
'Bigger than Heartbleed': Bash bug could leave IT systems in shellshock

Just months after Heartbleed made waves across the Internet, a new security flaw known as the Bash bug is threatening to compromise everything from major servers to connected cameras.

By Claire Reilly and Steven Musil


A new security vulnerability known as the Bash or Shellshock bug could spell disaster for major digital companies, small-scale Web hosts and even Internet-connected devices.

The quarter-century-old security flaw allows malicious code execution within the bash shell (commonly accessed through Command Prompt on PC or Mac's Terminal application) to take over an operating system and access confidential information.

A post from open-source software company Red Hat warned that "it is common for a lot of programs to run Bash shell in the background," and the bug is "triggered" when extra code is added within the lines of Bash code.

Security expert Robert Graham has warned that the Bash bug is bigger than Heartbleed because "the bug interacts with other software in unexpected ways" and because an "enormous percentage" of software interacts with the shell.

"We'll never be able to catalogue all the software out there that is vulnerable to the Bash bug," Graham said. "While the known systems (like your Web server) are patched, unknown systems remain unpatched. We see that with the Heartbleed bug: six months later, hundreds of thousands of systems remain vulnerable."

Ars Technica reports that the vulnerability could affect Unix and Linux devices, as well as hardware running Mac OS X. According to Ars, a test on Mac OS X Mavericks (version 10.9.4) showed that it has "a vulnerable version of Bash".
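The "test" Ars ran on Mavericks, and the trigger Red Hat describes above (extra text appended after a Bash function definition imported from the environment), can be reproduced locally with the self-check below. This is an added example, not code from the article or from Red Hat; it only runs a harmless echo in a bash subprocess and reports whether the bash at the given path (assumed to be the one on your PATH by default) still executes the trailing text.

```shell
#!/bin/sh
# Added example (not from the CNET article): a local self-check for the
# Shellshock environment-variable bug. Nothing on the machine is changed.
#
# Mechanism: a pre-fix bash treats an environment variable whose value
# starts with "() {" as an exported function definition and, because of
# the bug, keeps executing whatever text follows the closing brace.
# A patched bash stops at the brace and ignores the trailing text.

check_shellshock() {
    bash_bin="${1:-bash}"            # path to the bash binary under test
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no-bash"
        return 2
    fi
    marker="SHELLSHOCK_MARKER_$$"     # unique string so output is unambiguous
    # The text after "};" is what a vulnerable bash runs while importing
    # the variable; here it merely echoes the marker.
    out=$(env "x=() { :; }; echo $marker" "$bash_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *"$marker"*) echo "vulnerable"; return 1 ;;
        *)           echo "patched";    return 0 ;;
    esac
}

# Print the verdict next to the bash version string so an administrator
# can record which build was checked.
report() {
    result=$(check_shellshock "$1" || true)
    ver=$("${1:-bash}" --version 2>/dev/null | head -n 1)
    echo "$result: ${ver:-bash not found}"
}

report "$@"
```

Run it as `sh check.sh` or `sh check.sh /bin/bash`; a verdict of "vulnerable" means the bash at that path needs the vendor patch before anything that passes untrusted input into the environment (CGI handlers, DHCP clients, SSH forced commands) is allowed to reach it.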

Graham warned that the Bash bug was also particularly dangerous for connected Internet-of-things devices because their software is built using Bash scripts, which are "less likely to be patched...[and] more likely to expose the vulnerability to the outside world". Similarly, Graham said the bug has existed for a "long, long time", meaning a great number of older devices will be vulnerable.

"The number of systems needing to be patched, but which won't be, is much larger than Heartbleed," he said.

The Heartbleed bug, the major security vulnerability revealed in April, was introduced into OpenSSL more than two years ago, allowing random bits of memory to be retrieved from impacted servers. Security researcher Bruce Schneier called the flaw "catastrophic".

"On the scale of 1 to 10, this is an 11," he said, estimating that half a million websites were vulnerable.

Patching the shell

Tod Beardsley, an engineering manager at security firm Rapid7, warned that even though the vulnerability's complexity was low, the wide range of devices affected requires that system administrators apply patches immediately.

"This vulnerability is potentially a very big deal," Beardsley told CNET. "It's rated a 10 for severity, meaning it has maximum impact, and 'low' for complexity of exploitation -- meaning it's pretty easy for attackers to use it.

"The affected software, Bash, is widely used so attackers can use this vulnerability to remotely execute a huge variety of devices and Web servers. Using this vulnerability, attackers can potentially take over the operating system, access confidential information, make changes etc. Anybody with systems using bash needs to deploy the patch immediately."

After conducting a scan of the Internet to test for the vulnerability, Graham reported that the bug "can easily worm past firewalls and infect lots of systems", which he says would be "'game over' for large networks". Like Beardsley, Graham said the problem needed immediate attention.

"Scan your network for things like Telnet, FTP, and old versions of Apache (masscan is extremely useful for this). Anything that responds is probably an old device needing a Bash patch. And, since most of them can't be patched, you are likely screwed."

Updated at 5:22 p.m. AEST to include initial background on the Bash bug.