We can’t agree on a name, but we can agree it’s a big deal.
What is this thing?
Many are saying this vulnerability could be bigger than Heartbleed. From my perspective, Heartbleed was a bit more troubling because of the component affected and the massive deployment of SSL. Bash is present on most *nix systems, and having a vulnerable Bash makes the host vulnerable, but not necessarily remotely exploitable. Additional conditions are needed to compromise the host remotely: basically, you need a way to get attacker-controlled data into the environment of a process that starts Bash, so that Bash ends up executing your commands.

It's not just *nix. Andy Rappaport, Chief Architect here at Core Security, pointed out that the vulnerability also shows up in a couple of older Windows-based development environments, MSYS and Cygwin. Those should be upgraded too, but they are not a remote exploit threat.

While this may not be as widespread as Heartbleed, in the situations where the Bash Bug can be exploited the consequences can be much more severe. As another colleague, Alberto Soliño, noted this morning, Heartbleed was worrying because it could expose secrets; this one lets attackers execute code on the vulnerable system, and once you know how to trigger the vulnerability, exploitation is extremely easy.
Patch, patch, patch…
Users must patch. Some folks are recommending that users check whether or not they are running CGI, but that is absolutely not enough. C++, Python, PHP and any other application that makes Bash calls is affected, including applications that reach Bash indirectly through system() or popen() on systems where /bin/sh is Bash. Other services, such as DHCP clients and SSH with a restricted shell, may also be affected, not only from a remote-attack perspective but also from a local privilege-escalation one. Patches are already available for most well-known systems, or will be very soon. Some vendors published an early patch that turned out to be incomplete and had to publish a new fix today, so double-check that yours is up to date. Beyond the mainstream *nix distributions, companies will face significant challenges if they need to patch old systems, or embedded devices such as cameras, routers and ICS equipment, if those run Bash. Fortunately, that shouldn't be too common: Bash is usually too heavy for such systems, which tend to ship a lighter shell instead.
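To make the two points above concrete (that the attacker only needs a way to get data into the environment of a process that starts Bash, and that any application spawning Bash is therefore exposed, CGI or not), here is an added example. It is not code from this post or from Core Security's Impact modules. It assumes the standard CGI convention of copying request headers into the child environment as HTTP_<NAME>, assumes `bash` is on PATH for the live probe, and uses a constructed HTTP request rather than a captured one. The local probe is the widely published one-line check (`env x='() { :;}; echo vulnerable' bash -c "echo test"`) driven from Python.

```python
"""Shellshock mechanics: how a request header reaches Bash, and a local probe.

Added example, not Core Security's code. Assumes a CGI-style gateway that
copies HTTP headers into the child environment as HTTP_<NAME>, and that
`bash` is on PATH for the live probe. The request below is constructed.
"""
import os
import shutil
import subprocess

# Prefix an unpatched Bash looked for when deciding whether an environment
# variable holds an exported function definition. Everything after the
# closing brace was parsed and executed too; that trailing part is the bug.
FUNCTION_EXPORT_PREFIX = "() {"


def is_function_export(value: str) -> bool:
    """True if Bash would try to import this value as a function."""
    return value.startswith(FUNCTION_EXPORT_PREFIX)


def cgi_environ(headers: dict) -> dict:
    """Map HTTP headers to CGI environment variables the way a gateway does:
    'User-Agent' -> HTTP_USER_AGENT. Values are copied verbatim, which is
    exactly how attacker-controlled data lands in Bash's environment."""
    env = {}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def tainted_variables(env: dict) -> list:
    """Names of variables whose values a vulnerable Bash would execute."""
    return sorted(k for k, v in env.items() if is_function_export(v))


def scrub_environ(env: dict) -> dict:
    """Drop any variable that looks like a Bash function export before
    spawning a child. A stop-gap for hosts that cannot be patched right
    away, not a substitute for the patch."""
    return {k: v for k, v in env.items() if not is_function_export(v)}


def probe_bash() -> str:
    """Run the published one-line check against the local bash.

    Returns 'vulnerable' if the trailing command in the exported function
    ran at startup, 'patched' if only the intended command ran, and
    'no-bash' if bash is not installed.
    """
    if shutil.which("bash") is None:
        return "no-bash"
    env = {
        "PATH": os.environ.get("PATH", "/usr/bin:/bin"),
        "x": "() { :;}; echo vulnerable",
    }
    result = subprocess.run(
        ["bash", "-c", "echo probe"],
        env=env, capture_output=True, text=True, check=False,
    )
    return "vulnerable" if "vulnerable" in result.stdout else "patched"


if __name__ == "__main__":
    # Constructed request: a normal header plus a Shellshock-style payload in
    # User-Agent. The trailing /bin/id is what an unpatched Bash would run as
    # soon as the CGI handler, or anything it spawns, starts a bash.
    request_headers = {
        "Host": "www.example.com",
        "User-Agent": "() { :;}; /bin/id",
    }
    env = cgi_environ(request_headers)
    print("tainted:", tainted_variables(env))
    print("after scrub:", sorted(scrub_environ(env)))
    print("local bash:", probe_bash())
```

Note that the CGI handler itself does not have to be a shell script: a PHP, Python or C++ handler that calls system() inherits the same environment, and on a host where /bin/sh is Bash that call is enough. The scrub step shows why header filtering alone is weak: it only covers the one entry point you thought of, while the patch fixes the importer in Bash for every caller.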
What this means for Core Security customers
Two modules for Impact Pro that leverage this vulnerability have been released to customers. One uses the CGI attack through Impact's WebApp framework to remotely obtain an OS agent; the other is a verifier that runs on an existing agent to perform a quick test and determine whether the target is vulnerable.