Shellshocked? Better Check! Bash Shell RCE Vulnerability Exposed
Vulnerabilities are becoming a part of our daily email alerts. More technology resources have led to a corresponding rise in attempts to expose and attack those same resources. With many still reeling from the Heartbleed SSL vulnerability that was found earlier this year, we are back on the defensive with the just-announced Shellshock Bash vulnerability.
Remote Code Execution Risk
This particular vulnerability moves up the risk list quickly because it opens the door to remote code execution. For hackers, this is the holy grail of exposures, as it creates a chance to turn a vulnerable resource into their own playground if enough control can be garnered.
At this point there are not many known large-scale instances where this has been exploited, but it is inevitable that, as the day rolls on, we will see attackers begin building ways to leverage this potential weakness.
All About Shellshock
When you have a vulnerability, you inevitably have a great read from Troy Hunt. This is no exception as Troy has written up a great post on the ins and outs of the Shellshock vulnerability and how you can check your resources for exposure.
We will be seeing lots of activity over the coming days as vendors line up to issue various patches and mitigation techniques to reduce the attack surface for this issue. At this point, it is difficult to say what the direct risks are, so it is imperative that you and your teams get in contact with vendors.
VMware has noted that they are aware of and investigating this issue, which could affect a number of their virtual appliances. This will most certainly be just the beginning of the posts addressing this problem.
Patch All The Things!
As the famous Hyperbole and a Half meme goes, we need to “Patch all the things!”, which brings up a powerful point on infrastructure management. These are the types of situations that remind us of the need to embrace configuration management, orchestration, and other tools to centrally and programmatically deal with system configuration.
If you haven’t already investigated management tools such as Puppet, Chef, Ansible, vCenter Orchestrator, vCloud Automation Center, and System Center Configuration Manager, now is the time to do so. As you begin the process of rolling out patches and configuration changes to physical and virtual environments, it doesn’t take long to see the value of having it scripted and centralized.