Heartbleed: Bourne Again?

There’s a new bug in town, and it’s got the internet all of a bother. But is the Bash vulnerability, dubbed ‘Shellshock’ (a piece of code in a really common piece of Linux software), actually Heartbleed: The Second Coming? Unfortunately, bleeding hearts or not, it could still affect you, so if you’re a Linux or Apple Mac OS X user, then don’t be bashful – read on and find out if you need to save your system!

Hold up, what actually is Bash?

In tech – Bash (Bourne Again SHell) is a Unix shell written as a free-software replacement for the Bourne shell.

And in English – it’s best known as the command interpreter for Linux systems, most easily described as the flashing cursor on your screen waiting for you to type. Lots of programs run Bash in the background, or use it for remote access and certain other processes.

So basically if you use Linux or Apple Mac OS X (both of which are Unix-like operating systems), you’ll almost certainly have this shell lurking somewhere, even if you haven’t actively chosen to use it yourself – it’s one of the most commonly installed utilities on these systems.

What’s the situation right now?

Attackers have been crafting specially formed “environment settings” (environment variables) so that Bash executes code hidden inside them.

The vulnerability – called CVE-2014-6271 – comes from an extra bit of code stuck on the end of a regular Bash function definition held in one of these environment variables: when Bash imports the function, it also runs whatever follows it. This is probably being done with the intention of creating a botnet – a network of compromised computers that reach out to each other to mine for personal information, which they then send back to the hackers.

From what we’ve seen so far through our own testing, it looks like you can’t exploit much without having prior access to the system, so anyone wanting to use the flaw would also have to find a way to get into your system/have been in there already. As our CEO, Lawrence Jones says, “It’s like taking a door off by removing the hinges; they can only be removed from the inside”.

So – as it stands – it seems unlikely that many systems will be vulnerable to arbitrary remote command execution, i.e. external hackers chancing it. A lot of the existing proofs of concept currently out there are specially designed to show how a system theoretically could be compromised, rather than being a working example of the flaw actually compromising the average system.

The patch that’s being issued – in theory – closes off the place where the hackers’ code would be added, so there’s nowhere to tack the extra code on; although some are saying that it doesn’t totally cover you, so there are talks of a second patch.

Is the new guy trying for Heartbleed’s throne?

Across the internet you’re probably hearing how this is Heartbleed 2.0, and that it’s basically going to destroy us all and take over the web to rule as our new dark overlord. Well, the internet does love a good scandal… but we’re probably not quite at that stage yet.

The things that really put the fear in everyone with HB were the scale of it, how long it had gone undetected, and the fact that you couldn’t really tell if it had been used against your system. Right now it’s too early to say how many machines will be affected, but potentially/hopefully it’s not in the same ballpark, and if everyone gets on it and updates/patches quickly that will help. Also, Shellshock isn’t quite the ninja that HB was – you can actually see in your logs when someone is scanning your server to check whether the vulnerability is there. Within an hour of HB being discovered it already had loads of active exploits, and that’s not really the case here.

And what are UKFast doing?

Right now we (UKFast we, not the royal we) haven’t yet been able to replicate the flaw in a production environment; the people who are attempting to prove the vulnerability are doing it by inputting the already vulnerable code into the system, but the only active exploits that have worked in the wild so far are on systems that serve content in an old-fashioned way, and are probably just generally vulnerable.

We began testing last night when we learned about the bug, and haven’t found any UKFast production environments that are vulnerable externally without prior authentication taking place. The problem is that now that the world is aware of the potential the vulnerability is providing, it’s possible that at some point this will become possible on more systems.

We’d rather be safe than sorry anyway, so we’re going to apply updates with the patch over the next 24 hours across our systems. The update will be seamless, won’t cause any downtime for you, and shouldn’t have any operational effect on your services. If and when the second patch becomes available, we’ll go ahead and update it too – same rules apply.

How can I protect myself?

Our best advice really, as ever, is to apply the relevant patches and updates being offered by Linux providers and keep checking back for further information as further patches may be released. And as always, general good security practice is encouraged!

You can also run the following command on your server to see if you are vulnerable:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you receive this output, you are vulnerable:

# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

If you receive this output, your server has been patched:

# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
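As an added example (not part of the original UKFast post), the script below wraps the one-line test above in a function that returns a status word you can script across many servers, and then does what the earlier section describes: spotting scanners in your web server logs by looking for the “() {” function-definition prefix in request headers. The access log lines are constructed for the example, and the check only covers the originally reported flaw, CVE-2014-6271, not any follow-on patch.

```shell
#!/bin/sh
# Added example, not from the UKFast post. Sample log lines are constructed.

# Run the one-line test from the post, but turn the result into a status word
# so it can be scripted across many servers instead of being read by eye.
shellshock_check() {
    command -v bash >/dev/null 2>&1 || { echo "bash-not-found"; return 2; }
    # A vulnerable bash runs the "echo vulnerable" appended after the function
    # definition held in x while importing it; a patched bash refuses to.
    out=$(env x='() { :;}; echo vulnerable' bash -c "echo this is a test" 2>&1)
    case "$out" in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        *)            echo "patched";    return 0 ;;
    esac
}

# Write a constructed combined-format access log to a temp file and print its
# path. Two requests carry the "() {" prefix in the Referer/User-Agent fields,
# which is what a scanner probing for Shellshock looks like in your logs.
make_sample_log() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
203.0.113.5 - - [25/Sep/2014:10:01:02 +0100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Sep/2014:10:02:17 +0100] "GET /cgi-bin/status HTTP/1.1" 200 98 "-" "() { :;}; echo vulnerable"
203.0.113.9 - - [25/Sep/2014:10:02:18 +0100] "GET /cgi-bin/status HTTP/1.1" 200 98 "() { :;}; echo vulnerable" "curl/7.37"
198.51.100.2 - - [25/Sep/2014:10:05:40 +0100] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
    echo "$f"
}

# Count log lines carrying the function-definition prefix. Bash only imports a
# variable as a function when its value starts with "() {", so that fixed
# string is the signature worth alerting on. Prints 0 for an unreadable file.
count_probe_hits() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -cF '() {' "$1" || true
}

# List the source addresses sending probes, with a hit count for each.
probe_sources() {
    grep -F '() {' "$1" | awk '{ print $1 }' | sort | uniq -c
}

echo "local bash: $(shellshock_check || true)"
log=$(make_sample_log)
echo "probe hits: $(count_probe_hits "$log")"
probe_sources "$log"
rm -f "$log"
```

Point count_probe_hits and probe_sources at your real access log to see who has been probing; a non-zero count is a reason to confirm the patch is applied, not proof that anything was exploited.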

If you have any questions about the security of your solution at UKFast, give us a call on 0800 045 4945 or contact your account manager.
