Bish Bash Bosh!

The release of CVE-2014-6271 has set the security industry and mainstream media ablaze with chatter about the scale and impact of this vulnerability. Unlike Heartbleed, which affected a specific piece of vendor software (albeit widely distributed and repacked), vulnerabilities in Bash present a much bigger problem. Bash is much more widespread and so it may be very hard for an organisation to identify. Especially when considering the number of embedded devices with web interfaces and so on.

While the details and impact of this event are still being discussed, the main focus is on websites that make CGI calls and parse variables to the bash shell. Other instances of malicious code execution have been speculated with rogue DHCP servers when an OS calls a bash based script like dhclient. Effectively anything where a variable is parsed to bash could become a target for an attacker.

What to do?

Vendor patches for nearly all major OSes and web servers will likely be published within the next 12 hours. If you work in an organisation with significant procedural controls, now would be a good time to raise an emergency change request. If you can apply patches reasonably easily then keep an eye on your major vendor's websites to get the patch. Obviously rushed patching is never an ideal situation, so continue to monitor the patch releases in case the interim patch causes other issues.

While waiting for a patch - some IDS and IPS vendors have released attack signatures that can detect the attack footprint, so check to see if your network defences are up to the job and monitoring the right parts of your network.

The other obvious and slightly more extreme solution is to take vulnerable systems offline if they are not business critical, or at least hide them from the internet or apply some ACLs to reduce the exposure of (potentially) vulnerable systems.

This vulnerability raises a lot of questions about open source software and the fundamental building blocks of modern (and legacy) operating systems.