
What You Need To Know About Shellshock, aka the “Bash Bug”

  • Posted on: September 25, 2014
  • Posted in: Security
  • Posted by: Mark Nunnikhoven (Vice President, Cloud Research)

The Bug

This week brings us another widespread, critical vulnerability that requires immediate attention. Perhaps even larger in scope than Heartbleed, Shellshock affects a very common open source program called “bash.”

Bash is a command shell commonly deployed on Linux, BSD, and Mac OS X. CVE-2014-7169 provides the details.

The tl;dr takeaway is that this bug is widespread, has the potential to do significant damage, and requires little-to-no technical knowledge to exploit. Because Linux powers over half the servers on the Internet, Android phones, and the majority of devices in the Internet of Things (IoT), the reach of this bug is very broad.

Also, because Bitcoin Core is controlled by bash, this vulnerability can impact Bitcoin miners and other Bitcoin-related systems, making them potentially a very attractive target to attackers.

We are already seeing attacks in the wild.

The Patch

Some Linux distributions have released a patch that provides a partial solution to this bug. It is advisable to deploy these patches as quickly as possible and be prepared to deploy another patch once developers and researchers confirm a patch with complete coverage for this vulnerability. Fixes for Android phones and other devices will have to come from the manufacturers (if they come at all).

The Gap

There is always going to be a gap between the time that a patch is made available and the time in which you can ensure that it is successfully deployed across your environment.

This is where a compensating control comes into play. In this case, you should have an intrusion prevention system (IPS) or other network-based heuristic monitoring the network traffic to your instances.

Host-level protection can look at the network traffic coming to and from your instances and look for attempted attacks, blocking them before they can be executed and effectively virtually patching the servers. In this case, the exploit is relatively simple to identify and an IPS should be able to prevent any attempted attack from ever reaching the vulnerable software.
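The point above that the exploit is simple to identify, shown as an added example (not code from the original post or from any Trend Micro product): this Python script flags web access-log entries whose Referer or User-Agent begins with bash's function-definition marker `() {`. The combined log format, the `scan` helper and the constructed sample log are assumptions made for illustration.

```python
import re

# Bash treats an environment value that begins with "() {" as a function
# definition, and CGI copies request headers into environment variables.
# Whitespace is matched loosely on purpose so spacing variants are caught.
MARKER = re.compile(r"\(\s*\)\s*\{")

# "combined" access-log format (assumed here):
# host ident user [time] "request" status size "referer" "user-agent"
QUOTED = r'"((?:[^"\\]|\\.)*)"'
COMBINED = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + QUOTED + r' (\d{3}) \S+ ' + QUOTED + ' ' + QUOTED
)

def scan(lines):
    """Return a finding for every log line whose logged headers carry the marker."""
    findings = []
    for number, line in enumerate(lines, 1):
        parsed = COMBINED.match(line)
        if parsed is None:
            # Unparseable line: search the raw text instead of skipping it.
            if MARKER.search(line):
                findings.append({"line": number, "host": None, "fields": ["raw"]})
            continue
        host, _time, _request, status, referer, agent = parsed.groups()
        # A header only matters here when its value starts with the marker.
        fields = [name for name, value in (("referer", referer), ("user-agent", agent))
                  if MARKER.match(value.lstrip())]
        if fields:
            findings.append({"line": number, "host": host, "status": status, "fields": fields})
    return findings

# Constructed sample log: documentation addresses, payloads replaced by a placeholder.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 312 "-" "() { :; }; <command-removed>"',
    '203.0.113.44 - - [25/Sep/2014:10:02:30 +0000] "GET /cgi-bin/env.sh HTTP/1.1" 500 0 "() { :; }; <command-removed>" "curl/7.30.0"',
    '192.0.2.10 - - [25/Sep/2014:10:03:00 +0000] "GET /app.js HTTP/1.1" 200 88 "http://example.test/?cb=function(){}" "Mozilla/5.0"',
    'truncated entry "() { :; }; <command-removed>',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The combined format records only the Referer and User-Agent headers, so a request carrying the marker in any other header leaves no trace in these logs. Log review of this kind complements the IPS described above and does not replace it.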

What To Do

Our technical post does a great job of detailing some general steps everyone should take to respond to this issue as well as the specific steps that Trend Micro customers should take.

There is currently a patch available for most affected distributions that partially addresses the vulnerability. Work continues on a more complete solution.

This issue is urgent and should be addressed immediately. Fortunately, the response plan is very straightforward.

1. If you’re an end-user, watch for patches for your Mac, your Android phone, and other devices you may have.

2. If you’re running Linux systems, deploy bash patches immediately.

3. If you’re running Linux/Apache web servers using bash scripts, consider retooling your scripts to use something other than bash until a patch is available.

4. If you’re the customer of a hosted service, get in touch with them to find out if they’re vulnerable and find out their remediation plans if they are.

Your next step to protect your servers should be:

  1. Make sure that you have an IPS deployed in front of any vulnerable servers and that the IPS is enabled and actively blocking exploits for CVE-2014-7169. Deep Security is available in a fully functioning trial (software or service) that can immediately help customers.
  2. As patches become available, be sure to deploy them as quickly as possible to ensure layered coverage (in conjunction with your IPS).
  3. Continue to monitor the situation as it evolves.

For vulnerable desktops (such as Linux and Mac OS X):

  1. Temporarily switch your shell to one without this vulnerability. This vulnerability currently only exists in bash; other shells are unaffected. Here’s a how-to for Mac OS X.
  2. Once a patch is made available for your operating system, deploy it.

Trend Micro Customers

Trend Micro customers should refer to our knowledge base article on our support site. It’s the go-to page for all of our products and how this vulnerability relates to them. Please continue to refer back to this page as the situation evolves; we will continue to provide updates there.

What protection does Trend Micro have in place for this vulnerability?

Trend Micro Deep Security customers must apply the update DSRU14-028 and assign the following rule:

  • 1006256 – GNU Bash Remote Code Execution Vulnerability

If you’re not already a Trend Micro customer, you can download or sign up for our Deep Security product, which is being updated to protect against attacks on this vulnerability.
