Could Shellshock be worse than Heartbleed?



When the Heartbleed vulnerability was revealed, government agencies, financial institutions, health care organizations and even regular folks worried that it would be the end of privacy and security online. An accidental flaw introduced into SSL encryption meant to speed up transactions inadvertently also allowed attackers to sniff out drips of information, or bleeds, from supposedly secure connections and use that information to ferret out access to even the most secure sites. But Heartbleed is so last April. Today, it’s all about Shellshock.

Image caption: Shellshock, like Heartbleed, was discovered by a data scientist.

Like Heartbleed, Shellshock is a vulnerability, not a virus. It wasn’t created with malicious intent, though it could become the baseline for any number of attacks. And like Heartbleed, it was discovered by a data scientist and then later shared with the world at large, though it’s unknown whether the hacking community previously knew about it. When telecom specialist Stéphane Chazelas discovered the original vulnerability (there are actually several related problems), he allegedly wanted to call it Bashdoor. But it eventually got called Shellshock.

Shellshock is so named because it grants shell access to a computer running a program called Bash (which is also why Chazelas wanted to call it Bashdoor). It was discovered on Sept. 10, and the public was told about it a couple weeks later. The reason it’s so dangerous is because Bash goes back a really long time. People have been using it since 1992, and every single version of Bash is vulnerable to Shellshock up until last week when companies began to frantically release patches to plug the hole.

Bash is a Unix and Linux shell, the command interpreter you use to run commands on those operating systems, whether at a local terminal or over a remote session. There are other shells out there, but Bash is the most popular, as it’s the default shell in most Linux flavors, including Red Hat Enterprise Linux, CentOS, Fedora, Debian and Ubuntu, as well as in Apple’s Mac OS X. Bash is also commonly used to run CGI scripts on Web servers, especially those running Apache. Given that Apache servers make up about 60 percent of all Web servers in the world, that’s a pretty big deal. So by potential volume alone, Shellshock is likely a bigger threat than Heartbleed. It just doesn’t directly affect most personal computers.

Bash is not typically installed in either a Microsoft Windows desktop or server environment. So if you are running Windows in any form and haven’t directly installed Bash, you are safe from direct attack. Home users with computers or portable devices running OS X were likely technically vulnerable, though it’s doubtful that a home PC would have been an early target for the Shellshock vulnerability when there are so many more juicy targets out there. Even so, Apple released two patches (the first one didn’t totally fix the problem) to plug the Bash holes.

Shellshock works because of how Bash handles a function definition that begins with the characters “() {”. When such a definition reaches Bash through an environment variable (which is how a Web server hands request data to a CGI script), a vulnerable Bash doesn’t stop at that benign definition but instead parses the entire string: it continues to read, and more importantly execute, any trailing commands placed in the same string after the definition. That means unauthorized users can tell a server to execute commands, which it will follow. It also means that it’s relatively simple to automate a process to find computers that are vulnerable to Shellshock, because attackers can spam requests out ordering vulnerable systems to identify themselves. The ones that answer can later be attacked.
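As an added example (not from the original article), here is a small Python scanner that flags Shellshock probe attempts in Apache combined-format access logs by looking for the “() {” function-definition prefix in the request, Referer and User-Agent fields, the values a CGI server exports into a script’s environment. The log lines are constructed for illustration.

```python
import re
from typing import Dict, List, Optional

# A Shellshock probe places a Bash function definition, "() {", in a request
# field that the server will pass to a CGI script as an environment variable.
# The pattern tolerates the spacing variants seen in probes and captures what
# follows the closing brace: that trailing text is the command the probe hopes
# a vulnerable Bash will execute.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{[^}]*\}\s*;?\s*(?P<trailing>.*)")

# Apache "combined" log format; the last two quoted fields are Referer and User-Agent.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def scan_line(line: str) -> Optional[Dict[str, str]]:
    """Return a hit record for one log line, or None if it is clean/unparseable."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    for field in ("req", "referer", "ua"):
        hit = SHELLSHOCK_RE.search(m.group(field))
        if hit:
            return {
                "ip": m.group("ip"),
                "field": field,
                "payload": hit.group("trailing").strip(),
            }
    return None


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Scan many lines; keep only the ones carrying a Shellshock-style probe."""
    return [r for r in (scan_line(line) for line in lines) if r]


# Constructed sample log lines (not real traffic): a probe in User-Agent, a
# benign request, and a probe with different spacing hidden in Referer.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"',
    '198.51.100.9 - - [25/Sep/2014:10:02:15 +0000] "GET /index.html HTTP/1.1" 200 4096 "http://example.com/" "Mozilla/5.0"',
    '203.0.113.6 - - [25/Sep/2014:10:03:44 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 300 "(){ :; }; echo shellshock" "curl/7.37.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} probe via {hit['field']}: {hit['payload']}")
```

Any hit is worth correlating with the patch status of the host and the CGI scripts it exposes; a probe that got a 200 response is not proof of compromise, only that the request reached a CGI endpoint.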

Once shell access is gained, a compromised server can be told to do many different tasks, like to become part of a botnet for example, shooting pings or requests out as part of a denial of service attack. Clever attackers could even string together an elaborate series of commands to do things like ordering a server to dump user and password files back to an attacker, potentially using shell access to gain root access — and total control — of the machine. For a Web server, Shellshock could also be an access point for an old-fashioned code injection attack, placing malware on reputable websites running off that machine. And that is where everyone else in the world suddenly becomes vulnerable, not to Shellshock specifically, but to all those secondary threats that could suddenly pop up on trusted websites.

Most of the main Web hosting services have already patched their systems, and one would hope that every government agency has plugged those obvious holes as well. However, I predict that there will be a second wave of Shellshock-based attacks aimed at devices that nobody really expects to be vulnerable to it. Consider that any type of smart device, or even the billions of those that belong to the so-called Internet of Things, could be running an embedded version of Linux that includes Bash and thus be vulnerable. The number and types of devices in that category are staggering. They could be anything from a firewall to a router to a toaster. Administrators have reported finding the Shellshock vulnerability in things like their building’s temperature control sensors and even their automatic door locks, all of which are likely networked these days.

Once attackers find that most of the Web servers have been patched, they will move on to those odd but potentially dangerous secondary targets, some of which aren’t even generally thought about as true computing devices. Many of those secondary devices actually physically touch people in some way, so the potential for mischief, injury or even worse is a real possibility. If enough people get locked into their buildings or find that their fire suppression systems have either been disabled or ordered to discharge, it may sour folks to the idea of having the number of smart sensors and devices growing exponentially every year. And those dangers do not even take into account the devices serving critical functions like regulating the flow of chemicals inside pipelines, monitoring assembly lines or literally helping the trains to run on time.

I don’t want to cause a panic. But Shellshock is a real threat, potentially much greater than the better-advertised Heartbleed vulnerability, and the only way to stop it will require lots of manual labor hunting down and patching those billions of devices that could potentially be vulnerable to it. As such, Shellshock will still be a security issue and a danger for many years after Heartbleed has been relegated to a mere footnote in history.
