AlienVault Labs: Hackers Can Launch Shellshock Attacks on VoIP Systems

Even voice-over-IP (VoIP) phone system providers are susceptible to “Shellshock” attacks, according to threat intelligence research firm AlienVault Labs.

Shellshock is a 22-year-old Bourne Again Shell (Bash), Unix-based software exploit that hackers reportedly could use to take over millions of computers.

Several IT security experts have already said the exploit is “worse than Heartbleed,” and AlienVault Labs Director Jaime Blasco pointed out Shellshock could affect VoIP companies too.

“I’m pretty sure that there are a bunch of them (vendors), if not a lot of them, that you can exploit,” Blasco told CSO Online.

Blasco said the Shellshock vulnerability was uncovered last week in a VoIP phone vendor’s session initiation protocol (SIP) server. He also noted that many VoIP vendors use similar servers, and the vulnerability is likely widespread.

“Even if you don’t have the username and password (for the SIP server), you can exploit the vulnerability,” Blasco added.

What do we know about Shellshock so far?

Shellshock is present in GNU Bash versions 1.14 through 4.3 and can be found on web servers.

“The exploitation of this vulnerability relies on Bash functionality somehow being accessible from the Internet. The problem with Bash is that it’s used for everything. On a Linux-based system, Bash is the default shell, and anytime a web-enabled process needs to call a shell to process [an] input [or] run a command, it will call Bash,” Daniel Ingevaldson, chief technology officer at IT security vendor Easy Solutions, told CSO Online.

Many SIP servers run GNU Bash, and Ingevaldson noted the Shellshock exploit lets an attacker trick Bash into executing malicious command code by sending it via the Common Gateway Interface, a component of the SIP server’s administrative interface.

“This vulnerability allows a remote attacker to inject his command into Bash via an environment variable. [Such commands] can download a password file, run a remote shell or really do anything that the attacker wants very, very easily,” he said.

Blasco said a Shellshock attacker could upload malware to the SIP server and gain access to a company’s internal network, depending on the architecture of the phone system. Hackers also could infect components that would allow them to intercept communications.

Several Shellshock patches have been released, but Google (GOOG) security engineer Michal Zalewski said he believes an unofficial patch from Red Hat (RHT) product security researcher Florian Weimer provides “a more durable approach” to the security vulnerability.

“Florian’s fix effectively isolates the function parsing code from attacker-controlled strings in almost all the important use cases we can currently think of,” Zalewski wrote in a blog post.

Share your thoughts about this story in the Comments section below, via Twitter @dkobialka or email me at [email protected].