While the most urgent concern around the Bash vulnerability is Internet-facing web servers, embedded systems and industrial control systems are not exempt from worry.
Experts are concerned about Linux-based industrial control systems and SCADA equipment, in particular, that may be affected and difficult to patch.
“Some gear isn’t even designed to be upgraded. There is a lot of ICS equipment still being produced today that has no firmware update mechanism,” said K. Reid Wightman, director of Digital Bond Labs. “Some gear is end of life, and vendors may not produce a patch. ICS and SCADA equipment tend to be in use for 10 or more years before the equipment gets an upgrade. Many vendors stop producing patches before the 10-year upgrade cycle is complete.”
Downtime is also a patching barrier in some cases, and often an unacceptable one.
“Downtime is a huge issue,” Wightman said. “These systems can only be patched during an industrial control system’s maintenance window. This might only roll around once per year (and maybe even longer), depending on the control system.”
Those patching challenges may exacerbate what is already a perplexing set of circumstances around the latest Internet-wide bug. The Bash vulnerability was disclosed yesterday by Stephane Chazelas, and Linux distributions immediately went to work distributing patches to curb the effect of the bug, which could allow an attacker to remotely attach executable code to an environment variable that would be executed when Bash is invoked. Reports this morning that the first patches were incomplete were met by equally disturbing reports of active exploits that could lead to a worm or a DDoS botnet.
While Apache servers using CGI scripts, or some Git deployments running over SSH, are likely most at risk, Wightman said the Bash shell is widespread in ICS and SCADA gear as well as embedded devices.
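Because the CGI path is the exposure the article singles out, the first thing a defender wants is to know whether anyone is already probing their web servers for it. The script below is an added example, not code from the article or from Digital Bond: it scans a web server access log for the Bash function-definition prefix that the public IDS and WAF signatures for CVE-2014-6271 key on, and summarises which clients sent it and which paths they hit. It assumes the Apache/nginx "combined" log format, in which only the Referer and User-Agent headers are recorded; the sample log lines are constructed, and the offending header values carry a harmless echo rather than any real payload.

```sh
#!/bin/sh
# Added example (not from the article): flag requests in a web server access
# log that carry a Bash function definition in a logged header field.  That
# "() {" prefix is what unpatched Bash parses as a function when the header
# reaches a CGI script through an environment variable, so it is the marker
# the public CVE-2014-6271 signatures look for.  Assumes "combined" log
# format; headers other than Referer/User-Agent are not logged there and need
# extended logging or a WAF in front of the server.

# Lines whose quoted header fields contain a function definition, allowing
# the whitespace variants seen in scanning traffic ("() {", "(){", "()  {").
find_function_headers() {
  grep -E '\(\)[[:space:]]*[{]' "$1"
}

# Number of such lines, as a bare integer.
count_function_headers() {
  find_function_headers "$1" | wc -l | tr -d ' '
}

# Distinct client addresses that sent them, one per line, sorted.
function_header_sources() {
  find_function_headers "$1" | awk '{ print $1 }' | sort -u
}

# Requested paths those clients hit: shows which CGI endpoints were tried.
function_header_paths() {
  find_function_headers "$1" | awk '{ print $7 }' | sort -u
}

# Constructed sample log (not real traffic).  The suspicious header values
# only echo a word, so the sample is safe to keep in a test corpus.
make_sample_log() {
  cat > "$1" <<'EOF'
10.0.0.5 - - [25/Sep/2014:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
10.0.0.9 - - [25/Sep/2014:10:01:13 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo scan"
10.0.0.5 - - [25/Sep/2014:10:01:14 +0000] "GET /cgi-bin/report.cgi HTTP/1.1" 404 209 "-" "curl/7.37.0"
10.0.0.9 - - [25/Sep/2014:10:01:15 +0000] "GET /cgi-bin/report.cgi HTTP/1.1" 404 209 "(){ :;}; echo scan" "curl/7.37.0"
10.0.0.12 - - [25/Sep/2014:10:01:16 +0000] "GET /login HTTP/1.1" 200 3021 "-" "Mozilla/5.0 (X11; Linux x86_64)"
EOF
}

# Stand-alone run: build the sample, report, clean up.
log=$(mktemp)
make_sample_log "$log"
echo "suspect requests: $(count_function_headers "$log")"
echo "sources:"; function_header_sources "$log"
echo "paths:";   function_header_paths "$log"
rm -f "$log"
```

On the sample this reports two suspect requests, both from 10.0.0.9, against /cgi-bin/status and /cgi-bin/report.cgi. A 404 on the second does not mean the attempt was harmless on a different host: scanners enumerate common CGI names, so the paths list is a useful checklist of which scripts to verify on each server.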
“Many industrial components run Linux and use bash in a way that will be exploitable,” Wightman said. “Industrially hardened network switches, and even some programmable logic controllers (PLCs) and remote terminal units (RTUs) will likely be affected.”
Wightman offered some specific examples, including RuggedCom’s managed Ethernet switch line, EtherTrak’s managed Ethernet switch line, Wago PLCs, and Schweitzer Engineering RTUs that run Linux.
“There’s a long list of potentially affected devices that are used in ICS/SCADA,” he said.
While most ICS gear and SCADA equipment should not be Internet-facing, which should curtail the impact of Bash in those environments, experts caution that isn’t always the case.
“The vulnerability is identical in IT/OT; however, a disproportionate number of ‘simple’ embedded devices use CGI + Bash as compared to more modern web frameworks,” said Adam Crain, security researcher and founder of Automatak. “Bash is the most common shell used on Linux systems. A large fraction of embedded devices in ICS/SCADA are Linux based. Not all of these systems are vulnerable because not all of them expose a service that can be used to exploit the bash vulnerability.”
It’s important that engineers examine their assets to determine which components may be making use of Bash, some of which are likely hidden.
“Unless an end user spends the time to reverse engineer the industrial gear, they really have no idea if and how bash may be called by services on the system,” Wightman said. “We have even encountered equipment which runs GNU/Linux and Bash, but fails to disclose this to their customers (which is actually a contractual requirement, since they are making use of software that is licensed under the GNU public license).”
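Short of a full reverse-engineering effort, an engineer with shell access to a device, or with an unpacked copy of its firmware, can at least get a first-pass inventory of where Bash is depended on. The script below is an added example, not Digital Bond's or the article's code: it lists scripts whose shebang invokes bash or sh, notes whether /bin/sh is itself a symlink to bash (common on Debian-derived and on some vendor images), lists cgi-bin directories where a script could be reached over HTTP, and runs the standard function-import self-check against the host's own bash. The fixture it scans is a constructed directory tree standing in for a firmware image; the function names are this example's own. A clean result is not proof of safety, since compiled services may invoke bash in ways no shebang reveals, which is exactly the hidden use the article warns about.

```sh
#!/bin/sh
# Added example (not Digital Bond's or the article's code): a first-pass
# inventory of where a Linux-based device depends on Bash.  Point it at "/"
# on a live host or at the root of an unpacked firmware image.  It is a
# heuristic: it cannot see bash invoked from compiled code.

# Scripts under $1 whose first line invokes bash, or sh (which may be bash).
list_shell_scripts() {
  find "$1" -type f 2>/dev/null | while IFS= read -r f; do
    if head -n 1 "$f" 2>/dev/null \
       | grep -qE '^#![[:space:]]*(/usr)?/bin/(env[[:space:]]+)?(ba)?sh([[:space:]]|$)'; then
      printf '%s\n' "$f"
    fi
  done | sort
}

# 0 if $1/bin/sh is a symlink whose target name contains "bash", so that
# every "#!/bin/sh" script on the image actually runs under bash.
sh_is_bash() {
  case "$(readlink "$1/bin/sh" 2>/dev/null)" in
    *bash*) return 0 ;;
    *)      return 1 ;;
  esac
}

# cgi-bin directories under $1: the place a web-reachable script would live.
list_cgi_dirs() {
  find "$1" -type d -name cgi-bin 2>/dev/null | sort
}

# 0 if the host's own bash still imports a function definition from an
# environment variable (the CVE-2014-6271 behaviour), 1 if it is patched or
# absent.  The probe only echoes a marker word; nothing else runs.
host_bash_imports_functions() {
  env PROBE='() { :; }; echo function-imported' bash -c ':' 2>/dev/null \
    | grep -q function-imported
}

# Constructed fixture standing in for an unpacked firmware image.
make_sample_image() {
  root=$1
  mkdir -p "$root/bin" "$root/www/cgi-bin" "$root/etc/init.d"
  printf 'ELF-placeholder\n' > "$root/bin/bash"
  ln -s bash "$root/bin/sh"
  printf '#!/bin/bash\necho "status: ok"\n' > "$root/www/cgi-bin/status.cgi"
  printf '#!/bin/sh\nifconfig eth0 up\n' > "$root/etc/init.d/network"
  printf '#!/usr/bin/env python\nprint("not bash")\n' > "$root/www/cgi-bin/report.py"
  printf 'plain text\n' > "$root/etc/hostname"
}

# Stand-alone run: build the fixture, report, clean up.
img=$(mktemp -d)
make_sample_image "$img"
echo "shell scripts:"; list_shell_scripts "$img"
echo "cgi-bin dirs:";  list_cgi_dirs "$img"
sh_is_bash "$img" && echo "/bin/sh -> bash" || echo "/bin/sh is not bash"
host_bash_imports_functions && echo "host bash: imports functions (unpatched)" \
                            || echo "host bash: patched or absent"
rm -rf "$img"
```

On the fixture the inventory flags the init script and the CGI script, notes that /bin/sh resolves to bash, and points at www/cgi-bin as the directory to review first. On a real device, cross-checking that list against the services that are actually listening is what turns "uses Bash" into "exposes Bash", which is the distinction Crain draws above.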