Shellshock, the Perfect 10 Exploit: Easy to Use, Devastating Impact
A new bug, dubbed "Shellshock," which affects software used in computer systems worldwide, came to light last week. According to the U.S. Department of Homeland Security's United States Computer Emergency Readiness Team ("US-CERT"), "[t]his vulnerability is classified by industry standards as 'High' impact with CVSS Impact Subscore 10 and 'Low' on complexity, which means it takes little skill to perform." In other words, it is easy to use, is present in millions of systems, and is capable of devastating impact and exposing liability risks. Reporters are already comparing Shellshock to the recent Heartbleed vulnerability and saying it could wreak even more havoc.
Vulnerabilities Are Reported All the Time. What Makes This Bug So Bad?
The vulnerability is in the GNU Bourne Again Shell ("Bash"). US-CERT reports that Shellshock potentially enables remote code execution and exploitation of affected Linux, Unix, or Mac OS X systems, meaning that the vulnerability may be exploited from outside company networks by remote actors. In simpler terms, a hacker who takes advantage of Shellshock could download and install malware; delete, modify, or steal information; obtain administrative access; and disable systems. Researchers are also suggesting that Shellshock is "wormable," meaning that a hacker could load a self-replicating worm onto just a few systems and watch the worms replicate across the internet. Such worms could be used as payload delivery mechanisms for remotely installing malware and remote access capabilities onto corporate web servers and other systems, enabling the hacker's subsequent and unhindered access to corporate data and assets.
The vulnerable versions of Bash are used in millions of systems worldwide. The New York Times reports that the vulnerability is prevalent in 70 percent of machines that connect to the internet. Technical commentators are suggesting that Shellshock may affect some network equipment and embedded devices, such as routers, firewalls, and wireless access points. It also affects versions of vulnerable operating systems dating back at least 25 years. "Legacy" computer systems, which are often rarely patched or updated out of fear of harming the system, therefore may be particularly vulnerable. Shellshock may also affect some everyday consumer devices like home wireless routers, cell phones, and "internet-of-things" devices that use Bash and that may not receive update patches with sufficient frequency, if ever. Commentators have suggested that in some devices, the vulnerable software may be embedded in a manner that renders the software incapable of receiving patches to eliminate the vulnerability.
What Is the Legal Significance of This Vulnerability?
While software bugs and malware are typically the domain of the IT function, the U.S. and other jurisdictions are increasingly making timely response to critical risks, like Shellshock, a legal compliance obligation. The HIPAA Security Rules, for example, specifically require covered entities and business associates to "[p]rotect against any reasonably anticipated threats or hazards to the security or information of [electronic protected health] information." 45 C.F.R. § 164.306(a)(2). The Gramm-Leach-Bliley Act (15 U.S.C. §6801, et seq.) and its implementing regulations, Massachusetts's data security regulations (201 CMR 17.00, et seq.), and the Payment Card Industry Data Security Standards ("PCI-DSS"), to name just a few laws and industry standards, impose similar obligations. The agencies that enforce these laws, such as the U.S. Federal Trade Commission, are actively pursuing enforcement actions against entities for failing to timely remedy known security vulnerabilities. Accordingly, companies in just about every industry are well-advised to make sure that appropriate action is taken to address Shellshock.
In this age of increasing outsourcing and reliance on third-party vendors to host, operate, and maintain IT and data assets, it is the customer's responsibility to ensure that these legal obligations are met. Accordingly, such companies should confirm, in writing, with their service providers: (i) that assets vulnerable to Shellshock have been identified; (ii) that patches are being put in place in a timely manner; and (iii) that other reasonable measures and controls, which may include measures referenced below, are being followed and implemented to detect unusual network activity or attacks.
Like the Backoff malware and Heartbleed bug before it, Shellshock is another in a series of events that brings increased scrutiny to corporate privacy and data security practices. In addition to the recommendations outlined above and the technical suggestions below, companies should reassess enterprise-wide privacy and data security policies and procedures to ensure that data is adequately protected and that privacy and data security compliance obligations are met. Any such review should be directed and supervised by legal counsel to ensure appropriate consideration of all applicable legal obligations.
What Technical Measures Should Be Taken?
Companies should immediately evaluate technical measures they can take to mitigate any related harm and potential liabilities arising with Shellshock, including implementing available patches for many versions of Linux systems and Apple OS X that address the vulnerability. Researchers have reported that certain Linux patches may not be perfect, but they do make exploiting the vulnerability more difficult.
Art Ehuan, Managing Director of Cyber Protection Services, and Ryan Johnson, Director of Cyber Protection Services, both at Alvarez & Marsal (a leading global professional services firm), make the following recommendations:
- Apply the Linux patch (or patches for other systems affected by this vulnerability) immediately and give priority to servers that are internet-facing and that accept input from remote users.
- For many companies, Shellshock will affect systems and network equipment provided by third parties. Contact the vendors of those systems and network equipment to determine whether or not the vulnerability affects such systems and network equipment.
- Many vulnerability and web application scanning vendors have released signatures to scan for and detect Shellshock on systems. Conduct in-depth scanning using such signatures in order to determine your level of risk exposure. Where the vulnerability exists and no patch is available, disable the affected service on the vulnerable system.
- Malicious actors are scanning for and exploiting Shellshock over the internet. Intrusion Detection System ("IDS") vendors have released signatures to detect and even block exploitation attempts. Update your IDS signatures immediately in order to detect and respond to exploitation attempts.
Finally, experts largely agree that prompt action to address Shellshock now will be considerably less costly and require less effort than responding to a Shellshock-triggered breach or event later.
For further information, please contact your principal Firm representative or one of the lawyers listed below. General email messages may be sent using our "Contact Us" form, which can be found at www.jonesday.com.
Mauricio F. Paez
Todd S. McClelland
Richard J. Johnson
Art Ehuan, Managing Director of Cyber Protection Services for Alvarez & Marsal, and Ryan Johnson, Director of Cyber Protection Services for Alvarez & Marsal, contributed the technical measures to this Alert. Art can be reached at +1.571.331.7763 or at [email protected] Ryan can be reached at +1.919.210.8634 or at [email protected]
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our "Contact Us" form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.