Security experts are issuing critical warnings to Linux, Unix and Mac OS X users over a new vulnerability called Shellshock that rivals the devastating Heartbleed bug.
Shellshock allows attackers to take control of vulnerable systems through Bash (the Bourne-Again SHell), the command-line shell built into Linux, many Unix systems and Mac OS X. Experts estimate that more than 500 million computers could be affected.
The US Computer Emergency Readiness Team (US-CERT) issued a warning late Wednesday about the bug, urging system administrators to apply patches. US-CERT today posted links to OS updates for CentOS, Debian, Red Hat and Ubuntu.
As of this writing, Apple has not released updates for Mac OS X to address the issue; however, upstream patches for Bash 3.2, the version shipped with Mac OS X 10.9, are available.
Justin Flynn, a consultant and network security specialist with Chicago-based solution provider Burwood Group, said Shellshock, like Heartbleed, can give attackers direct access to a system. "We are taking Shellshock very seriously and making sure we get accurate information and patches out to our customers," Flynn said.
At the heart of the vulnerability is the way Bash parses its environment. A variable whose value begins with the characters "() {" is imported as a function definition, and vulnerable versions go on to execute any commands that follow the function body. A web server that runs CGI scripts copies request data such as HTTP headers into exactly these variables before invoking the script, so an attacker who can send an HTTP request to a CGI-backed server can place data in the environment that Bash will execute. Andy Ellis, the chief security officer of Akamai Technologies, wrote in a blog post that applications which hand outside data to a shell in this way, a web server invoking a CGI script over HTTP being the obvious case, can be exploited and the server compromised.
"This vulnerability may affect many applications that evaluate user input, and call other applications via a shell," Ellis wrote. He added that in the worst case such applications call their scripts with root permissions, which would give an attacker complete control of the server.
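The check a practitioner would run against the path just described, as an added example that is not code from the article or from any of the vendors quoted in it. It reproduces what a CGI gateway does with a request header (the raw User-Agent value lands in the HTTP_USER_AGENT environment variable of the script's interpreter) and reports whether the local bash executes the command that follows a function definition. The variable name and marker string are this example's own choices; the payload only echoes a marker and changes nothing on the system.

```shell
#!/bin/sh
# Added example (not from the article): probe the local bash for the Shellshock
# environment-parsing bug the way a CGI request would reach it.

# shellshock_status: prints "vulnerable" if bash executes the command that
# follows a function definition in an environment variable, "patched" if it
# ignores it, or "no-bash" if bash is not installed.
shellshock_status() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }

    # What a malicious User-Agent header looks like once the gateway has
    # copied it into the environment: a do-nothing function body, followed
    # by a trailing command that vulnerable versions execute on import.
    payload='() { :; }; echo SHELLSHOCK_MARKER'

    # Invoke bash as a CGI gateway would, with the attacker string in its
    # environment (HTTP_USER_AGENT is the variable CGI uses for User-Agent).
    # The script body itself is harmless.
    out=$(HTTP_USER_AGENT="$payload" bash -c 'echo script-ran' 2>/dev/null)

    case "$out" in
        *SHELLSHOCK_MARKER*) echo vulnerable ;;
        *)                   echo patched ;;
    esac
}

# bash_version_line: the build that was tested, so the result can be matched
# against the vendor advisories linked above.
bash_version_line() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    bash --version 2>/dev/null | head -n 1
}

# Stand-alone usage: prints the status followed by the bash version line.
echo "$(shellshock_status) ($(bash_version_line))"
```

A "patched" result on a workstation says nothing about the servers that matter: the exposure is on hosts that run Bash-backed CGI scripts or other network-facing programs that hand request data to a shell, so the probe belongs on those hosts, after the vendor update, and alongside the advisory rather than in place of it.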
"Using this vulnerability, attackers can potentially take over the operating system, access confidential information, make changes, et cetera," wrote Tod Beardsley, a Rapid7 engineer.
Shellshock comes on the heels of Heartbleed, the critical vulnerability in the OpenSSL cryptographic library that left millions of systems open to attack. Heartbleed, disclosed in April 2014, has cost the IT industry an estimated $500 million.
With Heartbleed still in Burwood Group's rear-view mirror, raising awareness for customers to patch systems for Shellshock won't be a hard sell, Flynn said. "We've been doing a lot of webinars and outreach on Heartbleed. Now we'll be shifting in high gear for Shellshock."
Ryan Olson, director of intelligence at Palo Alto Networks, wrote in a blog post Thursday, "The good news is that this vulnerability was disclosed responsibly and patches are available for most platforms on the day of the public disclosure. The bad news is that this vulnerability is going to have a very long tail."
Olson wrote that the vulnerable Bash shell is used in the "most-popular Linux variants and every version of the software stretching back over two decades." He added that while the vulnerable Bash has been present on millions of systems, a system is only exposed if it runs an application that makes Bash reachable over the network.
PUBLISHED SEPT. 25, 2014