Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
Shellshocked: A Future Of ‘Hair On Fire’ Bugs
Newest First  |  Oldest First  |  Threaded View
Page 1 / 3   >   >>
rjones2818
50%
50%
rjones2818,
 User Rank: Strategist
9/30/2014 | 11:03:40 AM
Re: hair-on-fire bug fatigue
Two things:


1) Simplify as much as possible, as has been mentioned in the comments. This is particularly true in the entrance to any programs.  The fewer doors, the fewer ways for the rats to get in.  I know it's a broad brush, but complexity for its own sake is unsafe.  The likelyhood is that every system is probably unsafe due to designers not thinking of every way their code is going to be attacked.  This isn't because they're bad designers, it's because not every way code is going to be attacked has been thought of by anybody yet.


2) The people who aren't patching aren't fatigued.  Regular patchers shouldn't be fatigued, it's just part of what they do. People who patch absolutly everything the moment a patch comes out probably are fatigued.
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
 User Rank: Strategist
9/29/2014 | 2:01:41 PM
Re: if you patched over the weekend, you're out of date, and vulnerable, again.
This is great insight and perspective, Paul. Many thanks.
paulvixie
50%
50%
paulvixie,
 User Rank: Author
9/29/2014 | 1:51:04 PM
Re: if you patched over the weekend, you're out of date, and vulnerable, again.
<< These appear to be different bugs, unless I'm missing something? >>

To me the bug is that GNU Bash ever evals the contents of an environment variable. In other words, all of this week's drama comes from a misfeature. Based on the fix now present on FreeBSD systems, I am not the only one thinking this way. However, the maintainers of GNU Bash are doing their darndest to make this feature safe by making terribly fine distinctions about the exact form, syntax, and content of these environment variables. The reason you see five different CVE's (as of this moment) at http://shellshocked.net/ is that people keep finding new ways to fool the latest patch and access the underlying remote execution vulnerability.

I prefer FreeBSD's fix. Don't evaluate the contents of environment variables by default. To those who warn that this will break some existing GNU Bash scripts, I answer: yes, and that's a bitter pill, but since this is actually misfeature, my feeling is that adding logic to make finer and finer distinctions about the content of environment variables is increasing complexity (and therefore danger), and decreasing auditability and provability (and therefore safety).

I also prefer the Debian approach (/bin/sh is "dash" not "bash") over RedHat and Apple's. GNU Bash is a great interactive shell, but it's way too large and too complex to be allowed to be in the execution path for libc's popen() and system() calls, which are used by Apache and QMail to run commands. /bin/sh should be as simple as possible, which is to say, like "dash" on Debian (which comes from "ash" which is used as /bin/sh on FreeBSD, NetBSD, OpenBSD, and DragonflyBSD).

It's very strange after the last couple of years of hair-on-fire bug-of-the-week theater, to have to argue that complexity ought to be avoided wherever possible in control systems.
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
 User Rank: Strategist
9/29/2014 | 12:59:58 PM
Re: if you patched over the weekend, you're out of date, and vulnerable, again.
@Paul--A bit of confusion here on the vulns Shellshocker is talking about and what SANS ISC has posted: https://isc.sans.edu/diary/Shellshock%3A+We+are+not+done+yet+CVE-2014-6277%2C+CVE-2014-6278/18723. These appear to be different bugs, unless I'm missing something? 
SgS125
50%
50%
SgS125,
 User Rank: Ninja
9/29/2014 | 11:22:35 AM
You sound tired Paul
Yup another week, another lip gets bit, we wonder, we wring our hands and guess what, the dang thing was there last week.  We did not know it was there last week, at least most of us anyway.

Time to double down on your game and get to it.

Just think of all the great exploits that we still don;t know about, always work to be done here.

It's like we are the gravediggers and everyone is in their 90's..... only a matter of time till we need to dig another hole.

 
Robert McDougal
50%
50%
Robert McDougal,
 User Rank: Ninja
9/29/2014 | 10:39:35 AM
Re: Great analysis but is it really so hopeless?
As with any security problem I am only as confident with regards to the intel I have available.  Based on the exploits that are currently known to be in the wild I am very confident that I am able to detect them all.  However, if there is an attack that is drastically different than those I am tracking then they could slip under my radar.

With that said, based off the nature of this vulnerability I am fairly confident that we are seeing everything that is heading our way and the attacks that are directed at us are not getting through.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
 User Rank: Strategist
9/29/2014 | 10:28:40 AM
Re: Great analysis but is it really so hopeless?
That sounds like a good thing @Robert McDougal (that you've patched and also have seen only 40 attempted attacks). Are you confident that your patched all the holes and that your information is correct?
Robert McDougal
50%
50%
Robert McDougal,
 User Rank: Ninja
9/29/2014 | 10:05:05 AM
Re: Great analysis but is it really so hopeless?
So far our org has patched everything that can be patched.  However, we are also not seeing very many attack attempts either.  Since we deployed our Shellshock IDS alerts we have only seen around 40 attempted attacks.
aws0513
50%
50%
aws0513,
 User Rank: Ninja
9/29/2014 | 9:46:16 AM
Re: Great analysis but is it really so hopeless?
Yep, we caught that info yesterday. We got caught up on our key systems accordingly.
Monitoring for further info as we go.

Thanks for the follow up info @Paul.
RyanSepe
50%
50%
RyanSepe,
 User Rank: Ninja
9/29/2014 | 9:42:09 AM
Re: if you patched over the weekend, you're out of date, and vulnerable, again.
I agree @Kelly. We need to define a better means of communciation for not only this vulnerability but all vulnerabilities. I would imagine that corporate security teams are in many conversations with their MSSP's if they have them available but for ones that don't they are relying much on this information outlet.

What have people felt are the best avenues for consistent and validated data regarding this vulnerability?
Page 1 / 3   >   >>


Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Ransomware Damage Hit $11.5B in 2019
Dark Reading Staff 2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-0063
PUBLISHED: 2020-02-21
Insecure plugin update mechanism in tucan through 0.3.10 could allow remote attackers to perform man-in-the-middle attacks and execute arbitrary code ith the permissions of the user running tucan.
CVE-2013-3551
PUBLISHED: 2020-02-21
Kernel/Modules/AgentTicketPhone.pm in Open Ticket Request System (OTRS) 3.0.x before 3.0.20, 3.1.x before 3.1.16, and 3.2.x before 3.2.7, and OTRS ITSM 3.0.x before 3.0.8, 3.1.x before 3.1.9, and 3.2.x before 3.2.5 does not properly restrict tickets, which allows remote attackers with a valid agent ...
CVE-2013-4088
PUBLISHED: 2020-02-21
Kernel/Modules/AgentTicketWatcher.pm in Open Ticket Request System (OTRS) 3.0.x before 3.0.21, 3.1.x before 3.1.17, and 3.2.x before 3.2.8 does not properly restrict tickets, which allows remote attackers with a valid agent login to read restricted tickets via a crafted URL involving the ticket spli...
CVE-2019-19865
PUBLISHED: 2020-02-21
Atos Unify OpenScape UC Web Client 1.0 allows XSS. An attacker could exploit this by convincing an authenticated user to inject arbitrary JavaScript code in the Profile Name field. A browser would execute this stored XSS payload.
CVE-2019-19866
PUBLISHED: 2020-02-21
Atos Unify OpenScape UC Web Client 1.0 allows remote attackers to obtain sensitive information. By iterating the value of conferenceId to getMailFunction in the JSON API, one can enumerate all conferences scheduled on the platform, with their numbers and access PINs.