Shellshock Response and Mitigation
The recently disclosed bash weakness (termed Shellshock or The Bash Bug) rates among the most severe security vulnerabilities in memory. Exploits like this are measured by the security industry through a few metrics, one of the most common being the CVE (Common Vulnerabilities and Exposure). Shellshock earns a CVE severity of 10 (out of 10) for a couple important reasons:
- It permits unauthorized remote code execution without validation on a target system
- It carries an extremely low level of difficulty in terms of both discovery and usage
Based on what is currently known about this vulnerability, we anticipate the following likelihoods in the event of an incident:
- Threat propagation will likely be rapid, and will come through a mainstream application vector (such as web or email)
- Threat network footprint will likely be significant and recognizable
- Countermeasures will potentially be unavoidably fragmented based on diversity of vectors and involved platforms—and so it's unlikely that a single countermeasure will address all potential targets and vectors fully
Based on these assumptions, an effective Shellshock response should be built on the following priorities (in order):
- Early recognition of active discovery or exploitation activities
- Rapid isolation of at-risk systems from attacking sources
- Efficient and accurate deployment of countermeasures—apologies here for being vague, but these will vary based on unique at-risk use cases and platforms used by a network
- Restoration of trust to compromised hosts
The Novacoast Incident Response Unit has proven expertise in successfully managing and remediating security incidents of the size and scope of this vulnerability. We stand available to assist when and where needed.
For a more in-depth analysis of the bug and how it can be exploited, a good summary has been published by Symantec here. Another good resource is the US-CERT (The United States Computer Emergency Readiness Team).