An extremely critical vulnerability affecting most Linux distributions gives attackers the ability to execute malicious code on servers used to deliver e-mail, host webpages, and carry out other vital functions.
The vulnerability in the GNU C Library (glibc) represents a major Internet threat, in some ways comparable to the Heartbleed and Shellshock bugs that came to light last year. The bug, which is being dubbed "Ghost" by some researchers, has the Common Vulnerabilities and Exposures designation CVE-2015-0235. While a patch was issued two years ago, most Linux versions used in production systems remain unprotected at the moment. What's more, patching systems requires core services to be restarted or the entire affected server to be rebooted, a requirement that may cause some systems to remain vulnerable for some time to come.
The buffer overflow flaw resides in __nss_hostname_digits_dots(), a glibc function that is invoked by the gethostbyname() and gethostbyname2() function calls. A remote attacker able to reach either of these functions could exploit the flaw to execute arbitrary code with the permissions of the user running the application. In a blog post published Tuesday, researchers from security firm Qualys said they were able to write proof-of-concept exploit code that carried out a full-fledged remote code execution attack against the Exim mail server. The exploit bypassed all existing exploit mitigations available on both 32-bit and 64-bit systems, including address space layout randomization, position-independent executables, and no-execute protections. Qualys has not yet published the exploit code but eventually plans to make it available as a Metasploit module.
“A lot of collateral damage on the Internet”
glibc is the most widely used C library on Linux. It contains the standard functions that programs written in C and C++ use to carry out common tasks. The vulnerability also affects Linux programs written in Python, Ruby, and most other languages, because their runtimes also rely on glibc. As a result, most Linux systems should be presumed vulnerable unless they run an alternative to glibc or use a glibc version that contains the update from two years ago. The specter of so many systems being susceptible to an exploit with such severe consequences is prompting concern among many security professionals.
Besides Exim, other Linux components or apps that are potentially vulnerable to Ghost include MySQL servers, Secure Shell servers, form submission apps, and other types of mail servers.
It was reported that Qualys researchers enumerated apps they believed were not vulnerable. The list included Apache, Cups, Dovecot, GnuPG, isc-dhcp, lighttpd, mariadb/mysql, nfs-utils, nginx, nodejs, openldap, openssh, postfix, proftpd, pure-ftpd, rsyslog, samba, sendmail, sysklogd, syslog-ng, tcp_wrappers, vsftpd, and xinetd.
"If [researchers] were able to remotely exploit a pretty modern version of Exim with full exploit mitigations, that's pretty severe," said Jon Oberheide, a Linux security expert and the CTO of two-factor authentication service Duo Security. "There could be a lot of collateral damage on the Internet if this exploit gets published publicly, which it looks like they plan to do, and if other people start to write exploits for other targets."
The bug affects virtually all Linux-based software that performs domain name resolution. As a result, it most likely can be exploited not only against servers but also against client applications. Word of the vulnerability appears to have caught developers of the Ubuntu, Debian, and Red Hat distributions of Linux off guard. At the time this post was being prepared they appeared to be aware of the bug but had not yet distributed a ready-made fix. People who administer Linux systems should closely monitor official channels for information about how specific distributions are affected and whether a patch is available. Admins should also prepare for the inevitable reboots that will be required after installing the patch.
Update: Red Hat Enterprise Linux 5 has an update here, and readers are reporting a fix is also available for Ubuntu 12.04.
In the meantime, readers can find more technical details about Ghost in the previously mentioned Qualys blog post, as well as here and here.
::Trend Micro Threat Resource Center::
Showing posts with label Bash Bug. Show all posts
07 October 2014
Romanian Hackers Allegedly Used The Shellshock Bug To Hack Yahoo’s Servers
Security researcher Jonathan Hall says he has found evidence that Romanian hackers used the Shellshock bug to gain access to Yahoo servers, according to a post on his website Future South.
The Shellshock bug can be used by hackers to control servers through a vulnerability in the Bash shell used on Linux and Unix systems. The problem has existed for over 20 years, but it was only discovered in September. If a hacker gains access to a server using the Shellshock bug, they could see everything that is stored there.
Hall, a technology consultant and Unix expert, outlined in his post the process he used to track down the hacked Yahoo servers. Hall used a Google search to find servers that had been left vulnerable to Shellshock. He discovered that the WinZip.com domain was being used by hackers to track down other servers that could be vulnerable to the bug.
Hall went on to find that Romanian hackers had gained access to Yahoo’s servers, and were gradually exploring the network in search of the popular Yahoo! Games servers. Yahoo’s games are played by millions of people, making them a target for hackers looking to wreak havoc. Through his research, Hall discovered that two of Yahoo’s servers had been breached by hackers, and that more could have already been accessed.
Yahoo’s servers were vulnerable to attack because they were running an old version of the Bash shell. Hall emailed and tweeted Marissa Mayer, as well as a member of Yahoo’s engineering team. Eventually he received a response from Yahoo that confirmed its servers had been breached and that it was working through its incident response process. Hall claims that Yahoo refused to pay him for the discovery because it claims that it is not part of the company’s bug bounty program.
Yahoo has come under fire in the past for its response to security researchers who uncover bugs in its servers. In 2013 the CEO of a security firm was awarded a $25 voucher for Yahoo-branded items after he uncovered three bugs in Yahoo’s online services.
02 October 2014
Shellshock Attacks Hit Major NAS Kit; IoT Next?
Security experts are warning that businesses running Internet of Things (IoT) devices could be next in the firing line after discovering what they claim to be the first Bash bug attack aimed at Network Attached Storage systems.
FireEye threat researchers James Bennett and J Gomez claimed they spotted attacks attempting to exploit the Bash remote code injection vulnerability against targets in Japan and Korea, and one in the US.
The attacks gave the hackers a root level remote shell, effectively giving them full access to the contents of the NAS, they said in a blog post.
“NAS systems are used by enterprises to store large volumes of files and house databases, as well as by consumers for personal storage,” they added.
“This makes an NAS an attractive target for attackers given the broad types of data they handle. In this case, the attackers can gain full access to the NAS contents as well as execute other commands.”
The attacks in question were launched against popular NAS maker QNAP, which makes personal and business network storage and video surveillance systems for a wide variety of industries.
The firm said in an update that it had now released a patch to fix the issue.
However, the attack could mean other embedded Linux OS devices left unpatched are next in line for the Shellshock hackers, FireEye warned.
“Based on the sheer number of devices which run an embedded Linux OS and the time-to-patch window, we feel the potential for widescale compromise of network-connected personal and business data storage systems is very high at this time,” Bennett and Gomez added.
“As many smart- or connected-devices utilize similar set-ups, this represents one of the first in the wild Shellshock attack against IoT-type devices.”
The Bash bug or Shellshock vulnerability rocked the information security world when it went public last week.
Soon after it was disclosed, security vendors began reporting various attacks in the wild exploiting the vulnerability, resulting in DDoS attacks, malware droppers, data exfiltration, backdoors and more.
It had been claimed that Shellshock may not be as serious as Heartbleed, in that there may be complex and varied exploitation paths for each application, making it less attractive and more time consuming for hackers to develop specific exploits.
30 September 2014
Apple releases bash patch to plug 'Shellshock' security flaw in OS X Mavericks, Mountain Lion, Lion
As promised, Apple on Monday issued OS X bash Update 1.0 for OS X Mavericks, Mountain Lion and Lion, targeting the recently discovered "Shellshock" security flaw originating in the bash UNIX shell.
Following revelations that Shellshock was in the wild, Apple last Friday said that, while most consumers would go unaffected, it was working to patch the problem. That fix was released today for OS X 10.9 Mavericks, OS X 10.8 Mountain Lion and OS X 10.7 Lion.
"This update fixes a security flaw in the bash UNIX shell."
The bug, dubbed "Shellshock" by the computer security community, is theorized to have been present in every version of bash since the shell's inception in 1989. In a remote attack, nefarious users could potentially issue commands to an affected computer with the intent of gathering information, modifying system files and more.
"With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services," an Apple spokesperson said last week, adding that the company is "working to quickly provide a software update for our advanced UNIX users."
Mac owners running Mavericks can download the 3.4MB patch through the Apple Support website, as can users operating Mountain Lion and Lion. For Mountain Lion, the fix comes in at 34.3MB, while the Lion download clocks in at 3.5MB. Alternatively, the patch is available through Software Update.
27 September 2014
What you need to know about Shellshock (a.k.a Bash Bug)
The Shellshock vulnerability (also known as Bash Bug) will have a widespread impact for any organization or user that has Bash enabled on a server, desktop, or device. This includes over 500 million web servers on the Internet today. Shellshock (CVE-2014-6271 and CVE-2014-7169) is found in Bash, the default shell on most Unix and Linux systems, and can also be found in Mac OS X, some Windows server deployments, and even Android.
It enables remote code injection of arbitrary commands without authentication, which can then allow malicious code execution that could be used to take over an operating system, access confidential data, or set the stage for future attacks.
Simply put, the vulnerability allows attackers to run malicious scripts on systems and servers, compromising everything on them. It has the potential to do significant widespread damage, since it affects Linux, BSD, and Mac OS X. Linux alone powers a majority of the servers on the Internet and of IoT (Internet of Things) devices.
What is the threat extent and who are affected?
Shellshock creates a weak spot that serves as a backdoor for a hacker to carry out commands, take over a machine, dig into servers, steal data and deface websites. Most computers and Internet-enabled home devices such as routers, Wi-Fi radios, and even smart light bulbs running on Linux OS are most likely affected.
Webcams, for example, are often Linux-based, and these devices can also be hacked and used as infection vectors. This problem extends to smart devices connected to the Internet of Everything, located anywhere and everywhere, including hospitals, energy sectors, and schools. This means that even a minor vulnerability in a device could open the door to a potential attack.
What can you do?
Be alert and recognize the scope and scale of Shellshock. Whether it’s as notorious as they say or not, having a healthy paranoia can make you more cautious and proactive about interconnected devices that could be vulnerable to possible attacks. Update all firmware and operating systems, and install security updates. Use Shellshock detection tools or plug-ins to scan likely vulnerabilities and exploits. For system admins, patch your systems immediately and closely track your network activity.
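One of the "detection tools" the advice above refers to can be as simple as a local self-check. The script below is an added example, not code from the original post or from Trend Micro: it runs the standard vendor-published probe strings for the two CVEs named in this post against a shell binary of your choosing (assumed to be bash by default) and reports "patched" or "vulnerable" for each.

```shell
#!/bin/sh
# Local Shellshock self-check for CVE-2014-6271 and CVE-2014-7169.
# Added example, not from the original article. Assumes the shell under
# test is passed as $1 (default: bash). On a patched shell the function
# body in the exported variable is never evaluated, so nothing happens.

# CVE-2014-6271: an exported variable whose value starts with "() {" was
# parsed as a function definition AND the trailing command was executed.
# Prints "vulnerable" or "patched".
check_cve_2014_6271() {
    shell="${1:-bash}"
    out=$(env x='() { :;}; echo vulnerable' "$shell" -c 'echo test' 2>&1)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# CVE-2014-7169: the first fix still let a malformed function body leave a
# dangling redirection, so "echo date" wrote the date into a file named
# "echo" in the current directory. Run the probe in a scratch directory and
# look for that file. Prints "vulnerable" or "patched".
check_cve_2014_7169() {
    shell="${1:-bash}"
    dir=$(mktemp -d) || { echo "error"; return 2; }
    (
        cd "$dir" || exit 2
        env x='() { (a)=>\' "$shell" -c 'echo date' >/dev/null 2>&1
        [ -f ./echo ] && echo "vulnerable" || echo "patched"
    )
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

# Summarise both checks for one shell binary; exit status 1 if either
# probe shows the shell is still vulnerable, 2 if the binary is missing.
shellshock_report() {
    shell="${1:-bash}"
    if ! command -v "$shell" >/dev/null 2>&1; then
        echo "$shell: not found"
        return 2
    fi
    a=$(check_cve_2014_6271 "$shell")
    b=$(check_cve_2014_7169 "$shell")
    echo "$shell CVE-2014-6271: $a"
    echo "$shell CVE-2014-7169: $b"
    [ "$a" = "patched" ] && [ "$b" = "patched" ]
}

# Run as a script: sh shellshock_check.sh [/path/to/bash]
# (The filename guard lets the functions be sourced without running.)
case "$0" in *shellshock_check.sh) shellshock_report "$@" ;; esac
```

Save it as shellshock_check.sh and point it at every shell binary on the box (bash is not always the only copy; embedded firmware and vendor toolchains may ship their own), since a single unpatched copy reachable from a network-facing service is enough.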
Learn more about the Bash Bug in the attached infographic.