Is the bash bug, Shellshock, worse than the Heartbleed bug? There is some debate on the topic, but it is likely that the bash bug will be worse, because its attack surface is so large and a single exploit can lead to an open-ended range of secondary attacks. Additional reading here and here.
First of all, Heartbleed is not in the past. Many sites that were affected by Heartbleed have been patched, but there are still old certificates in use that could have been compromised. The problem is that, as an end user, it is difficult to know for sure what is safe and what is not. SSL has always been an enigma for users, who have been trained to look for a lock and then trust the lock. That mantra has not really changed. After all, it really is the site owner’s responsibility to have fixed the bug and updated their certificates. If their traffic is being intercepted and a credit card number is stolen, consumers have plenty of protections and are usually only inconvenienced by the experience. All that said, Heartbleed’s main attack vector was to allow encrypted traffic to be decrypted. The subsequent exploits were left to the attacker: whether to use credit card information or PII, or to pull passwords that could be reused in other attacks. Such an attack would most likely be tailored to a specific organization, which reduces the likelihood of automated scripts taking advantage of it.
The bash bug, on the other hand, can easily lead to all sorts of exploits that go much deeper and potentially last much longer. Leveraging the bash bug, an attacker could gain control of a device such as a router, install legitimate software put to malicious use such as a packet analyzer, add a back door or an extra account so they can return to the device later, and then fix the bash bug on the device themselves, closing the hole while keeping their foothold. The device can then be used to siphon passwords or as a platform to launch additional attacks on the inside of an organization. A subsequent scan or audit may show that the device has been patched, so it may be left out of other remediation efforts. All of the above is something that could be scripted and executed across thousands of devices in hours. Automated attacks can be indiscriminate.
At this time we are still in the early stages of the bash bug. Some vendors do not have patches out yet. It remains to be seen whether some will ever release patches, in particular for home routers, which are often abandoned by their manufacturers in favor of selling newer hardware rather than supporting the old. Inside a network there are also many other devices and services that may be exploitable.
One thing this should teach all of us is that relying on “other people” to read code is not really working as a model for security. Sure, a product may be open source, but that does not automatically mean that it is secure, or even that effort has been put into ensuring the ongoing security of the product after every change to the code.
No one is an authority on this bug yet. Some of the patches have issues, the first worm has just started making the rounds, and information is still flowing regarding easy first targets. Chi Engineers are staying up to date as this progresses and can help with your testing and patching. Give us a call!
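Because an audit can report a device as patched when it is not (the "patches have issues" point above, and the patched-by-the-attacker scenario earlier), a defender wants a direct test of the bash binary rather than a version string. The following is an added example, not code from the original post or from Chi Corporation: it exports an environment variable shaped like a function definition with a trailing command and reports whether the bash found on PATH executes that trailing command when it starts. It assumes a bash binary is on PATH (or is passed as the first argument) and checks only the original exported-function behaviour, not the later incomplete-patch variants.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the post): probe a bash binary
# for the Shellshock exported-function behaviour.
# Prints one of: vulnerable | patched | unknown | no-bash
# Exit status: 1 = vulnerable, 0 = patched, 2 = could not determine
shellshock_check() {
  bash_bin="${1:-bash}"
  command -v "$bash_bin" >/dev/null 2>&1 || { echo "no-bash"; return 2; }

  # The variable value looks like a function body followed by a command.
  # A vulnerable bash imports the function AND runs the trailing command
  # while processing its environment; a fixed bash treats the value as a
  # plain string (it may warn on stderr, which we discard).
  out="$(env SHELLSHOCK_PROBE='() { :;}; echo probe-executed' \
         "$bash_bin" -c 'echo probe-done' 2>/dev/null)"

  case "$out" in
    *probe-executed*) echo "vulnerable"; return 1 ;;
    *probe-done*)     echo "patched";    return 0 ;;
    *)                echo "unknown";    return 2 ;;
  esac
}

# Stand-alone use: report on the default bash, exit code follows the result.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
  shellshock_check "$@"
fi
```

Run it on each host from cron or a configuration-management job and alert on anything other than "patched", so a device an attacker quietly "fixed" is still caught by the behavioural test rather than by its reported package version.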
Paul Comfort
Senior Systems Engineer
Chi Corporation
@PCComf