It’s been over a week now since the remote code execution vulnerability affecting the Bourne Again Shell (“bash”) was made public.
Since then, we’ve seen a classic race underway between attackers seeking to exploit the vulnerability and defenders working to protect against it and deploy patches.
With all the activity and updates, now is a good time to pause and take stock. There are patches, and there are attacks. The situation is serious, but it is not a crisis, and it should stay that way as long as people keep taking active steps to protect themselves.
Where we are now
In the past week we have seen patches for the bash vulnerability come out. We have also seen people working to block attempts to exploit the vulnerability using technologies like vulnerability shielding, Intrusion Prevention Systems (IPS), and endpoint security. And people are testing and deploying patches promptly.
From an attack point of view, our researchers have documented attackers scanning for the vulnerability worldwide. We have also seen successful attacks around the world, primarily focused on adding compromised systems to botnets used for distributed denial of service (DDoS) attacks. The rate of scanning and the proliferation of malware associated with these attacks are both cause for continued concern.
The most significant development is the emergence of other vulnerabilities affecting bash. Four additional vulnerabilities have emerged since last week, bringing the total to six. There is no evidence of any attacks yet against these new vulnerabilities, and vendors are working to address them.
What we can expect
Most importantly, based on past security situations and the past week, we can likely expect to see more bash vulnerabilities being found and disclosed. When a technology comes under this kind of scrutiny, researchers and attackers spend time looking for variants, related issues and new issues. If that technology hasn’t been through a comprehensive, rigorous security review (and bash appears not to have), there are other issues waiting to be found. If the issues are there, they will be found. Bash will likely remain a focus until the store of potential security issues is exhausted, either through a security push, through researchers and attackers finding them all, or some combination of both.
We can expect security companies to continue to provide protections against attempts to exploit vulnerabilities that have been disclosed. For example, Trend Micro has rules in place now that can protect against attempts to exploit all six bash vulnerabilities as well as all malware associated with known attacks.
We can expect vendors to continue to work on fixes and provide patches as they’re ready. If issues continue to be found, we can expect a “whack-a-mole” type situation where vulnerabilities are found and fixed over and over until the pool is exhausted. You should be prepared to patch your systems multiple times and take steps now to make that as painless as possible: inventory every system and appliance that ships bash, and verify after each round that the fix actually took rather than assuming it did.
We can expect attackers to continue scanning for vulnerable systems and expanding their scans to include new, attackable vulnerabilities. We can also expect attackers to expand their attacks to encompass more vulnerabilities as they’re found, and to utilize more kinds of malware and to utilize compromised systems for more than just DDoS attacks.
Finally, over time, we can expect scanning to result in attackers using vulnerable systems as an entry point for more advanced, targeted attacks. While we won’t hear about these attacks in the near term, in the coming months we can expect to see and learn about more damaging attacks that began from compromises associated with these vulnerabilities.
What you need to do
Most importantly, don’t panic. Security companies and vendors are on the case and working to keep pace with the evolving and changing situation.
Putting multiple layers of defense in place, and deploying patches when they are available, are the most effective things you can do. If you are able to replace bash with another command shell you may want to evaluate that option, but treat it as a complement to patching, not a substitute: bash usually stays installed, other packages and scripts may call it explicitly, and on many systems /bin/sh (which system(3), popen(3) and CGI handlers invoke) is bash itself.
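Both pieces of advice above, patch repeatedly and think carefully before swapping shells, depend on knowing what state a host is actually in. The script below is an added example, not code from the original post or from Trend Micro: three POSIX sh functions that classify the local bash using the widely published environment-variable probe. It assumes `bash` and `sh` are on PATH, runs only against the local shell, and changes nothing on the system.

```shell
#!/bin/sh
# Added example (not part of the original post). Assumes "bash" and "sh" are
# on PATH. Nothing here modifies the host; each check spawns a child shell
# with a crafted environment variable and inspects its stdout.

# 1. Does bash still run a command appended to an imported function
#    definition? A vulnerable bash executes the trailing "echo" while it
#    imports the function; a patched bash ignores it (and may warn on stderr).
#    Prints "vulnerable", "patched" or "missing"; returns 1, 0 or 2.
shellshock_status() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "missing"; return 2
    fi
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' bash -c 'echo probe' 2>/dev/null || true)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo "vulnerable"; return 1 ;;
        *)                   echo "patched";    return 0 ;;
    esac
}

# 2. Does bash still import functions from arbitrary environment variables?
#    The first-round fix only stopped the trailing command; later fixes stop
#    bash from treating a plain variable that starts with "() {" as code at
#    all, which is what keeps the follow-on parser bugs out of reach. If the
#    function "x" is callable inside the child bash, only the first-round fix
#    is present. Prints "hardened", "legacy-import" or "missing"; returns 0, 1 or 2.
env_function_import_status() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "missing"; return 2
    fi
    out=$(env x='() { echo IMPORTED_MARKER; }' bash -c 'x' 2>/dev/null || true)
    case "$out" in
        *IMPORTED_MARKER*) echo "legacy-import"; return 1 ;;
        *)                 echo "hardened";      return 0 ;;
    esac
}

# 3. Is the system sh actually bash? system(3), popen(3) and most CGI
#    wrappers run "sh -c ...", so changing login shells does not help if sh
#    is still bash. bash sets BASH_VERSION even when invoked as sh; dash and
#    busybox sh do not. Prints "bash" or "other"; returns 0 or 1.
default_sh_is_bash() {
    ver=$(sh -c 'printf "%s" "$BASH_VERSION"' 2>/dev/null || true)
    if [ -n "$ver" ]; then
        echo "bash"; return 0
    else
        echo "other"; return 1
    fi
}

# Stand-alone run: report all three so the output can be collected per host.
printf 'original bug:      %s\n' "$(shellshock_status)"
printf 'function import:   %s\n' "$(env_function_import_status)"
printf 'system sh is bash: %s\n' "$(default_sh_is_bash)"
```

Run it after every patch round, not just the first: a host can report "patched" for the original bug and still show "legacy-import", which means it only received the first-round fix and will need the later ones too. The third line tells you whether swapping your login shell would change anything for the code paths attackers actually reach.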
We will be providing a webinar on Tuesday October 7, 2014 at 1PM Eastern Daylight Time (5PM UTC) where we will discuss the current threat environment and help you better understand your risks and how you can best protect yourself. You can register for that here.
Please add your thoughts in the comments below or follow me on Twitter; @ChristopherBudd.