
Shellshock possibly worse than Heartbleed

30 Sep 2014

Last week, a new critical vulnerability was discovered that affects systems running several versions of Linux and Unix, including Mac OS X, and some routers and IoT devices.

Known as “Bash Bug” or “Shellshock,” this vulnerability, if exploited successfully, could allow an attacker not only to gain control over a targeted computer but also to gain access to other computers on the affected network.

The Shellshock Bash bug was found in a typical voice-over-IP (VoIP) phone system, opening up the possibility that many more business communication systems could be vulnerable if attacked.

Possibly even larger in scope than Heartbleed, this vulnerability is serious given that web servers are the systems mostly affected. It also poses risks to Internet of Everything/Internet of Things devices that run Linux (and Bash). It was also reported to affect Bitcoin and Bitcoin mining, so attackers could potentially use it to create armies of bots.

Shellshock affects a very common open source program called “bash”, a command shell commonly deployed on Linux, BSD, and Mac OS X. Bash, an acronym for Bourne Again Shell, is a command-line shell that lets users issue commands to launch programs and features within software by typing in text. It’s typically used by programmers and shouldn’t be open to the wider world, though Shellshock changes that.

This new vulnerability can allow execution of arbitrary code, thus compromising the security of systems. Possible attack scenarios range from changing the contents of web servers and website code, to defacing websites, to stealing user data from databases, among others.

Trend Micro has spotted samples that are the payload of actual exploit code. Detected as ELF_BASHLITE.A (also known as ELF_FLOODER.W), this malware is capable of launching distributed denial-of-service (DDoS) attacks. It can also perform brute-force logins, possibly enabling attackers to obtain lists of login usernames and passwords.
