bash bug could also deliver malware to anyone visiting a website hosted on a compromised server. Yahoo confirmed that their games server had been compromised. Lycos and Winzip servers have also been compromised.
What can you do about it?
The solution to close this security hole is to deploy an operating system patch which updates the Bash shell. Most embedded devices do not have any simple process for patching the internal Linux operating system and thus may remain vulnerable if connected to the internet. We recommend you call the manufacturer to inquire about their plans for updating the embedded operating system.
If your system is not yet patched, beware of malicious emails that try to convince you to run a program or to phish for your login credentials, as these will allow hackers to bypass your firewall. This vulnerability highlights the need to have a real firewall, instead of just a router, even at home.
What is Stemp Doing?
Our clients use firewalls and secure remote access appliances that are Linux based. Upon learning of this vulnerability, we immediately started a program of patching all affected devices. These updates were performed during our night shift so as not to disrupt client operations during the day. In addition, we sent a security alert email to our clients to inform them about the vulnerability.
You can count on Stemp to promptly address these types of issues. Our philosophy is to continuously be on top of vendor patches and security updates. We believe that this is the only way to maintain security and stability, and to improve performance across the network.
If you have any questions about how this vulnerability might affect any devices you own or use, call us.
Stemp Systems has been recognized as a NSCAM champion by the National Cyber Security Alliance (NCSA) recognizing our efforts to keep you safe. This blog is an example of how we educate our users to be safe and secure.