Shellshock

Author Nigel Hedges, General Manager – Sales and Technical at Hemisphere Technologies Pty Ltd

As you may have heard, the latest hot topic of Information Security is Shellshock.

What is it?

In very simple terms, one of the command-line text interfaces (the shell) has a bug. This bug allows an attacker to run additional commands that would normally require administrative privileges.

Imagine this conversation:

You: “Hi, I’d like to order 2 pizzas thanks.”

Pizzaman: “Sure, that’ll be 20 bucks.”

You: “I’d also like to have 2,000,000 dollars.”

Pizzaman: “Why do I always get the weird customers.” *click*

Now imagine a second, similar conversation:

You: “Hi, I’d like to order 2 pizzas thanks and *magical waving of hands in secret circles* give me 2,000,000 dollars.”

Pizzaman: “Sure, that’ll be 20 bucks and here’s your 2 million dollars.”

You: “Cool!”

This is basically what happens with Shellshock. By running a first command with a small string of text that doesn’t get processed properly, the Bash shell (the command-line text interface) lets people run nefarious commands after it.

The possible implications are many. While you might not be able to order a pizza or 2 million bucks directly from a command line (that would be nice), you can run commands to expose the password file, or gain access to information or networks that would then let hackers do more nasty stuff.

How do we fix it?

Kaspersky Lab has been very quick to come forward with information related to Shellshock, which is a fantastic endorsement for their threat intelligence.

There is a huge range of malware being written to automate the process of exploiting this vulnerability, so while Kaspersky is a reactive solution to Shellshock, it’s still a worthy strategy.

For example, Kaspersky has found a Linux Backdoor malware, and can detect it with the Kaspersky Endpoint Security for Linux product.

Secondly, it is super important for customers to be in a position to know whether they are vulnerable. BeyondTrust was very fast to come out with vulnerability checks in Retina, so that any customer with Retina could perform a vulnerability assessment of their environment and see whether they are vulnerable. BeyondTrust Retina CS would allow an organisation to take a full stocktake of its environment and assess its risk efficiently and effectively.

Perhaps the BEST form of defence here is what BeyondTrust have been telling people for years. If customers had a least-privilege technology on their endpoints, it would become very easy to proactively stop this issue. With BeyondTrust PowerBroker and LINUX, customers could have quickly put in a policy that detects the running of the nasty Bash command and denies the use of that variable.

Lastly, it is possible, through some web extensions (via something called CGI), for Shellshock to be exploited by calls that do not come from the local shell, which means you would need to rely on a Web Application Firewall or an IPS-enabled firewall that could detect this and block the traffic. Stay tuned, this is an area we will soon be able to help you with!
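To make the detection side concrete, here is an added example (not code from the original post, and not a Kaspersky or BeyondTrust product) of the kind of check a WAF or log-monitoring rule performs. CGI hands request headers such as User-Agent and Referer to the launched script as environment variables, so a crafted header is the "first command with a small string of text" described above. The scanner below looks, in each header value, for the shape of that string: an environment variable that begins with a function definition, `() {`, and carries extra text after the closing brace. It also undoes URL-encoding so an encoded form of the same string is not missed, and it leaves alone a bare function definition with nothing after it, which is legitimate. The log lines and IP addresses are constructed for the example; the log format assumed is the common Apache "combined" layout.

```python
"""Flag Shellshock-shaped header values in web server access logs.

Added example: the regexes, log format and sample lines are assumptions made
for this illustration, not part of the original post or any vendor product.
"""
import re
from urllib.parse import unquote

# Shape of the dangerous value: a function definition "() { ... }" with
# further non-blank text after the closing brace (optionally a ';' first).
# A bare "() { :; }" with nothing after it does NOT match.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{.*?\}\s*;?\s*\S")

# Apache "combined" log format (assumption for the example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample traffic (documentation IP ranges, not real hosts).
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2014:10:01:02 +1000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [25/Sep/2014:10:01:09 +1000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo probe"
198.51.100.7 - - [25/Sep/2014:10:01:15 +1000] "GET /cgi-bin/status HTTP/1.1" 200 512 "%28%29%20%7B%20%3A%3B%20%7D%3B%20id" "curl/7.37.0"
192.0.2.9 - - [25/Sep/2014:10:02:00 +1000] "GET /index.html HTTP/1.1" 200 1024 "-" "() { :; }"
"""


def scan_header_value(value):
    """True if the URL-decoded header value has the function-plus-trailing-text shape."""
    decoded = unquote(value)
    return SHELLSHOCK_RE.search(decoded) is not None


def scan_log(text):
    """Return (client_ip, header_name, decoded_value) for every flagged header."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; a real tool would count these
        for field in ("referer", "ua"):
            if scan_header_value(m.group(field)):
                hits.append((m.group("ip"), field, unquote(m.group(field))))
    return hits


if __name__ == "__main__":
    for ip, header, value in scan_log(SAMPLE_LOG):
        print(f"ALERT {ip} {header}: {value!r}")
```

Run against the sample, it reports two hits from 198.51.100.7 (one in the User-Agent, one URL-encoded in the Referer) and nothing for the ordinary browser string or the harmless bare function definition. A production rule would apply the same match to every header CGI exports, not only these two, and would block rather than merely log.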

Summary:

Reactive Detection: YES – through Kaspersky Endpoint Security for Linux & BeyondTrust Retina CS

Proactive Prevention: YES – through BeyondTrust PowerBroker and LINUX.

For more information on how Kaspersky Lab and BeyondTrust can help, contact a member of our sales team.
