Perimeter

9/26/2014
10:20 AM
Paul Vixie
Paul Vixie
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
Google+
RSS
E-Mail vvv
50%
50%

Shellshocked: A Future Of Hair On Fire Bugs

Most computers affected by Bash will be updated within 10 years. The rest will be vulnerable for the lifespans of all humans now living. This should concern us. But then, global warming should also concern us.

It seems that the more we integrate our lives and our national economies into the Internet, the less safe we, and our privacy, and our money, become. The human population will eventually grow weary of the endless parade of worldwide hair-on-fire technology problems like Y2K, Conficker, Heartbleed, and, as of this week, Shellshock.

By “weary” I mean thoughts like “Another day, another bug, I have no time for this, I’ll upgrade everything when I get the time.” We may already be there, given that six full years after the Conficker worm was announced, we still see about a million unique IP addresses per day in the Conficker sinkhole. Those can’t all be student researchers checking to see if the botnet still exists. Sadly, every hour of delay dramatically increases the likelihood that the device will become more deeply infected before it is patched -- after which time, patches won’t actually make anything better.

Aggregate attack surface is a progressive concept. When the total number of infected or vulnerable computers, and the total number of infections and vulnerabilities themselves, were small, the criminal miscreants of the world did not have as much free infrastructure to draw from when attacking new targets. Make no mistake, the bad guys don’t pay for hardware or connectivity -- they’re using ours instead, since ours is free, and this kind of indirection helps them hide their tracks and misdirect our investigations. Today the computational resources available to the bad guys have grown to the point where no victim is out of reach, and no attacker has to be all that frugal or even quiet about its attacks.

Shellshock is the name of a bug in “Bash,” an acronym for Bourne Again Shell, a command line interpreter present on most computers in the world except for Windows. Bash is in Linux, and Linux is in just about every embedded computer including smart TVs, smartphones and tablets, home gateways, wireless access points, Internet servers, and many industrial control systems.

There is not a quality problem with Linux per se. In fact, Linux may be the most reviewed, most tested, highest quality (per line of code) system in history. However, there’s an awful lot of code and an awful lot of interfaces -- connections between different parts of code -- and with complexity comes error just as surely as night follows day. More importantly, many devices containing Bash are not field upgradeable, either for cost reasons or because their makers died out. Even among devices that are still upgradeable, most are silent, unknown trolls in dark closets with no monitoring or auditing or management at all.

Fix they did, but…
Within a few hours of the announcement of Shellshock and the first software update to fix the bug (which fix did, by the way, turn out to be incomplete), those of us who watch the Internet for malicious activity saw hundreds of researchers scanning billions of Internet addresses, all trying to measure and catalogue attack surface.

It’s safe to assume that some of those researchers have evil intent, such as adding the vulnerable computers to a botnet, to be used later for launching DDoS attacks or similar malfeasance. And as always during times of emergency, misinformation and misunderstanding was everywhere, even in some official announcements from people and companies and agencies whose purpose in life is to keep us informed and safe against online threats.

It’s conservative to estimate that for every modern computing device we actually know is a computing device, and whose manufacturer still has the ability to update its software, there are at least 10 other computing devices that we don’t know much about, which will not have their software updated ever, and which have years or even decades of life left.

Experience tells us to expect that the computers that will be updated will be mostly updated within about 10 years. Most of the rest will be vulnerable until they die, which will take some decades, and a few million of them will still be running and still be vulnerable to Shellshock for the lifespans of all humans now living. This should concern us, but then, global warming should also concern us.

As the saying goes, “When you’re stuck in a hole, the first thing to do is stop digging.” Given the inevitability of software bugs and the growing dependence on technology for banking, communications, infrastructure, agriculture, and food supply, can we afford to continue driving innovation guided only by near-term profit, where technology’s winners are always those who pursue time-to-market over quality?

By all means, let us patch Bash wherever we can find it. But that’s busy work. The vulnerable Bash instances that we won’t find vastly outnumber those we will, and our future is going to be dominated by leftovers from an endless parade of hair-on-fire bugs that we eventually learn to live with when the next one comes along and steals our attention.

Dr. Paul Vixie is an Internet pioneer and thought leader who designed, implemented, and deployed several Domain Name System (DNS) protocol extensions and applications that are used throughout the Internet today. He is CEO of Farsight Security Inc. Previously, he served as ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 3   >   >>
rjones2818
50%
50%
rjones2818,
User Rank: Strategist
9/30/2014 | 11:03:40 AM
Re: hair-on-fire bug fatigue
Two things:


1) Simplify as much as possible, as has been mentioned in the comments. This is particularly true in the entrance to any programs.  The fewer doors, the fewer ways for the rats to get in.  I know it's a broad brush, but complexity for its own sake is unsafe.  The likelyhood is that every system is probably unsafe due to designers not thinking of every way their code is going to be attacked.  This isn't because they're bad designers, it's because not every way code is going to be attacked has been thought of by anybody yet.


