Many people have been asking me about the recent Shellshock exploit, so I wanted to share some of what I know to help you protect your company and/or your customers. (FYI, I am President and CEO of Eagle Eye Networks.)
Shellshock (CVE-2014-6271, followed by several related CVEs for incomplete fixes) was publicly disclosed on September 24, 2014. It is still a very real threat, and it affects not only IT systems but physical security systems as well. Just in the last couple of days the anti-malware group "Malware Must Die" reported that the Mayhem botnet is using Shellshock to scan for and infect vulnerable Linux and UNIX servers.
- Shellshock is a vulnerability in the Unix Bash shell, which is the default command shell on many operating systems including Linux, variants of Unix, and Apple's OS X. The bug is in how Bash imports function definitions from environment variables: any command text appended after the function body is executed when the shell starts. So any service that places attacker-controlled data into an environment variable and then invokes Bash (CGI web scripts are the classic case) can be made to run arbitrary commands. Many network appliances run embedded Linux with Bash and may be at risk as well.
- Shellshock was rated 10 out of 10 (CVSS) by the National Institute of Standards and Technology's National Vulnerability Database. (Heartbleed was rated 5.0.) Its access complexity was rated low, which means it can be exploited easily, with no special conditions or user interaction.
- Shellshock allows an attacker to execute code and commands on a system without authentication, with the privileges of whatever process invoked Bash (for a web server's CGI script, that is the web server's own account). From there the attacker can control the machine remotely: read files, run programs, copy or delete data, and attempt to escalate to root.
- While Heartbleed mostly affected servers (strictly, any program using a vulnerable OpenSSL), Shellshock impacts servers, workstations and other Internet-connected devices. Linux systems used as access control systems, security systems, or camera systems are often not as well protected or as regularly patched as Linux systems in datacenters.
- While Heartbleed was an information disclosure bug, Shellshock gives the attacker code execution, and the attacks observed so far have included recruiting machines into DDoS botnets, installing malware, and scanning for further victims. The New York Times estimates that 70% of machines connected to the internet could be impacted.
- In contrast to Heartbleed, where the remedy was to upgrade OpenSSL, reissue keys and certificates, and change passwords, the remedy for Shellshock can be much more complex. Because Shellshock affects lots of embedded devices, it may require firmware upgrades from the device vendor before the patched Bash can be applied at all.
- If you're running a PC that exposes no network services at all, you're probably safe, because the attacker needs some way to get data into an environment variable of a process that then invokes Bash. But the absence of ssh or rlogin is not by itself a guarantee: the known remote vectors are CGI web scripts, DHCP clients that run Bash hook scripts (a rogue DHCP server on an untrusted network can exploit a laptop that merely asks for an address), and sshd accounts restricted with ForceCommand. A firewall that blocks all inbound ports reduces exposure but does not cover the DHCP case, so patch Bash regardless.
- The most serious problems are for devices such as routers, appliances and switches that use embedded Linux. Older, unsupported models may be impossible to patch and thus remain vulnerable to attack. If you really want to be protected you may need to replace this equipment or completely disable all remote access to it.
- Web servers that run CGI scripts (or any other handler that invokes Bash), and video surveillance systems whose web interface is built that way, are potentially highly vulnerable and need to be patched immediately. The vulnerabilities are real and are being exploited in the wild.
- If you're using a hardware solution (NVR, DVR, appliance) and the vendor has not notified you of a fix, be sure to contact them for instructions and guidance on how to fix this vulnerability, or at least to learn whether you are exposed. If you installed your VMS as software, you may not be able to get help from the vendor, but you should still take this vulnerability very seriously. If you are using VMS software on Linux, take inventory of every Linux host involved and patch its OS.
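The "take inventory and patch" step above needs a quick way to tell whether a given Bash binary still has the original bug. The following script is an added example written for this page, not code from the original post or from Eagle Eye Networks; the function name `bash_is_vulnerable` and the marker string are my own choices. It uses the well-known probe for CVE-2014-6271: it runs Bash with an environment variable whose value looks like an exported function definition followed by a trailing command. A vulnerable Bash executes that trailing command while importing the variable, which is exactly the mechanism a CGI request header or a DHCP option abuses.

```shell
#!/bin/sh
# Added example: probe a bash binary for CVE-2014-6271 (the original Shellshock
# bug). Not part of the original post; the function and marker names are mine.

# Returns 0 if the bash under test executed the injected command (vulnerable),
# 1 if it did not (CVE-2014-6271 is patched), 2 if no bash binary was found.
bash_is_vulnerable() {
    bash_bin="${1:-bash}"          # path of the bash to test; default is PATH
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no bash found at '$bash_bin'" >&2
        return 2
    fi
    # Value mimics an exported function ("() { :;}") with a command appended.
    # The marker can only appear in the output if bash ran that appended
    # command while importing the environment; the -c script itself never
    # prints it.
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' "$bash_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) return 0 ;;
        *)                   return 1 ;;
    esac
}

# Stand-alone use: ./check.sh [/path/to/bash]
rc=0
bash_is_vulnerable "${1:-bash}" || rc=$?
case "$rc" in
    0) echo "VULNERABLE: this bash executes code from environment variables (CVE-2014-6271). Patch now." ;;
    1) echo "OK: this bash does not execute the injected command (CVE-2014-6271 not present)." ;;
    *) echo "UNKNOWN: could not run bash to test it." ;;
esac
```

Run it on every Linux host and appliance you can get a shell on, pointing it at the bash binary the services actually use (for example `/bin/bash` on a camera's firmware). A bash that passes this probe may still be affected by the follow-on bugs (CVE-2014-7169 and the later CVEs), so treat a clean result as "the worst bug is gone", and confirm the distribution's or vendor's patch level rather than relying on the probe alone.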
It is vital for physical security resellers, integrators, and internal support staff to stay up-to-date on cyber security attack vectors that can potentially impact the systems they sell or support. More and more, end users are expecting their integrators to be responsible for this.
As a managed cloud service, Eagle Eye Networks’ security team immediately patched the Eagle Eye Video Security Platform and all of our customers were immediately protected.