
“Shellshock” Bash exploit is bad, but not the end of the world. Bad journalism.

Posted on September 25, 2014

Yes, the Bash exploit is bad. I am not trying to say that it is not potentially dangerous. You should update your system as soon as possible.

With the headlines though, you would think the entire internet is going to fall apart. The BBC is calling it ‘Deadly serious’ and ‘The worst bug ever to hit the internet.’ The bug now even has its own bleeding logo and a nickname, ‘Shellshock.’ Perhaps the most ridiculous thing I’ve come across today, though, is on CNN Money: ‘Bash bug could let hackers attack through a light bulb.’

The CNN article is the worst I’ve read on a computer-related security issue in a long time. And it’s spreading everywhere. Fearmongering for clicks.

The bash bug is only exploitable remotely (short of having shell access) through an application that interfaces with the shell and passes unfiltered user input to it. Red Hat has already published research demonstrating this. By default, mod_php, mod_perl, and mod_python are used in most popular distros and are not run as CGI. No one will be exploiting any of the vanilla Red Hat/CentOS/Debian/Ubuntu installations. Therefore, simply having an outdated version of bash does not automatically make a system exploitable from the outside.

I tried to find some stats on the number of users running scripts as CGI, but they were hard to come by. I cannot say that “most web servers” won’t be affected by this, but given how users generally stick with defaults, it’s not responsible to act as though the whole internet is remotely vulnerable either, as these articles would have you scared to believe. None of my servers would have been penetrable from the outside even if I had not applied the patch. I suspect the same is true for others. That’s why, when I hear that this is “worse than Heartbleed”, I disagree. With Heartbleed, anyone and any service running OpenSSL was vulnerable. That is clearly not so for ‘Shellshock.’

A further example of bad fact-checking and research in the media is this quote:

One of the articles mentions that cPanel, which publicly ships a ‘default’ webpage using CGI, could be a threat, and makes it seem as if it already is. “It’s things like CGI scripts that are vulnerable, deep within a website (like cPanel’s /cgi-sys/defaultwebpage.cgi),” Graham wrote.

Yet, I tried to see if the bash exploit worked, and it does not. Why?

“Our internal testing showed that /cgi-sys/defaultwebpage.cgi was not vulnerable to this exploit. It is not written in bash and does not make any calls to bash.” — cPanel

So… did the security researcher making this claim even bother to test whether that particular script was exploitable? The reporters obviously didn’t verify either. It’s bad to imply that an application is vulnerable when it is not. That’s also further proof that simply running CGI scripts does not, by itself, make you a sitting duck.
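As an added example (not from the original post), here are the two checks an admin would actually run on their own box to answer the questions raised above: whether the installed bash is still unpatched, and whether any script in a CGI directory is a bash or sh script that would hand request variables to bash, which is what separates a truly exposed server from one running a CGI like cPanel’s that never calls bash. The script, its function names and the sample CGI files it creates in a temporary directory are all constructed for this example.

```sh
#!/bin/sh
# Added example, not from the original post: two checks an admin would run on
# their own host to answer the two questions the post raises.
#
# 1. shellshock_status: is the installed bash itself still unpatched? This is
#    the public 2014 self-test: export an environment variable holding a bash
#    function definition with trailing code, then start bash. A patched bash
#    imports the function and discards the trailer; an unpatched bash runs it.
# 2. cgi_shell_scripts: which executables in a CGI directory are bash or sh
#    scripts, i.e. the only ones that would hand HTTP_* request variables to
#    bash? A Perl or compiled CGI, like cPanel's default page, is not listed.
#    (On Red Hat-family systems /bin/sh is bash, so sh scripts count too.)

shellshock_status() {
    bash_bin="${1:-$(command -v bash 2>/dev/null)}"
    if [ -z "$bash_bin" ] || [ ! -x "$bash_bin" ]; then
        echo "no-bash"
        return 0
    fi
    # The trailer only echoes a marker; nothing on the host is changed.
    out=$(env 'x=() { :;}; echo SHELLSHOCK_MARKER' "$bash_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo "vulnerable" ;;
        *)                   echo "patched" ;;
    esac
}

# Print, sorted one per line, the executable files under $1 whose first line
# is a bash or sh shebang.
cgi_shell_scripts() {
    for f in "$1"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        case "$(head -n 1 "$f" 2>/dev/null)" in
            '#!'*/bash*|'#!'*/sh*|'#!'*env\ bash*|'#!'*env\ sh*) basename "$f" ;;
        esac
    done | sort
}

# Stand-alone demo on a constructed cgi-bin: one bash CGI and one Perl CGI.
demo_dir=$(mktemp -d)
printf '#!/bin/bash\necho "Content-type: text/plain"; echo; env\n' > "$demo_dir/printenv.cgi"
printf '#!/usr/bin/perl\nprint "ok\\n";\n' > "$demo_dir/perl_page.cgi"
chmod +x "$demo_dir"/*.cgi
echo "bash status: $(shellshock_status)"
echo "shell CGI scripts: $(cgi_shell_scripts "$demo_dir" | tr '\n' ' ')"
rm -rf "$demo_dir"
```

A host whose bash reports "patched" and whose CGI directory lists no shell scripts has neither half of the remote attack path the post describes.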

In short: update your server/computer/phone, but don’t panic. Your light bulb is not going to be hacked, and your oven won’t catch fire. After all, the world we live in isn’t Mega Man Battle Network: