Today a new vulnerability was discovered called “Shellshock,” that targets BASH, a popular software widely used to control the command prompt on many *nix computers. Shellshock has the potential to wreak havoc on websites, web servers, PCs, routers and more because it enables hackers to gain complete control of an infected machine, which is bad news for consumers and enterprises everywhere. Hackers with this power can disrupt business and cause an organization to suffer from web site attacks, network shutdowns, lost data – not to mention the cost of operational down-time, lost customers and patching such a vulnerability.
ShellShock is a logical vulnerability that does not need to bypass “ASLR” or other exploit mitigation techniques. Therefore ShellShock is extremely dangerous because attackers can simply attempt to run a shell command on the remote machine without the need to know anything on the victim’s system.
It’s not surprising that it only took hackers a few hours once the vulnerability was announced to start exploiting the newly identified bug using a fast-moving worm. These worms scan for vulnerable systems and the damage caused is largely left up to the hacker’s imagination.
But perhaps what’s more amazing than the attack itself is how long it took for this vulnerability to be identified? 22 years! Imagine how this vulnerability could have been used in the last 22 years.
While hacking traditional computers has become increasingly difficult, mobile devices are still relatively unprotected and enable attackers to access internal networks easily. If a vulnerability like Shellshock can go undetected on a mature platform like Linux, imagine what vulnerabilities exist on the relatively immature mobile operating systems. These mobile attacks are happening in the wild – they are simply going undetected, just like Shellshock.
Is your mobile device at risk?
Zimperium Security Labs has done thorough research to determine what systems and devices this vulnerability exploits. We believe it is mostly limited to server side infrastructure with these 3 preconditions: Linux, BASH running up to and including version 4.3 and web servers that use CGI scripts to accept web browser access. Some routers may also be vulnerable to this command remotely – make sure that your management console is only accessible via your LAN.
We believe that very few Roms of Android devices may be susceptible to this attack. If you want to find out if your Android device is vulnerable, check out the Zimperium Shellshock Vulnerability Scanner by downloading here with your Android device. This app will determine if your mobile device is running vulnerable version of BASH or apps that includes BASH process, which exposes your mobile device to the ShellShock vulnerability.
We will continue to follow this attack. Check back for more details!
If you are concerned about your smartphones and corporate network safety: contact us for free evaluation of zIPS our Mobile IPS which is part of Zimperium Mobile Security System.