Linux and UNIX system administrators are today rushing to patch a new remotely exploitable vulnerability on command interpreters which security experts are warning could be larger than the severe Heartbleed OpenSSL flaw.
The CVE-2014-6271 flaw in the Bash shell - one of the most widely used Linux command-line shells - puts Apache webservers at risk of being compromised if their common gateway interface (CGI) scripts invoke Bash.
The flaw, dubbed 'Shellshock', has already been compared to the Heartbleed bug by a number of security researchers in terms of its ability to affect a wide number of users.
Errata Security's Robert Graham said the Bash bug should be considered as serious as Heartbleed due to the enormous amount of software that interacts with the shell, the amount of unknown systems that remain unpatched, and the length of time the bug has been in existence.
"Unlike Heartbleed, which only affected a specific version of OpenSSL, this Bash bug has been around for a long, long time. That means there are lots of old devices on the network vulnerable to this bug. The number of systems needing to be patched, but which won't be, is much larger than Heartbleed," Graham wrote in a blog post.
Director of threat research at FireEye, Darien Kindlund, said Shellshock was "worse than Heartbleed" as it affects servers that help manage huge volumes of traffic.
"Conservatively, the impact is anywhere from 20 to 50 percent of global servers supporting web pages," he said.
"Specifically, this issue affects web servers using GNU BASH to process traffic from the internet. In addition, this bug covers almost all CGI-based web servers, which are generally older systems on the internet."
Laura Bell, director and lead consultant of security firm Safestack.io, told iTnews that in terms of hosts and devices affected, Shellshock could be as severe as Heartbleed, but it would be less obvious to those outside the security community.
She said Shellshock should be categorised as a critical issue due to its high impact on attacked systems and the ease with which it is exploited.
"I don't believe we have seen the full extent of this vulnerability's potential impact yet. As vulnerabilities like this are published, a community springs into action to test and extend the published material," she said.
"I expect we will see a number of active exploits, automated tools and extensions to Shellshock in the coming 24-48 hours."
Bell suggested users be on alert for patches, turn off non-essential services that could expose them to attacks, and modify firewalls to protect against remote attacks.
Sysadmins are also being advised to run a simple Bash command to detect if their system is vulnerable.
All versions of Bash through to version 4.3 are vulnerable to Shellshock, due to the command interpreter's handling of environment variables that allow attackers to inject code remotely in many common configurations.
Patch not effective: security expert
A number of Linux distributions have already issued patches for the flaw, but Insomnia security researcher Adam Boileau warned they may not be complete.
“It looks like the patch does not fix every case of environment variables being used to pass on executable code. We are still testing the patch, and hope to have more information on it soon,” Boileau said.
A number of other security experts highlighted the incomplete nature of the fix on the Red Hat Bugzilla page.
Apple was yet to issue a patch at the time of writing. iTnews found Bash 3.2 in Apple OS X 10.9.5 was vulnerable to Shellshock
Shellshock is rated as 10 out of 10 or the highest possible severity rating by the United States National Vulnerability Database. Furthermore, NVD rated Shellshock as a 10 on the scale when it comes to both impact and exploitability.
