Tag Archive for: Shellshock

Why Shellshock Remains a Cybersecurity Threat After 9 Years

The Shellshock vulnerability got a lot of attention when it was first disclosed in 2014 — both from the media and security teams. While that attention has waned in subsequent years, the Shellshock vulnerability has not disappeared — nor has attacker attention weakened.

Rather, this vulnerability remains a popular target, particularly in financial services applications. In fact, earlier this year, ThreatX identified attackers attempting to exploit a Shellshock vulnerability in approximately one-third of our customers. These numbers are concerning when considering the severity and age of this vulnerability. How could a vulnerability disclosed nine years ago still be so prevalent in attacks? And why do so many credit unions fall victim?

What Is Shellshock and Why Does It Still Exist?

Shellshock, also known as the Bash bug or CVE-2014-6271, is a vulnerability that researchers discovered in September 2014 in the Unix Bash shell. Deemed critical because of the escalated privileges it grants an attacker who exploits it, Shellshock existed on billions of devices around the world and caused widespread panic and countless patches in 2014. The panic has subsided, but the vulnerability hasn’t exactly gone away. It still exists in the wild and remains popular because it is relatively simple to exploit and requires little skill or cost from an attacker.

So why does it still exist nearly 10 years later? Three words: bad patch management. Failure to apply patches in a timely manner can leave organizations vulnerable to attacks that exploit known vulnerabilities. The Shellshock vulnerability is a prime example of the consequences of not applying patches promptly. Many organizations are slow to apply the necessary updates, leaving their systems open to attack.

One reason organizations are struggling with patch management is because the process can be complex and time-consuming, especially in large or distributed environments. There may also be concerns about the potential impact of applying patches, such as downtime or compatibility issues with other software. Additionally, some organizations may not have the necessary resources or expertise to effectively manage patching across…


A Georgia election server was vulnerable to Shellshock and may have been hacked

[Image: Closeup photograph of a Georgia voter access card (credit: Jason Riedy / Flickr)]

Forensic evidence shows signs that a Georgia election server may have been hacked ahead of the 2016 and 2018 elections by someone who exploited Shellshock, a critical flaw that gives attackers full control over vulnerable systems, a computer security expert said in a court filing on Thursday.

Shellshock came to light in September 2014 and was immediately identified as one of the most severe vulnerabilities to be disclosed in years. The reasons: it (a) was easy to exploit, (b) gave attackers the ability to remotely run commands and code of their choice, and (c) opened most Linux and Unix systems to attack. As a result, the flaw received widespread news coverage for months.

Patching on the sly

Despite the severity of the vulnerability, it remained unpatched for three months on a server operated by the Center for Election Systems at Kennesaw State University, the group that was responsible for programming Georgia election machines. The flaw wasn’t fixed until December 2, 2014, when an account with the username shellshock patched the critical vulnerability, the expert’s analysis of a forensic image shows. The shellshock account had been created only 19 minutes earlier. Before patching the vulnerability, the shellshock user deleted a file titled shellsh0ck. A little more than a half hour after patching, the shellshock user was disabled.


Biz & IT – Ars Technica

Shellshock two years on – has your company forgotten about it?

It’s just over two years since a critical Shellshock vulnerability was uncovered. But it has far from disappeared…

Read more in my article on the Bitdefender Business Insights blog.

Graham Cluley

Ghost in the (Bourne Again) Shell: Fallout of Shellshock far from over

The long, painful rollout of patches to a security flaw in the Bourne Again Shell (bash) has left thousands of systems still vulnerable, and malware based on the vulnerability continues to spread, according to a number of security experts. But even for organizations that have already applied the patch for what has been dubbed the “Shellshock” vulnerability, the cleanup may not be over—and it could be long and expensive.

Soon after the Shellshock bug was publicly disclosed and its initial patch was distributed, weaknesses in the patch itself and additional security vulnerabilities were uncovered by developers dealing with the issue. And within a day of the disclosure, attacks exploiting the vulnerability were found in the wild. Some of those attacks are still trying to spread—and in some cases, they’re using Google searches to help them find potential targets. Successful attacks may have made changes to the targeted systems that would not have been corrected by the application of the patch.

The problem with Shellshock is similar to problems that emerged after the Heartbleed bug and numerous other vulnerabilities—while organizations struggle to understand the disclosures, how they affect their systems, and how to successfully implement patches, others—including security researchers—race to build proof-of-concept attacks based on them to demonstrate exactly how dire they are. And those proofs of concept often get picked up by cybercriminals and others with bad intent before organizations can effectively patch them—using them to exploit systems in ways that are much longer-lasting than the vulnerability du jour.

Ars Technica » Technology Lab