2) The people who aren't patching aren't fatigued.  Regular patchers shouldn't be fatigued, it's just part of what they do. People who patch absolutly everything the moment a patch comes out probably are fatigued.
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
9/29/2014 | 2:01:41 PM
Re: if you patched over the weekend, you're out of date, and vulnerable, again.
This is great insight and perspective, Paul. Many thanks.
paulvixie
50%
50%
paulvixie,
User Rank: Author
9/29/2014 | 1:51:04 PM
Re: if you patched over the weekend, you're out of date, and vulnerable, again.
<< These appear to be different bugs, unless I'm missing something? >>

To me the bug is that GNU Bash ever evals the contents of an environment variable. In other words, all of this week's drama comes from a misfeature. Based on the fix now present on FreeBSD systems, I am not the only one thinking this way. However, the maintainers of GNU Bash are doing their darndest to make this feature safe by making terribly fine distinctions about the exact form, syntax, and content of these environment variables. The reason you see five different CVE's (as of this moment) at http://shellshocked.net/ is that people keep finding new ways to fool the latest patch and access the underlying remote execution vulnerability.

I prefer FreeBSD's fix. Don't evaluate the contents of environment variables by default. To those who warn that this will break some existing GNU Bash scripts, I answer: yes, and that's a bitter pill, but since this is actually misfeature, my feeling is that adding logic to make finer and finer distinctions about the content of environment variables is increasing complexity (and therefore danger), and decreasing auditability and provability (and therefore safety).

I also prefer the Debian approach (/bin/sh is "dash" not "bash") over RedHat and Apple's. GNU Bash is a great interactive shell, but it's way too large and too complex to be allowed to be in the execution path for libc's popen() and system() calls, which are used by Apache and QMail to run commands. /bin/sh should be as simple as possible, which is to say, like "dash" on Debian (which comes from "ash" which is used as /bin/sh on FreeBSD, NetBSD, OpenBSD, and DragonflyBSD).

It's very strange after the last couple of years of hair-on-fire bug-of-the-week theater, to have to argue that complexity ought to be avoided wherever possible in control systems.
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
9/29/2014 | 12:59:58 PM
Re: if you patched over the weekend, you're out of date, and vulnerable, again.
@Paul--A bit of confusion here on the vulns Shellshocker is talking about and what SANS ISC has posted: https://isc.sans.edu/diary/Shellshock%3A+We+are+not+done+yet+CVE-2014-6277%2C+CVE-2014-6278/18723. These appear to be different bugs, unless I'm missing something? 
SgS125
50%
50%
SgS125,
User Rank: Ninja
9/29/2014 | 11:22:35 AM
You sound tired Paul
Yup another week, another lip gets bit, we wonder, we wring our hands and guess what, the dang thing was there last week.  We did not know it was there last week, at least most of us anyway.

Time to double down on your game and get to it.

Just think of all the great exploits that we still don;t know about, always work to be done here.

It's like we are the gravediggers and everyone is in their 90's..... only a matter of time till we need to dig another hole.

 
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
9/29/2014 | 10:39:35 AM
Re: Great analysis but is it really so hopeless?
As with any security problem I am only as confident with regards to the intel I have available.  Based on the exploits that are currently known to be in the wild I am very confident that I am able to detect them all.  However, if there is an attack that is drastically different than those I am tracking then they could slip under my radar.

With that said, based off the nature of this vulnerability I am fairly confident that we are seeing everything that is heading our way and the attacks that are directed at us are not getting through.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
9/29/2014 | 10:28:40 AM
Re: Great analysis but is it really so hopeless?
That sounds like a good thing @Robert McDougal (that you've patched and also have seen only 40 attempted attacks). Are you confident that your patched all the holes and that your information is correct?
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
9/29/2014 | 10:05:05 AM
Re: Great analysis but is it really so hopeless?
So far our org has patched everything that can be patched.  However, we are also not seeing very many attack attempts either.  Since we deployed our Shellshock IDS alerts we have only seen around 40 attempted attacks.
aws0513
50%
50%
aws0513,
User Rank: Ninja
9/29/2014 | 9:46:16 AM
Re: Great analysis but is it really so hopeless?
Yep, we caught that info yesterday. We got caught up on our key systems accordingly.
Monitoring for further info as we go.

Thanks for the follow up info @Paul.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
9/29/2014 | 9:42:09 AM
Re: if you patched over the weekend, you're out of date, and vulnerable, again.
I agree @Kelly. We need to define a better means of communciation for not only this vulnerability but all vulnerabilities. I would imagine that corporate security teams are in many conversations with their MSSP's if they have them available but for ones that don't they are relying much on this information outlet.

What have people felt are the best avenues for consistent and validated data regarding this vulnerability?
Page 1 / 3   >   >>
'PowerSnitch' Hacks Androids via Power Banks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/8/2018
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-6705
PUBLISHED: 2018-12-12
Privilege escalation vulnerability in McAfee Agent (MA) for Linux 5.0.0 through 5.0.6, 5.5.0, and 5.5.1 allows local users to perform arbitrary command execution via specific conditions.
CVE-2018-15717
PUBLISHED: 2018-12-12
Open Dental before version 18.4 stores user passwords as base64 encoded MD5 hashes.
CVE-2018-15718
PUBLISHED: 2018-12-12
Open Dental before version 18.4 transmits the entire user database over the network when a remote unathenticated user accesses the command prompt. This allows the attacker to gain access to usernames, password hashes, privilege levels, and more.
CVE-2018-15719
PUBLISHED: 2018-12-12
Open Dental before version 18.4 installs a mysql database and uses the default credentials of &quot;root&quot; with a blank password. This allows anyone on the network with access to the server to access all database information.
CVE-2018-6704
PUBLISHED: 2018-12-12
Privilege escalation vulnerability in McAfee Agent (MA) for Linux 5.0.0 through 5.0.6, 5.5.0, and 5.5.1 allows local users to perform arbitrary command execution via specific conditions.