Technology vendors Cisco, Oracle, Juniper Networks and others are pushing out security updates to customers to address a critical vulnerability in the Bash shell used by Linux and Unix systems, a flaw that can give attackers remote code execution and complete control of critical systems.
The Bash command-line interpreter vulnerability has been patched, but early patches to networking gear and other systems and applications may not have completely sealed off the weakness from attackers, security experts say. The Shellshock vulnerability and three other related bugs received a score of 10 on the Common Vulnerability Scoring System, the highest score possible, indicating that the flaw is easily exploitable and that working exploit code is publicly available. It affects every version of GNU Bash through 4.3.
Bash (the Bourne Again Shell) is embedded in a wide variety of appliances, virtual services and networking gear and can be triggered remotely once network probing finds a vulnerable system behind a web application, solution providers warn: any component that copies attacker-supplied input into an environment variable before launching Bash, such as a CGI script receiving HTTP request headers, can deliver the payload. Until updates are available, security vendors tell users to implement intrusion prevention and detection signatures to detect and block attempts to exploit the vulnerabilities. System administrators have been busy applying workarounds and security updates issued by a wide variety of vendors.
Service providers should be assisting clients in identifying impacted products and adding signature detection to devices, said Rob Kraus, director of research at Omaha, Neb.-based managed security services provider Solutionary, a subsidiary of NTT Group.
"This is definitely something that is very fluid and should be closely monitored," Kraus told CRN. "Every company should have their patching processes in motion."
Some solution providers told CRN that some IPS signatures have a high degree of false positives.
According to Solutionary, the top five devices identifying attempts to exploit the vulnerability include Sourcefire and networking gear that supports Snort IPS signatures, and appliances from Palo Alto Networks, Check Point, Symantec and Juniper Networks. Security experts have compared the Shellshock threat to the widespread Heartbleed OpenSSL vulnerability. If successful, an attacker can crash a system, run a variety of malware on it, pivot to servers containing more sensitive data, or obtain credentials as a valid user on the network.
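The trigger described above (a crafted request header reaching Bash through an environment variable) and the signature approach, with the false-positive trade-off solution providers mention, as an added Python example that is not from the article or from any vendor named in it. The probe runs the widely published test string for CVE-2014-6271 against the local Bash, which only echoes a marker; the marker name, the regexes and the Apache-style log lines are constructed for this example.

```python
"""Shellshock: local Bash probe and a log-line detector (added example)."""
import re
import shutil
import subprocess

# Pre-patch Bash treats any environment variable whose value starts with
# "() {" as an exported function definition and keeps parsing, and running,
# whatever follows the closing brace.  A CGI web server exports request
# headers such as User-Agent into the environment of the script it launches,
# so a crafted header reaches Bash unchanged.


def probe_local_bash(bash=None):
    """Return 'vulnerable', 'patched' or 'no-bash' for the local interpreter.

    The payload is the well-known public test string; it only echoes a marker.
    """
    bash = bash or shutil.which("bash")
    if not bash:
        return "no-bash"
    env = {"PATH": "/usr/bin:/bin",
           "x": "() { :;}; echo SHELLSHOCK-MARKER"}   # marker name constructed
    out = subprocess.run([bash, "-c", "echo done"], env=env,
                         capture_output=True, text=True, timeout=10).stdout
    return "vulnerable" if "SHELLSHOCK-MARKER" in out else "patched"


# Combined log format: ip ident user [time] "request" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Loose signature: "()" anywhere in the line.  Cheap, but it fires on ordinary
# traffic such as a search query containing parentheses.
LOOSE = re.compile(r"\(\)")
# Tight signature: the exported-function prefix the vulnerable importer looks
# for, anchored at the start of a header value (the only place it triggers).
TIGHT_PREFIX = re.compile(r"^\(\)\s*\{")

# Constructed sample log lines (documentation-range addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/32.0"',
    '198.51.100.9 - - [25/Sep/2014:10:01:07 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 0 "-" "() { :;}; /bin/ping -c 1 198.51.100.9"',
    '198.51.100.9 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" '
    '200 0 "() { test;}; echo; /bin/bash -c id" "curl/7.37.0"',
    '203.0.113.7 - - [25/Sep/2014:10:02:00 +0000] "GET /search?q=foo() HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"',
]


def count_loose(lines):
    """Number of lines the loose signature would alert on."""
    return sum(1 for line in lines if LOOSE.search(line))


def scan(lines):
    """Return (client ip, header name, header value) for each tight-signature hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # unparsable line: skip, do not alert
        for field in ("referer", "ua"):
            if TIGHT_PREFIX.match(m.group(field)):
                hits.append((m.group("ip"), field, m.group(field)))
                break
    return hits


if __name__ == "__main__":
    print("local bash:", probe_local_bash())
    print("loose alerts:", count_loose(SAMPLE_LOG), "of", len(SAMPLE_LOG))
    for ip, field, value in scan(SAMPLE_LOG):
        print(f"tight hit from {ip} in {field}: {value}")
```

On the four constructed lines the loose pattern alerts three times, once on the harmless search query, while the anchored pattern flags only the two CGI requests. A real CGI front end also exports the query string and cookies into the environment, so a production detector should apply the same anchored check to every request field the server forwards, not only the two headers the combined log format records.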
Stuart Maskell, of San Diego-based managed services provider NWTech, told CRN that his firm has reached out to clients about the vulnerability. Most users have identified impacted solutions and are implementing workarounds to reduce the attack surface, ensuring signatures can detect threats as well as deploying security patches when they become available, Maskell said.
Red Hat and nearly all other Linux distributions are impacted by the vulnerability. Apple was also impacted and issued a security update fixing the flaws. Cisco Systems identified dozens of networking devices, firewalls and other gear that are impacted by the vulnerability. Users of networking gear from Fortinet, F5 Networks, Dell, Check Point, Blue Coat and Barracuda Networks are also impacted by the flaw.
Juniper Networks rushed out updates for its SSL VPN, UAC, MAG and SA series networking gear last week. The company's latest update for its network security manager appliances was issued on Tuesday.
McAfee is investigating its products. The company is still developing security updates to address the flaw identified in its Stonesoft next-generation firewall, its email and web gateway appliances and its SSL VPN. The company urged users of its next-generation firewall to apply signatures to detect attacks targeting it and warned that an attack can execute malicious code as root, gaining complete control of the appliance.
Oracle also issued an out-of-band security update, patching its database management system appliances, its storage server Solaris and Virtual Compute Appliance software. The company's security engineering team is still developing and testing security patches for more than 40 other products, including its Big Data appliance, channel switches, Cloud Gateway and Fusion Applications management tools.
Hewlett-Packard's security response team issued an alert on Sunday about Shellshock and released an update addressing vulnerabilities identified in HP NonStop Servers that run the Bash shell. IBM also issued an advisory, warning customers that its WebSphere Application Server, which is based on Apache, also contains the flaws.
VMware issued security updates for versions 4 and 4.1 of its hypervisor software, older versions that are past their support date. More than 30 vSphere, vCloud and other virtual appliances are also impacted by the flaw. The company updated its advisory Monday to warn users that the current patches do not fully address the issue.
"The current patches and fixes offered do not yet fully address the many existing attack vectors, and the situation requires further investigation to arrive at a consolidated fix and remediation plan," VMware said. "VMware is working on this investigation around the clock internally and with its partners/suppliers. VMware's goal is to provide customers with a comprehensive fix that is reliable and efficient."
U.K.-based security vendor Sophos is still working on a security update for its line of email and web appliances and the Sophos UTM, which ship with Bash. Sophos Antivirus for vShield is also impacted, the company said, adding that its engineers are confident that, despite the affected component being present, the Shellshock vulnerability can't be exploited in any Sophos product.
"As a matter of good security practice, we will be updating the various Sophos-supplied versions of Bash as soon as a stable and effective patch is available from the Bash maintainers," the company said in its advisory.
PUBLISHED SEPT. 30, 2014