Threat Research Blog

The big bad BASH bug

This bug is horrible. It's worse than Heartbleed, in that it affects servers that help manage huge volumes of Internet traffic. Conservatively, the impact is anywhere from 20 to 50% of global servers supporting web pages. Specifically, this issue affects web servers using GNU BASH to process traffic from the Internet. In addition, this bug covers almost all CGI-based web servers, which are generally older systems on the Internet.

This bug allows arbitrary remote code execution on a remote webserver, something that is extremely serious. Why? It allow the attacker to leverage the website in further strategic web compromises, such as watering hole attacks, against website visitors. This is precisely how many targeted attacks occur, with an exceptionally high degree of success.

What can enterprises do? The first step in this problem is to actively scan your infrastructure to identify vulnerable systems and assess overall impact. Most of the major Linux distributions have issued patches for this bug. Alternatively, switching your default shell to something other than BASH will help mitigate this issue.

We have not seen this vulnerability used in targeted attacks yet. There is a high probability that sophisticated threat groups will use this vulnerability soon. It is unknown as to whether these types of discovered vulnerabilities will escalate in the future. Finally, it’s worth noting we have seen the first attack in the wild:

However, this is not necessarily a targeted attack.