MADISON, Wis. (9/29/14)--As if dealing with the recent Home Depot and Jimmy John's breaches weren't enough of a headache, a computer bug affecting the Linux/Unix operating systems has the potential to create "chaos and mayhem" for credit unions, according to one industry security expert.
A critical vulnerability, dubbed Shellshock, has been found in the GNU Bourne Again Shell (Bash), a command-line shell used in most Linux/UNIX operating systems and Apple's Mac OS X. Attackers can exploit the vulnerability to take complete control of a targeted system. Credit unions should ensure security patches are installed promptly as soon as they are made available by vendors, according to a CUNA Mutual Group risk alert issued Friday.
The Federal Financial Institutions Examination Council (FFIEC) has issued guidance on the vulnerability. (See related article: FFIEC offers guidance on Shellshock computer bug.)
Also, the Department of Homeland Security has issued an alert that identifies systems affected by Shellshock. They include:
Homeland Security has classified the Bash vulnerability as level 10 in severity, which is the highest level. Compounding the problem, the vulnerability is rated "low" in attack complexity, meaning it takes little skill to exploit.
The bug could leave credit unions running those operating systems open to exploitation by specially crafted attacks, according to Brandon Edwards, vice president of SilverSky Labs, a provider of cloud security solutions and a CUNA Strategic Services alliance provider. The bug is projected to be much more widely distributed than the Heartbleed bug discovered earlier this year and should be addressed immediately, Edwards said.
Heartbleed, discovered in April, is a bug that affected open-source encryption software called OpenSSL. The bug put the data of millions of people at risk as OpenSSL is used in about two-thirds of all websites.
"This is without a doubt a much bigger deal than Heartbleed," said Edwards. "The bug is incredibly easy to exploit, vulnerable programs are more widespread and the consequences are more severe. Expect chaos and mayhem as the bad guys now rush to take advantage of it before it is patched. Major breaches are likely in progress as we speak."
Desktops, servers, and embedded devices could all be susceptible because Bash is so prolific, Edwards explained. Because the vulnerability is relatively easy to exploit, attackers can use it to distribute malware or break into vulnerable servers. Once inside a system, attackers can steal confidential data.
Shellshock will likely continue to live on in unexpected places where Bash has not been identified, or which have no easy mechanism for patching.
In contrast to Heartbleed, in which exploitation was very specific and often complicated, with impact changing on a case-by-case basis, Shellshock lets attackers directly execute commands/code and take control of the system, and exploitation is universal and incomprehensibly easy, Howard said.