Remember Heartbleed, which threw a heavy punch at all OpenSSL users back in April? Well, there is another criminal in town, threatening to be even more dangerous and to affect even more people. Introducing “ShellShock”, a.k.a. the “Bash Bug”: the most recent vulnerability disclosed by the Red Hat team, which threatens to make hundreds of thousands, even millions, of devices worldwide more insecure and open to hackers with malicious intent. Let us take a more detailed look at what exactly makes this SO bad.
To understand ShellShock, we first have to understand what Bash is. If you have ever heard of a “shell”, you already know that it is the program that translates your commands so that your operating system can understand them. Bash is the shell that executes those commands. Because Bash is a piece of UNIX software, every UNIX-based system is affected, which means that Linux and Mac OS will definitely be under fire. If the Heartbleed bug was said to affect something around 500 000 machines, here we are talking about 500 million! Add to that the fact that it supposedly covers all Bash versions since 4.3, and we are talking about more than two decades of vulnerability.
In the typical scenario, when a shell command needs to be executed, Bash first reads in the surrounding information it is handed, for example which software is invoking it and with what settings. This is where ShellShock strikes: it opens a doorway for hackers to slip malicious input into that hand-off, and Bash executes it, which in practice can mean taking control of the whole system. Not only that, but the attack is easy to carry out and low in complexity: if Bash is reached through CGI scripts, the attacker does not even have to authenticate.
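Since the CGI path is the one that worries a hosting company most, here is a small detection routine, added as an example and not part of the original post, that scans Apache combined-format access logs for the function-definition prefix that Shellshock-era probes placed in HTTP headers (Apache hands headers such as User-Agent and Referer to CGI scripts as environment variables, which is how they reached Bash). The log lines, IP addresses and paths are constructed for illustration.

```python
import re

# Constructed Apache "combined" log lines (not from the original post). The second
# line carries the "() {" function-definition prefix that Shellshock probes put in
# a header; the payload here is an inert echo, as many scanners used.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Sep/2014:10:01:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 312 "-" "() { :; }; echo SHELLSHOCK-TEST"
198.51.100.2 - - [25/Sep/2014:10:02:15 +0000] "GET /cgi-bin/status HTTP/1.1" 200 312 "-" "curl/7.35.0"
"""

# Combined log format: host ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Vulnerable Bash treated a variable whose value starts with "() {" as an exported
# function and ran whatever followed the closing brace. Tolerate optional spaces.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_shellshock_probe(fields):
    """True when a header Apache exports to CGI (User-Agent or Referer) carries the trigger."""
    return any(SHELLSHOCK_RE.search(fields[k]) for k in ("agent", "referer"))

def scan_access_log(text):
    """One finding per suspicious request; CGI paths are flagged because that is where Bash ran."""
    findings = []
    for line in text.splitlines():
        fields = parse_line(line)
        if fields and is_shellshock_probe(fields):
            findings.append({
                "host": fields["host"],
                "path": fields["path"],
                "cgi": fields["path"].startswith("/cgi-bin/"),
                "agent": fields["agent"],
            })
    return findings

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['host']} -> {f['path']} (cgi={f['cgi']}): {f['agent']}")
```

A hit against a non-CGI path is still worth a look, since the probe tells you someone is scanning; a hit against a CGI path on an unpatched host is the one to treat as a likely compromise.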
As a hosting company, we take ShellShock quite seriously, as Apache servers are also among the victims. A few hours after the information about the bug spread, our system administrators were already on it. Before the official patch was released, they already had a couple of solutions of their own, and all of those were deployed on our servers today. After extensive testing on all machines, we are proud to tell you that the vulnerability is gone and security is as hardened as it should be. No Heartbleeds and ShellShocks can touch you… not on our watch 🙂