The Bug
This week brings us another widespread, critical vulnerability that required immediate attention. Perhaps even larger in scope than Heartbleed, Shellshock affects a very common open source program called “bash.”
Bash is a command shell commonly deployed on Linux, BSD, and Mac OS X. CVE-2014-7169 provides the details.
The tl;dr takeaway is this: the bug is widespread, has the potential to do significant damage, and requires little-to-no technical knowledge to exploit. Because LINUX powers over half the servers on the Internet, Android phones, and the majority of devices in the Internet of Things (IoT), the reach of this is very broad.
Also, because Bitcoin Core is controlled by BASH, this vulnerability can impact Bitcoin miners and other Bitcoin related systems, making them potentially a very attractive target to attackers.
We are already seeing attacks in the wild.
The Patch
Some LINUX distributions have released a patch that provides a partial solution to this bug. It is advisable to deploy these patches as quickly as possible and be prepared to deploy another patch once developers & researchers confirm a patch with complete coverage for this vulnerability. Fixes for Android phones and other devices will have to come from the manufacturers (if they come at all).
The Gap
There is always going to be a gap between the time that a patch is made available and the time in which you can ensure that it is successfully deployed across your environment.
This is where a compensating control comes into play. In this case, you should have an intrusion prevention system (IPS) or other network-based heuristic monitoring the network traffic to your instances.
Host-level protection can look at the network traffic coming to and from your instances and look for attempted attacks, blocking them before they can be executed and effectively virtually patching the servers. In this case, the exploit is relatively simple to identify and an IPS should be able to prevent any attempted attack from ever reaching the vulnerable software.
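As an added illustration of the kind of check an IPS performs for this bug (example code written for this post, not Trend Micro's rule or any code from the original): a small detector that scans web-server log lines for the function-definition prefix that bash misparses. The log lines, IP addresses and paths are constructed sample data.

```python
import re

# Bash treats an environment-variable value that begins with "() {" as a
# function definition, which is what Shellshock abuses. A CGI handler exports
# request headers (User-Agent, Referer, ...) into bash's environment, so an
# IPS can flag any header carrying that prefix. The pattern is searched
# anywhere in the value, which is broader than bash's own prefix check and
# therefore errs toward flagging.
SHELLSHOCK_PATTERN = re.compile(r"\(\)\s*\{")

# Constructed sample traffic in Apache "combined" log format (not real data):
# the third line carries the classic harmless probe string in its User-Agent.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2014:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [25/Sep/2014:10:01:15 +0000] "GET /cgi-bin/status HTTP/1.1" 200 88 "-" "curl/7.37.0"
198.51.100.7 - - [25/Sep/2014:10:02:03 +0000] "GET /cgi-bin/status HTTP/1.1" 200 88 "-" "() { :;}; echo probe"
"""

# Parser for the combined log format: client IP, timestamp, request line,
# status, size, Referer and User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def header_is_suspicious(value: str) -> bool:
    """True if bash would parse this header value as a function definition."""
    return SHELLSHOCK_PATTERN.search(value) is not None


def find_shellshock_probes(log_text: str) -> list:
    """Return (client_ip, request_line, offending_field) for each flagged line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        for field in ("req", "referer", "ua"):
            if header_is_suspicious(m.group(field)):
                hits.append((m.group("ip"), m.group("req"), field))
                break  # one hit per line is enough to alert on
    return hits


if __name__ == "__main__":
    for ip, req, field in find_shellshock_probes(SAMPLE_LOG):
        print(f"{ip} sent a Shellshock-style probe in {field}: {req!r}")
```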
What To Do
Our technical post does a great job of detailing some general steps everyone should take to respond to this issue as well as the specific steps that Trend Micro customers should take.
There is currently a patch available for most affected distributions that partially addresses the vulnerability. Work continues on a more complete solution.
This issue is urgent and should be addressed immediately. Fortunately, the response plan is very straightforward.
1. If you’re an end-user, watch for patches for your Mac, your Android phone, and other devices you may have.
2. If you’re running LINUX systems, deploy BASH patches immediately.
3. If you’re running LINUX/APACHE webservers using BASH scripts, consider retooling your scripts to use something other than BASH until a patch is available.
4. If you’re the customer of a hosted service, get in touch with them to find out if they’re vulnerable and find out their remediation plans if they are.
Your next step to protect your servers should be:
For vulnerable desktops (such as Linux and Mac OS X):
Trend Micro Customers
Trend Micro customers should refer to our knowledge base article on our support site. It’s the go-to page for all of our products and how this vulnerability relates to them. Please continue to refer back to this page as the situation evolves; we will continue to provide updates there.
What protection does Trend Micro have in place for this vulnerability?
Trend Micro Deep Security customers must apply the update DSRU14-028 and assign the following rule:
If you’re not already a Trend Micro customer, you can download or sign up for our Deep Security product, which is being updated to provide protection against attacks on this vulnerability.