There were widespread security concerns yesterday after the discovery of an old flaw that could affect web servers and Internet-connected devices – but many in the industry are claiming it presents no immediate threat to bitcoin services.
The vulnerability, dubbed either the ‘Bash Bug’ or the ‘Shellshock Bug’, would allow malicious access to a UNIX-based device’s operating system via the command line shell – the most widely used of which is bash.
UNIX-based systems include MacOS, Linux versions (desktop and server), popular mobile platforms and embedded systems on other devices that communicate online.
CNET reported that security expert Robert Graham described it as “as big a deal as Heartbleed” – the OpenSSL flaw discovered in April – given the “enormous percentage of software that interacts with the shell”.
Jeff Garzik, bitcoin core developer and now senior software engineer at BitPay, however, said there is no clear and present danger to bitcoin users.
“Prediction: bash bug NOT bigger threat than heartbleed,” he posted on a Reddit thread.
Garzik told CoinDesk that, while the newly-discovered bug had the potential to be bad, “most online services using bitcoin are far more secure than your average home router”.
He added that the Bash Bug would impact mostly non-bitcoin sites, and was being over-hyped.
“It requires a special set of conditions to be exploitable, and home routers and ancient Apache web servers were already Swiss cheese security anyway. I think the practical impact will be much less than the mainstream media is making it out to be.”
At this stage, there are no reports of any exploit of the Bash Bug affecting any bitcoin-related services. So why care at all?
Bitcoin services may potentially be a more attractive target for hackers and thieves than more established, fiat-based services like online banking and PayPal.
There are two historic reasons for this: poor security implementation at some early-stage online bitcoin services, and the reluctance of authorities to investigate or punish digital currency crimes, unless they suspect drugs or money laundering are involved.
Therefore it is best to at least be aware of potential problems developers and services may face.
Yan Chuan or ‘YC’, CTO of exchange BitBays.com, said the bug was “relatively easy for hackers to use”, and recommended all users patch, back up logs, and check systems to see if any attack had occurred.
Because the bug allowed malicious hackers full access to an operating system there was potential for any kind of attack, from stealing bitcoin wallets to installing keyloggers and backdoors.
YC said bitcoin itself would not be affected due to its decentralized structure.
“However, as a centralized provider of exchange or wallet services it is possible to be affected by the bash bug. Due to the presence of this vulnerability, OpenSSH, HTTP, FTP and other application servers are all at risk of being remotely accessed and controlled by a hacker.”
Since Windows is not UNIX-based, its desktop users would not be affected themselves. BitBays’ platform is prepared, YC continued, but concerned users of other platforms might like to ask their exchange or wallet service about the situation if unsure.
The Bash Bug vulnerability stems from a serious security flaw that exists in the bash (Bourne Again SHell) command ‘env’. It affects the local shell, as well as SSH, FTP, HTTP, and other important services.
YC explained how the bug could be exploited, saying that many web servers pass the user’s HTTP request information (REMOTE_HOST, REQUEST_METHOD, QUERY_STRING, etc.), stored in environment variables, to the backend web framework or CGI scripts.
If this information includes malicious instructions, the next time the server executes bash it will execute the malicious instructions. Thus, the server is compromised.
At present, the popular Apache + PHP and Nginx + wsgi frameworks are vulnerable.
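The mechanism above is also what a defender looks for when following YC’s advice to back up logs and check for attacks. As an added example (not code from the article or from BitBays), this Python scanner parses Apache “combined” log lines and flags the bash function-definition prefix in the request fields a web server copies into CGI environment variables; the log lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Apache "combined" format: client ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Every Shellshock variant starts with a bash function definition, "() {",
# followed by the trailing commands bash wrongly executes when it imports the
# variable. The prefix is the stable signature; the tail varies per attacker.
FUNC_DEF_RE = re.compile(r"\(\)\s*\{")

# Request fields that end up in CGI environment variables (QUERY_STRING,
# HTTP_USER_AGENT, HTTP_REFERER), so a payload here reaches bash.
WATCHED_FIELDS = ("request", "referer", "agent")


@dataclass
class Hit:
    client: str
    field: str
    value: str
    status: str  # a 200 on a CGI path after a probe deserves a closer look


def scan_line(line: str):
    """Return a Hit if any watched field carries a function-definition prefix."""
    m = COMBINED_RE.match(line)
    if not m:
        return None  # not a combined-format line; skip rather than guess
    for field in WATCHED_FIELDS:
        # Percent-decode so an encoded payload in the query string is not missed.
        value = unquote(m.group(field))
        if FUNC_DEF_RE.search(value):
            return Hit(m.group("client"), field, value, m.group("status"))
    return None


def scan_log(lines):
    return [h for h in (scan_line(l) for l in lines) if h is not None]


# Constructed sample log (not real traffic): one benign hit, a probe in the
# User-Agent, and a percent-encoded probe in the query string.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Sep/2014:10:02:15 +0000] "GET /cgi-bin/status HTTP/1.1" 200 88 "-" "() { :;}; echo probe"',
    '198.51.100.7 - - [25/Sep/2014:10:02:16 +0000] "GET /cgi-bin/status?x=%28%29%20%7B%20%3A%3B%7D%3B%20echo%20probe HTTP/1.1" 500 0 "-" "curl/7.37.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.client} via {hit.field} (HTTP {hit.status}): {hit.value}")
```

The combined format records only the User-Agent and Referer headers, so a clean scan of this log does not rule out a payload delivered in a header the server never logged; that gap is why YC’s advice is to patch first and treat log review as a supplement.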
According to Red Hat, which issued its own security advisory, many programs access the bash shell in the background. Several Linux distributions have already made patches available, including Red Hat Enterprise Linux, Debian, Ubuntu and CentOS.
The bug, which had existed for more than 25 years before the release of today’s news, could affect millions of devices and leave many older ones in need of patching. It is the sheer number of devices in need of patching, rather than the flaw’s complexity or known exploits, that has some experts concerned.