A Linux/Unix-based vulnerability, Shellshock, has an impact that reaches far beyond one operating system.

As with Heartbleed, Windows users can't ignore this threat. But the most difficult aspect of this outbreak is determining which devices are actually vulnerable.

A vulnerability in the Bash Linux/Unix shell

Your PC might be pure Windows, but chances are high that you have devices in your home running on Unix or Linux. I know I do — my Western Digital My Cloud networked backup drive, routers, Kindles, iPhones, and iPads all run some form of Unix/Linux. (Worse still, Unix and Linux are core operating systems on many enterprise-computing and storage systems.)

Those non-Windows devices were relatively safe from malware — until now. As has been widely reported, the GNU Project's Bourne Again Shell (Bash) was found to be vulnerable. Bash is a text-based, command-line utility or Unix shell used by numerous versions of the Linux/Unix operating systems.

If installed as the default command-line shell, Bash can make a system vulnerable to malicious remote attacks. The method of attack includes various network tools that execute scripts — from Telnet and Secure Shell (SSH) sessions to Web requests.

Unfortunately, there's no single list of Shellshock-vulnerable devices. At this point, we each need to take a survey of our Linux/Unix devices and check whether there's an update to protect us from attack. If there's no patch for a particular device, mitigating the threat could mean changing how we use the device or — as in the case of a security device such as a router/firewall — replacing it altogether.

Be aware that there are already reports of attacks against online honey pots that look for new exploits.

A long, long list of threatened systems

Here are some of the devices I know to be vulnerable to this exploit:

Operating systems: Most major Linux- or Unix-based operating systems, such as Red Hat and Ubuntu, already have patches for the initial bug. Many of those patches are listed on the National Institute of Standards and Technology's National Vulnerability Database website. (See, for example, CVE-2014-6271.) Unfortunately, many of those initial updates didn't cover a secondary bug — CVE-2014-7169 — also being tracked at the NIST site.

If you're running any Linux distribution, there's a command you can enter to check whether your system is running Bash by default and thus is vulnerable. As noted in a Bobcares blog, enter the following at the command prompt:

    # env x='() { :;}; echo Server is vulnerable' bash -c "echo"

If the command returns a "Server is vulnerable" message, be forewarned.

Network-attached storage: If you have a NAS device, it's running some sort of operating system — though exactly what type can be difficult to tell. According to a Neowin post, NAS devices from QNAP and Synology are potentially vulnerable to Shellshock. Moreover, my home backup device of choice, the Western Digital My Cloud, is also vulnerable, according to a WD forum post. If you're using any NAS drive that's accessible via the Internet, I recommend disabling remote access immediately. Leave it turned off until you've either installed an update or determined that your particular device was never vulnerable to Shellshock.

Turning off remote access should be easy. For example, following instructions on a WD knowledge-base page, I signed in to the My Cloud's admin console and opened the settings tab. I then went to the "Cloud Access" section and switched it off.

Apple devices: Continuing my survey of personal Linux/Unix devices threatened by Shellshock, I considered my Apple MacBook notebook and my iPhone. An Apple Support forum post has a long and fairly technical discussion about Bash vulnerabilities in OS X. Simply put, if you're not using an Apple system as an Internet server — i.e., you're not giving direct, remote access to the system — you're not vulnerable to Shellshock. That said, Apple has already released OS X Bash Update 1.0, according to a company support page. The patch applies to Lion v10.7.5, Lion Server v10.7.5, Mountain Lion v10.8.5, and Mavericks v10.9.5.

Keep in mind that any prior version of OS up to and including Snow Leopard will not get updates and will remain vulnerable. But again, that's only if you've set up the machine as a webserver or have enabled additional Unix capabilities.

Firewalls and routers: As noted in a 2012 SANS Institute white paper, "Exploiting embedded devices," the vast majority of home routers run BusyBox for their Unix tools. That makes those devices safe from the Bash bug. However, that's not the case for some small-business firewalls provided by Cisco. The company has documented which devices are vulnerable to the Bash bug.

Androids: For consumers, there's more good news. Android devices ship with a variation of the Almquist shell — another form of Unix that's not threatened by Shellshock. Which means anyone using an Android phone or tablet is not at risk. (That's good, because Android operating systems are customized by device manufacturers; you can't simply go to Google's site to download a universal update.)

Shellshock: More smoke than fire for consumers

When I read the first reports on the Bash bug, I immediately assumed the worst: we'd all have to toss out our routers and buy new ones. Fortunately, that's not the case. Our routers — the first line of defense against Internet threats — are not likely to succumb to Shellshock exploits. Nor do we have to worry about attacks on our Android and Apple phones — at least not Bash-related hacks.

Those of us with home/small-business, cloud-enabled NAS devices are, however, potentially at risk. As noted above, switch off remote access until there's an update from your NAS vendor.

So who is vulnerable to Shellshock? Mostly, it's enterprise systems that rely heavily on Linux- and Unix-based services. It was originally predicted that at least half of all websites could be compromised. Fortunately, quick action by IT admins and various updates have undoubtedly reduced the threat. The most vulnerable devices now are those that never get updated.

Still, there's an important lesson from the Shellshock debacle. All our digital devices are potentially vulnerable to attack — no matter what operating system they run on. It's a problem that extends far beyond our computers, phones, and other electronic peripherals. Security systems, cars, planes, and countless other things we rely on daily have embedded software. All that code has vulnerabilities that could, sooner or later, be exploited. It's not a question of whether but when.

Keep all your devices fully updated.

Susan Bradley
I was under the delusion that as new operating systems came to fruit they had new drivers etc. created that rendered some of these issues null and void, but it seems there's holes in nearly everything and all just waiting to be exploited for giggles or cash.
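
The check quoted in the article, wrapped as a small local survey script (an added example, not part of the original posts or the Bobcares blog). The function names and the list of candidate paths are assumptions made for illustration; it runs only the CVE-2014-6271 probe from the article and does not test for the secondary CVE-2014-7169 bug.

```shell
#!/bin/sh
# Added example: local Shellshock survey built around the probe quoted in the article.
# probe_shell, survey and the candidate path list are illustrative names, not a standard tool.

MARKER='Server is vulnerable'

# probe_shell PATH -> prints "absent", "vulnerable" or "not-vulnerable"
probe_shell() {
    shell_path=$1
    if [ ! -x "$shell_path" ]; then
        echo absent
        return 0
    fi
    # Same probe as the article: an environment variable holding a function
    # definition followed by a trailing command. A fixed Bash, or a non-Bash
    # shell such as BusyBox ash or dash, treats it as a plain string.
    out=$(env x="() { :;}; echo $MARKER" "$shell_path" -c 'echo' 2>/dev/null)
    case $out in
        *"$MARKER"*) echo vulnerable ;;
        *)           echo not-vulnerable ;;
    esac
}

# survey -> one line per shell found: path, what it resolves to, probe result.
# /bin/sh is included because the risk is highest when Bash is the default shell.
survey() {
    for candidate in /bin/sh /bin/bash /usr/bin/bash /usr/local/bin/bash; do
        [ -e "$candidate" ] || continue
        target=$(readlink -f "$candidate" 2>/dev/null || echo "$candidate")
        printf '%s -> %s: %s\n' "$candidate" "$target" "$(probe_shell "$candidate")"
    done
}

survey
```

A "not-vulnerable" result for /bin/sh on a router or Android device is the expected outcome the article describes for BusyBox and Almquist-derived shells.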