In Brief: The Shellshock or “Bash Bug”

Introducing Shellshock. Also known as the “Bash Bug,” Shellshock is a flaw in a system program found on many computers called Bash, which translates typed “shell” commands into something your device can understand. It impacts Linux and Unix systems and — brace yourself — Mac OS X. Confused? Keep reading.

What is it?

The very geeky answer comes from RedHat’s Security Blog:

It is common for a lot of programs to run bash shell in the background. It is often used to provide a shell to a remote user (via ssh, telnet, for example), provide a parser for CGI scripts (Apache, etc) or even provide limited command execution support (git, etc)

A more simple explanation from Mashable:

Typically, the shell needs to check information separate from the command, such as what software is running, to do its job. What Shellshock does is open a way for hackers to add some malicious information into that process.

Then there’s the more detailed answer from James Lyne from Forbes:

“…may allow [hackers] to modify authentication information, start other programs and otherwise gain access to information they should not. It is a foothold in a device which you can use pretty creatively.” In other words, it provides access to information you don’t want unauthorized parties to access.

Why is this important to me?

There are machines, devices, and applications running Linux or Unix everywhere. Most notably, the Mac sitting on your desk or your lap, the iPhone in your pocket, the router connecting you to the Internet, and that Internet-enabled camera used to monitor goings-on at home. They may all be vulnerable. Run Microsoft Windows and think you’re immune? Think again: there may be non-Microsoft components between, for example, your Windows laptop, your Internet connection, and the online applications you use.

This is of concern because, unlike Heartbleed, exploiting the “Bash Bug” doesn’t require sophisticated skills. As Lyne explains:

The attack can be performed using nice, easy to script commands which means you don’t need to be a 31337 (sorry, I couldn’t help myself that is ‘elite’ for the uninitiated) hacker to do it. It’s actually quite easy. The code to attack (and many variants) is already widespread.

The danger comes in the poorly managed, often ignored devices it may impact.

Troy Hunt’s post points out that there “is no authentication required when exploiting Bash via CGI scripts.” He explains why this is problematic:

“getting shell” on a box has always been a major win for an attacker because of the control it offers them over the target environment. Access to internal data, reconfiguration of environments, publication of their own malicious code etc. It’s almost limitless and it’s also readily automatable. There are many, many examples of exploits out there already that could easily be fired off against a large volume of machines.

Client files and law firm data can be exposed and, given the worm-like potential, other people connecting or communicating with you may be exposed. That is problematic.

What can I do?

Check your systems for exposure, check for patches, and update your software, particularly if you use Macs in your practice.

If you’re comfortable using the command line on your Mac via the Terminal app, Ars Technica offers an easy way to check for the vulnerability:

To check your system, from a command line, type:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the system is vulnerable, the output will be:

vulnerable
this is a test

An unaffected (or patched) system will output:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
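If you manage more than one machine, it helps to wrap the Ars Technica check above in a small script that reads the result for you instead of eyeballing the output. The script below is an added example, not code from the article or from Ars Technica: it runs the same probe against the bash binary on your PATH (or one you name) and reports “vulnerable,” “patched,” or “no-bash” if bash isn’t installed at all.

```shell
#!/bin/sh
# Added example: classify a host's bash as vulnerable or patched using the
# same probe quoted in the article. The function name and the "no-bash"
# result are this example's own conventions, not anything from the article.

check_shellshock() {
    # Optional first argument: path to the bash binary to test.
    # Defaults to whatever "bash" resolves to on PATH.
    bash_bin="${1:-bash}"

    # A host without bash cannot be affected by a bash flaw.
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi

    # The probe: export an environment variable that looks like a function
    # definition with a trailing command, then start bash. A vulnerable bash
    # runs the trailing command on startup; a patched one only warns.
    output=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c "echo this is a test" 2>&1)

    case "$output" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# Usage: check the default bash, then (as an illustration) a path that
# does not exist, which should report "no-bash".
printf 'default bash: %s\n' "$(check_shellshock)"
printf 'missing bash: %s\n' "$(check_shellshock /nonexistent/bash)"
```

Run it with sh or bash on each Mac or Linux box you look after; anything that prints “vulnerable” needs the vendor update applied before it is left on the network. The classification key is simply whether the word “vulnerable” appears in the output, exactly as in the manual check.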

If you’re vulnerable, again, make sure to check Apple for patches and updates and apply them promptly.

Fluidity of Updates

This is a fluid situation, so keep an eye on the news and sites like Akamai and Errata Security.
