In late September, the news broke about a new vulnerability in the widely used Bourne Again Shell (Bash), which the security community called "Shellshock". Bash is present in most Linux and Unix distributions as well as Apple’s Mac OS X.
According to Palo Alto Networks, the issue is only exploitable by authenticated users. The only way to fully prevent exploitation is to upgrade Bash on the system to a non-vulnerable version.
"The good news is that this vulnerability was disclosed responsibly and patches are available for most platforms on the day of the public disclosure. The bad news is that this vulnerability is going to have a very long tail. Bash is the default shell for the most-popular Linux variants and every version of the software stretching back over two decades is vulnerable. Well-maintained systems will be patched today, but that dusty old system in the networking closet might never get the update," stated the company, warning that network devices, embedded systems and Internet-connected devices like IP cameras often run Linux and could be vulnerable.
Palo Alto Networks says that systems are only remotely exploitable if they run an application which makes Bash accessible over the network. "The most-common exploit scenario seems like it will be web servers running Apache and using CGI scripts," stated the company.
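As an added example (not from the original article or either vendor), here is a small Python detector for the Apache CGI scenario just described: it parses Apache combined-format access log lines and flags the request-derived fields (request line, Referer, User-Agent) that carry the "() {" prefix with which Bash recognised exported functions, since a CGI server copies those headers into the environment that Bash later reads. The log lines, the IP addresses and the field names are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Apache "combined" log format (constructed regex for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Bash only imported an exported function whose value began with "() {", so that
# prefix inside attacker-controlled header text is the indicator to look for.
SIGNATURE = re.compile(r'\(\)\s*\{')

# CGI maps these fields into environment variables such as HTTP_USER_AGENT,
# HTTP_REFERER and QUERY_STRING, which is how a header reaches Bash.
CGI_FIELDS = ("request", "referer", "agent")


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into named fields, or None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def shellshock_indicators(line: str) -> List[str]:
    """Return the names of the CGI-exposed fields in this line carrying the signature."""
    rec = parse_combined(line)
    if rec is None:
        return []
    return [f for f in CGI_FIELDS if SIGNATURE.search(rec[f])]


def scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (1-based line number, flagged fields) for every suspicious line."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = shellshock_indicators(line)
        if fields:
            hits.append((n, fields))
    return hits


# Constructed sample traffic: one benign request, one probe via User-Agent,
# one probe via Referer. The payload only echoes a word, it runs nothing else.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Sep/2014:10:15:01 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [25/Sep/2014:10:15:02 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :; }; echo probe"',
    '198.51.100.4 - - [25/Sep/2014:10:15:03 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 404 209 "() { :;}; echo probe" "curl/7.37.0"',
]

if __name__ == "__main__":
    for lineno, fields in scan(SAMPLE_LOG):
        print(f"line {lineno}: Shellshock signature in {', '.join(fields)}")
```

Matching on the prefix rather than on a specific payload keeps the check useful against variants, at the cost of needing a quick look at any hit before acting on it.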
Palo Alto Networks says patches are available for: Red Hat, Debian, CentOS, Ubuntu and Novell.
CyberArk calls Shellshock a more serious vulnerability than Heartbleed. According to the company, one of the largest industries now considered vulnerable is the energy sector, whose SCADA and industrial control systems are largely built on UNIX technology.
"Shellshock allows attackers to execute code remotely, leaving organisations susceptible to unauthorised processes or commands on target machines. Zero-day vulnerabilities like this are ideal entry points for a classic advanced persistent threat," said Dan Dinnar, Vice President for Asia Pacific at CyberArk. "Once an attacker exploits a zero-day to bypass security defences, they look for ways to jump beyond the reach of the zero-day and that is almost always by exploiting privileged accounts. Organisations need to focus on securing and monitoring activity for these accounts to limit the scope and damage of a breach by cutting off an attacker's ability to move laterally from an affected machine to others in the network."
From a privileged account security perspective, CyberArk recommends that businesses:
Harden Unix servers
Organisations should harden their Unix servers by removing unnecessary root privileges and by tightly controlling or restricting shell capabilities where a shell is needed. The aim is that only authorised commands can be run, rather than commands injected by an attack such as Shellshock.
Monitor privileged account behaviour
Exploited zero-day vulnerabilities lead most often to privileged credential theft as a way to move beyond the vulnerable machine. To identify this lateral movement, organisations should monitor account activity for irregular behaviour of privileged accounts.