Shellshock: Making sense of the question, “Am I vulnerable?”

It seems like such a simple question, “Am I vulnerable to Shellshock,” but it’s surprisingly complicated. Lots of Internet forums suggest pasting some magic code into your command line. If the code outputs “Vulnerable” then you need to upgrade. Unfortunately, it’s not that easy.

There’s an ongoing dance among security researchers, OS vendors, the Bash authors, and attackers. Here’s what we know today.

  • It’s not just hype. Shellshock is a real problem; there’s a very good chance that your servers are vulnerable, and you do need to act. It is being actively exploited.
  • Shellshock is not a single vulnerability (anymore), but a set of related vulnerabilities. Some have been patched and some have not. Some operating systems have deployed some patches. Any unpatched version of Bash is definitely vulnerable.
  • There’s a difference between exploits and vulnerabilities. Those magic shell commands are exploits. Looking for successful exploits is not the same as looking for vulnerabilities. Exploits are often very dependent on the surrounding environment, and they often fail, even if a system is vulnerable.
  • Therefore, address vulnerabilities, not exploits.
  • In some situations, but not in all situations, Shellshock is remotely exploitable. OpenVPN, CGI, and DHCP are known instances. We do not yet know all the situations where it’s exploitable.
  • By the way, you probably shouldn’t paste any code into your terminal unless you know what it does, and even then, it can get tricky.

So what should you do?

  • Don’t invest too much in vulnerability scanners unless it’s just to triage a large environment. If you can upgrade all your systems, do so.
  • Determine what role Bash plays in your environment: Is it installed on remotely accessible systems? Are these critical systems?
  • Check if you’ve applied all available security updates to Bash on all your systems. Prioritize the remotely accessible ones, then the other critical ones, but get to all of them eventually.
  • Sadly, you may have to repeat this process a few times over the next few days as the situation evolves.
  • Some researchers are saying that the Bash code has a lot of problems. The first exploit put a spotlight on Bash, and that means that vulnerabilities are likely to continue to be discovered, and not all of them will be announced. If possible, remove Bash from systems that don’t really need it, or partition off systems that do.
  • Security should be strategic, not just tactical. Once you’re done dealing with Shellshock, contact us for a comprehensive security audit.
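
One way to work through the "what role does Bash play" and "have all updates been applied" items above without running exploit strings, as an added example that is not part of the original post: a shell inventory of the installed Bash package version, whether `/bin/sh` resolves to Bash, which accounts log in with it, and which scripts invoke it. The function names and the default `CGI_DIR` path are assumptions.

```shell
#!/bin/sh
# Added example: inventory of where Bash is used on a host.

# Accounts in a passwd-format file whose login shell is bash.
bash_login_users() {
    awk -F: '$7 ~ "(^|/)bash$" { print $1 }' "$1"
}

# Files under a directory whose shebang invokes bash (directly or via env).
bash_shebang_scripts() {
    find "$1" -type f 2>/dev/null | sort | while IFS= read -r f; do
        first=$(head -n 1 "$f" 2>/dev/null | tr -d '\000')
        case "$first" in
            '#!'*bash*) printf '%s\n' "$f" ;;
        esac
    done
}

# Succeeds if the given sh path resolves to bash, in which case "#!/bin/sh"
# scripts and system()/popen() calls also run Bash.
sh_is_bash() {
    target=$(readlink -f "$1" 2>/dev/null) || return 1
    case "$target" in */bash) return 0 ;; *) return 1 ;; esac
}

# Installed bash package version as the package manager reports it; this is
# the value to compare against the vendor's advisory.
bash_pkg_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}\n' bash 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' bash 2>/dev/null
    else
        echo unknown
    fi
}

# Run with --report to print the inventory for this host.
# CGI_DIR is an assumed location; set it to your web server's script directory.
if [ "${1:-}" = "--report" ]; then
    CGI_DIR=${CGI_DIR:-/usr/lib/cgi-bin}
    echo "bash package: $(bash_pkg_version)"
    if sh_is_bash /bin/sh; then echo "/bin/sh is bash"; else echo "/bin/sh is not bash"; fi
    echo "bash login accounts: $(bash_login_users /etc/passwd | tr '\n' ' ')"
    echo "bash scripts in $CGI_DIR:"; bash_shebang_scripts "$CGI_DIR"
fi
```

The package version it prints only means something when compared against your vendor's current advisory, and that comparison has to be repeated as new fixes ship.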