Vulnerabilities discovered in 25-year-old program
Developers have discovered a series of vulnerabilities with the potential to affect a substantial number of computer systems and web servers, said Charles Hedrick, University director of Instructional and Research Technology.
The vulnerabilities, known as Shellshock, are in a program called Bourne Again Shell, said Val Red, a system administrator with the Engineering Computer Services.
A shell is a command interpreter, the text-based user interface through which an operating system accepts commands, according to techtarget.com.
Some operating systems use BASH, which was released in 1989, as a command line interface, said Michael Gergel, the University director for Information Protection and Security in an email. Shellshock is a set of exploitable bugs in BASH that allow attackers to launch their own commands.
BASH is normally part of Linux or the Mac operating system, and is often a part of web servers, Hedrick said. Windows computers do not use it.
Most people do not use shells due to the ease and comfort of modern graphic interfaces, he said. Servers depend more on this shell than they do on graphic interfaces, which makes them much more exposed.
A web server with the vulnerable version of BASH can be forced to run outside commands, Hedrick said. Those commands could reveal private data or delete important information.
Not all systems are open to attack, he said. Only systems running an older version of BASH set up to run Common Gateway Interface scripts by default are at risk.
The Common Gateway Interface (CGI) is the convention by which a web server passes a request to an external program and returns that program's output to the visitor, according to techtarget.com. Details of the request, including headers the visitor's browser sends, reach the program as environment variables, which is how a web request can deliver attacker-chosen text to a BASH script.
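The following is an added example, not code from the article, Rutgers or the BASH project. It reproduces the standard test for the first Shellshock bug (CVE-2014-6271) and simulates how a request header becomes an environment variable for a BASH CGI script. It assumes a `bash` binary is on PATH; the header values are constructed test input, not captured traffic.

```shell
#!/bin/sh
# Added example, not from the article or from Rutgers: reproduce the check for
# the original Shellshock bug (CVE-2014-6271) and show how a web request reaches
# it through CGI. Assumes a `bash` binary is on PATH; header values below are
# constructed test input.

# Bash exports functions as environment variables whose value begins with
# "() {". Before the fix, bash also executed whatever followed the closing
# brace when it imported such a variable. Prints "vulnerable", "patched" or
# "no-bash" (when no bash binary is installed).
shellshock_check() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    out=$(env 'x=() { :;}; echo SHELLSHOCK_TRAILER_RAN' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_TRAILER_RAN*) echo "vulnerable" ;;
        *)                        echo "patched" ;;
    esac
}

# CGI (RFC 3875) passes each request header to the script as an environment
# variable named HTTP_ plus the header name in upper case with '-' as '_'.
# That naming is why an attacker-controlled User-Agent header lands in the
# environment of a bash CGI script as HTTP_USER_AGENT.
cgi_env_name() {
    printf 'HTTP_%s' "$(printf '%s' "$1" | tr 'a-z' 'A-Z' | sed 's/-/_/g')"
}

# Simulate a web server invoking a bash CGI script with one request header
# set. The one-line script body stands in for any CGI script written in bash.
run_cgi_with_header() {
    header_name=$1
    header_value=$2
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    env "$(cgi_env_name "$header_name")=$header_value" \
        bash -c 'printf "Content-Type: text/plain\n\nhello from cgi\n"'
}

# Stand-alone run: the classic Shellshock header value. On a patched bash the
# output is just the CGI script's own response; the trailing command is inert.
echo "local bash: $(shellshock_check)"
echo "--- request with User-Agent: () { :;}; echo INJECTED ---"
run_cgi_with_header 'User-Agent' '() { :;}; echo INJECTED'
```

On an unpatched BASH the simulated request prints `INJECTED` before the script's own response, which is the attacker's command running with the web server's privileges; on a fixed BASH the header value is imported as an ordinary string and nothing extra runs.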
“CGI scripts are almost universal just because they’re vital in providing dynamic content,” Red said.
Dynamic content refers to the user interface, he said. The way a program looks and acts to anyone trying to use it is the interface.
Red Hat Software and other developers have released patches for Shellshock, he said. They have released updated patches as they discovered new vulnerabilities.
University servers are not at risk, Hedrick said. After the first two bugs were announced, Rutgers implemented patches to protect the University community from attack.
Major servers, such as Rutgers Web Registration, are not at risk of attack, he said.
“What we did on our web servers is we made sure we don’t have any CGI scripts,” he said. “If you don’t have any scripts, then problems in BASH don’t matter.”
CGI scripts are unnecessary on those servers, he said. The size and complexity of those systems prevent them from using shell scripts. Some older versions of Apache, the web server software used by many websites, may have these scripts but pose no threat.
But faculty or student servers may be at risk, he said. Modern versions of Apache should not be vulnerable, but if users turn on a certain feature, which he did not specify, their server will use BASH; with older versions of Apache, BASH is likely run by default.
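The kind of check behind "we made sure we don't have any CGI scripts", as an added example that is not the University's procedure and not from the article: it lists the directives in an Apache configuration file that route requests to CGI programs. The directive names are Apache's own; the configuration fragment is constructed for the demonstration, not taken from any real server.

```shell
#!/bin/sh
# Added example, not the University's procedure: list the Apache directives
# that hand requests to CGI programs, the exposure Hedrick describes removing.
# The directive names are Apache's; the config fragment below is constructed
# for the demonstration, not taken from any real server.

# Print the active (non-comment) lines of a config file that enable CGI:
#   ScriptAlias / ScriptAliasMatch        map a URL prefix to CGI programs
#   Options ... ExecCGI / +ExecCGI        allow CGI in a directory ("-ExecCGI" is not counted)
#   AddHandler / SetHandler cgi-script    treat matching files as CGI
#   LoadModule cgi_module / cgid_module   load the CGI module at all
audit_apache_cgi() {
    grep -Ev '^[[:space:]]*#' "$1" \
      | grep -E 'ScriptAlias(Match)?[[:space:]]|(^|[[:space:]])Options[[:space:]][^#]*[[:space:]+]ExecCGI|(Add|Set)Handler[[:space:]]+cgi-script|LoadModule[[:space:]]+cgid?_module'
}

# Number of such lines; 0 means the file enables no CGI.
count_apache_cgi() {
    audit_apache_cgi "$1" | grep -c .
}

# Constructed sample: one commented-out alias and one "-ExecCGI" that must not
# count, and four live directives that must.
write_sample_config() {
    cat > "$1" <<'EOF'
LoadModule cgi_module modules/mod_cgi.so
# ScriptAlias /old-cgi/ "/var/www/old-cgi/"
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
<Directory "/var/www/html/reports">
    Options +ExecCGI -Indexes
    AddHandler cgi-script .cgi .sh
</Directory>
<Directory "/var/www/html/static">
    Options -ExecCGI
</Directory>
EOF
}

# Stand-alone run against the constructed sample.
sample=$(mktemp)
write_sample_config "$sample"
echo "CGI-enabling directives in sample config ($(count_apache_cgi "$sample")):"
audit_apache_cgi "$sample"
rm -f "$sample"
```

Run `audit_apache_cgi` over each file Apache actually loads (the main configuration plus anything it includes); an empty result is the state the article describes, in which a BASH bug cannot be reached through the web server because no request ever starts a shell.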
“That doesn’t mean every web server is going to have this problem,” he said. “But there are a lot of web servers around the University.”
Unpatched systems are at risk, Gergel said. Systems are not at risk if they are not set up to use the shell.
Servers at the University usually have a “deny-by-default” policy that protects them from attack, Red said. Exploiting Shellshock would require a lot of effort on the part of the attacker. Most currently circulating exploits require older versions of BASH.
More bugs are likely to emerge, Hedrick said. These problems would probably be fixable, but discovering and patching all of them would take a few days.
The University is making information available to administrators via email as it is released, Gergel said.
“Rutgers has a quick and efficient Computer Incident Response Team that has and will continue to help mitigate any residual risk to our systems post-patch,” Red said.