A vulnerability in the Bourne Again Shell (bash), dubbed “Shellshock,” has become a major security concern and drawn comparisons to the Heartbleed bug. The bash vulnerability scored a 10 on the Common Vulnerability Scoring System (CVSS), and an initial patch did not effectively address the flaw.
The OS command injection vulnerability was made public on Wednesday after being discovered by Stephane Chazelas of Akamai last week. As a Unix shell flaw, Shellshock could affect any computer running Linux or Mac OS; however, Josh Bressers, Red Hat Product Security Team Leader, told Threatpost that the vulnerability applies only under very specific conditions, which are not common.
Despite this, the risk is considered high, as the type of vulnerability offers more control to an attacker exploiting it than an OpenSSL bug like Heartbleed. Andy Ellis, Chief Security Officer of Akamai, notes in a blog post that Shellshock, with its original failed attempt at a fix, “presents an unusually complex threat landscape as it is an industry-wide risk.”
The post concludes that Akamai does not have evidence of any system compromises. “And unfortunately, this isn’t ‘No, we have evidence that there were no compromises;’ rather, ‘we don’t have evidence that spans the lifetime of this vulnerability,’” Ellis said. “We doubt many people do – and this leaves system owners in the uncomfortable position of not knowing what, if any, compromises might have happened.”
The Heartbleed OpenSSL vulnerability may have been exploited in an attack which netted millions of health care records.
Heartbleed became a protracted security issue despite a relatively easy fix, and rushed attempts to address it actually increased exposure, in some cases.