A critical vulnerability in the command-line interpreter used by most Linux and Unix distributions, one that also affects Apple Mac OS X systems, is being actively targeted in the wild, according to security experts, who are urging IT administrators to deploy patches to repair the dangerous weakness.
The GNU Bash shell vulnerability enables a remote attacker to execute malicious code when the command-line interpreter is invoked, and can be targeted in a variety of systems and devices that run Linux.
North American solution providers told CRN US that their systems are already identifying attempts to probe client systems for exposure to it. Exploit code has been added to the Metasploit attack toolkit, a sure sign that cybercriminals could attempt to gain access to sensitive systems to launch a denial-of-service attack, bringing applications to a halt, experts said.
Security industry experts are warning that the risk posed by the dangerous threat exceeds that of the Heartbleed vulnerability, which, when made public, touched off a flurry of patching activity. Heartbleed affected hundreds of thousands of servers, networking gear and other devices and put the account credentials of millions of users at risk.
Heartbleed may pale in comparison with the Bash shell vulnerability, also being called Shellshock, because of how widespread the command-line interpreter is on Linux systems, said Rob Kraus, director of research at Nebraska-based managed security services provider Solutionary, a subsidiary of NTT Group.
"Because of the long history of Bash and how ingrained it is in almost every version of Unix and Linux that is out there, the exploitable footprint is very large," Kraus told CRN US.
"This is just another potential avenue for inclusion in exploit kits, and organisations need to make sure that they have a firm handle on patch management process and patch management techniques."
Bash can be called from other programs, including over network vectors such as CGI, SSH and DHCP, according to the US Computer Emergency Readiness Team (US-CERT), which issued an advisory Wednesday about the threat.
Major Linux distributions, including Red Hat, are beginning to issue patches to users, but early versions may not be fully vetted. Red Hat acknowledged in an advisory update that the patch was incomplete.
Kraus said all solution providers are likely testing and deploying patches for impacted systems, as well as implementing detection signatures to identify any attacks in progress.
Intrusion prevention systems and next-generation firewalls can and should be updated with signatures to detect and block the threat, according to Martin Lee, a security analyst at Cisco.
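Both Kraus and Lee point to signatures as the first line of detection. The following Python script is an added example, not code from the article or from any vendor it names: it scans Apache-style "combined" access-log lines for the telltale Shellshock pattern, a header value carrying a Bash function definition (`() {`), which is exactly the kind of attacker-controlled string a CGI handler exports into Bash's environment. The log lines, source addresses and the regex are all assumptions constructed for this example.

```python
import re
from collections import Counter

# Detection pattern for a Shellshock probe: a header value containing a Bash
# function definition, "() {". The tolerated whitespace covers the variants
# seen in probes ("() { :;};" and "() {:;};"). This regex is written for this
# example and is not a rule quoted from the article; it mirrors the pattern
# that IDS/WAF signatures for Shellshock key on.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Parser for the common "combined" access-log format. The referer and user
# agent are the header-derived fields the log preserves, and both are
# attacker-controlled values a CGI script would see as environment variables.
LOG_RE = re.compile(
    r'^(?P<source>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)
HEADER_FIELDS = ("referer", "user_agent")

# Constructed sample log lines (addresses are RFC 5737 documentation ranges).
# Lines 2 and 4 carry the probe pattern; the command after it is a harmless echo.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:01:22 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [25/Sep/2014:10:01:23 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"',
    '198.51.100.2 - - [25/Sep/2014:10:02:07 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "curl/7.37.0"',
    '198.51.100.4 - - [25/Sep/2014:10:02:09 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "() {:;}; echo probe" "Mozilla/5.0"',
]


def parse_line(line):
    """Return the named fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock_probes(lines):
    """Scan log lines and return one hit per header field that matches the signature."""
    hits = []
    for number, line in enumerate(lines, start=1):
        fields = parse_line(line)
        if fields is None:
            continue  # unparsable line; in production, count these rather than drop them silently
        for field in HEADER_FIELDS:
            if SHELLSHOCK_RE.search(fields[field]):
                hits.append({
                    "line": number,
                    "source": fields["source"],
                    "field": field,
                    "request": fields["request"],
                    "value": fields[field],
                })
    return hits


def summarize_by_source(hits):
    """Count hits per source address: the view an analyst wants for blocking and triage."""
    return dict(Counter(h["source"] for h in hits))


if __name__ == "__main__":
    for h in find_shellshock_probes(SAMPLE_LOG):
        print(f'line {h["line"]}: {h["source"]} sent "{h["value"]}" in {h["field"]} ({h["request"]})')
    print(summarize_by_source(find_shellshock_probes(SAMPLE_LOG)))
```

Log review like this is a retrospective tripwire rather than a block: it tells you which sources sent probes and which CGI paths they aimed at, which is useful for deciding what to patch first and what to investigate. It cannot see headers the server never logged (Cookie or custom headers carry the same pattern) and it will miss encoded or otherwise obfuscated variants, so it complements the inline IPS and firewall signatures Lee describes and the patching itself. False positives are rare, since `() {` almost never appears in a legitimate referer or user agent.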
Cisco and other firms are detecting attacks in the wild, Lee said in a blog post. Once exploited, the vulnerability gives attackers the ability to execute malware and conduct just about any kind of attack, including pivoting to other sensitive systems to steal data or launching denial-of-service attacks, Lee said.
"We have observed exploitation of the vulnerability in the wild," Lee said. "We have indications that at least some of this activity is due to an automated malicious attack seeking to install DDoS tools on affected systems. However, due to the nature of this vulnerability, almost any tool or malware sample can be downloaded and executed."
Andy Ellis, chief security officer at web content delivery giant Akamai, said his company was implementing patches and other measures to address the risk. In a blog post, Ellis said the widespread vulnerability poses a challenge for administrators because it could potentially impact so many systems and applications.
"As Bash is a common shell for evaluating and executing commands from other programs, this vulnerability may affect many applications that evaluate user input, and call other applications via a shell," Ellis said. "The new vulnerability presents an unusually complex threat landscape as it is an industry-wide risk."