While the most urgent focus where the Bash vulnerability is concerned is around Internet-facing web servers, embedded systems and industrial control systems are not exempt from worry.
Experts are concerned about Linux-based industrial control systems and SCADA equipment, in particular, that may be affected and difficult to patch.
“Some gear isn’t even designed to be upgraded. There is a lot of ICS equipment still being produced today that has no firmware update mechanism,” said K. Reid Wightman, director of Digital Bond Labs. “Some gear is end of life, and vendors may not produce a patch. ICS and SCADA equipment tend to be in use for 10 or more years before the equipment gets an upgrade. Many vendors stop producing patches before the 10-year upgrade cycle is complete.”
Downtime is another barrier to patching: in some cases, taking a control system offline is not an acceptable option.
“Downtime is a huge issue,” Wightman said. “These systems can only be patched during an industrial control system’s maintenance window. This might only roll around once per year (and maybe even longer), depending on the control system.”
Those patching challenges may exacerbate what is already a perplexing set of circumstances around the latest Internet-wide bug. The Bash vulnerability was disclosed yesterday by Stephane Chazelas, and Linux distributions immediately went to work distributing patches to curb the effect of the bug, which could allow a remote attacker to append executable code to an environment variable; that code is executed when Bash is invoked and processes the variable. Reports this morning that the first patches were incomplete were met by equally disturbing reports of active exploits that could lead to a worm or a DDoS botnet.
While Apache servers using CGI scripts, or some Git deployments running over SSH, are likely most at risk, Wightman said the Bash shell is widespread in ICS and SCADA gear as well as embedded devices.
“Many industrial components run Linux and use bash in a way that will be exploitable,” Wightman said. “Industrially hardened network switches, and even some programmable logic controllers (PLCs) and remote terminal units (RTUs) will likely be affected.”
Wightman offered some specific examples that include RuggedCom’s managed Ethernet switch line, EtherTrak’s managed Ethernet switch line, Wago PLCs, and Schweitzer Engineering RTUs that run Linux.
“There’s a long list of potentially affected devices that are used in ICS/SCADA,” he said.
While most ICS gear and SCADA equipment should not be Internet-facing, something that should curtail the impact of Bash in those environments, experts caution that isn’t always the case.
“The vulnerability is identical in IT/OT, however, a disproportionate number of ‘simple’ embedded devices uses CGI + Bash as compared to more modern web frameworks,” said Adam Crain, security researcher and founder of Automatak. “Bash is the most common shell used on Linux systems. A large fraction of embedded devices in ICS/SCADA are Linux based. Not all of these systems are vulnerable because not all of them expose a service that can be used to exploit the bash vulnerability.”
It’s important that engineers inventory their assets to determine which components make use of Bash, since some of those uses are likely hidden.
“Unless an end user spends the time to reverse engineer the industrial gear, they really have no idea if and how bash may be called by services on the system,” Wightman said. “We have even encountered equipment which runs GNU/Linux and Bash, but fails to disclose this to their customers (which is actually a contractual requirement, since they are making use of software that is licensed under the GNU public license).”
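For the asset review described above, the following is an added self-check (not from the article or from Digital Bond) that a defender can run on any Linux host or device that exposes a shell. It exercises only the pattern the article describes, a function definition in an environment variable followed by a trailing command, using a harmless echo as that command, and reports whether the local bash runs it; the function name `probe` and the output strings are assumptions of this example, and it does not test the follow-on parser issues that made early patches incomplete.

```shell
#!/bin/sh
# Added example: does the given bash binary execute a trailing command
# carried in an environment variable that holds a function definition?
# Prints one of: patched, vulnerable, bash-not-found.
# Exit code: 0 = patched, 1 = vulnerable, 2 = bash-not-found.
shellshock_check() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "bash-not-found"
        return 2
    fi
    # Constructed variable: an empty function body, then a trailing command.
    # A patched bash ignores the trailing command (and usually warns on stderr);
    # an unpatched bash runs it while importing the function.
    out=$(env probe='() { :;}; echo PROBE_RAN' "$bash_bin" -c 'echo ok' 2>/dev/null)
    case "$out" in
        *PROBE_RAN*)
            echo "vulnerable"
            return 1
            ;;
        *)
            echo "patched"
            return 0
            ;;
    esac
}

# Run against the default bash when executed directly; pass a path to
# check a different binary (for example one on a mounted device image).
[ "${0##*/}" = "shellshock_check.sh" ] && shellshock_check "$1"
```

On embedded gear that offers no shell, the check cannot be run and the only option is the vendor inventory the experts describe; on gear that does, point it at the device's own bash rather than a management workstation's.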