What is Shellshock?
Shellshock is a critical application-layer vulnerability found in a widely-used UNIX/Linux program called Bash. The NVD Common Vulnerability Scoring System Support (CVSS) has ranked the vulnerability with a severity score of 10 out of 10 due to its high impact and low exploit complexity. Shellshock is part of a family of vulnerabilities called “code injection” that also includes SQL injection. For example, cyber-criminals can exploit Shellshock to expose sensitive files or install malware that turns the system into part of a DDOS botnet.
What types of systems are affected by Shellshock?
While Shellshock can affect any UNIX/Linux-based system, public-facing web applications are generally the most vulnerable because they are constantly exposed to cyber-attackers. Legacy web applications are the most likely to possess the vulnerability because they often use a mechanism called CGI for executing scripts that rely on Bash.
Why is this so hard to fix?
Enterprises typically have thousands or even tens of thousands of public-facing web applications. This makes it difficult to find a solution that can scale quickly to discover all your web applications and pinpoint exactly which ones are vulnerable. Add in the fact that many of these applications are forgotten marketing sites, or ones that haven’t been used for some time, means that even after enterprises patch their critical sites, they are left with hundreds or thousands of sites still vulnerable – creating a “long tail” security threat.
How can Veracode help?
Veracode is offering a special cloud-based service for identifying Shellshock, based on our Web Application Perimeter Monitoring (APM) technology. This technology is ideally suited to address the scale issue because it’s built on a massively parallel, auto-scaling cloud infrastructure, enabling it to baseline risk across hundreds of sites simultaneously:
- First it discovers all your organization’s web applications – both known and unknown – including those outside your normal corporate IP range, such as sites acquired via M&A or temporary sites hosted with cloud service providers.
- Then it works just like cyber-attackers – using automated crawling to examine all of the pages on your sites for the vulnerability (unlike traditional vulnerability management solutions that inject the signature to only a few well-known directories).
If you are an existing Veracode customer and would like to take advantage of this offer, please contact your Account Executive.
If you are not currently a Veracode customer, please visit our registration page and we'll get in touch with you shortly -- or register for our SANS webinar, "Shellshock: What You Need to Know", to learn more.