The Shellshock Vulnerability
By now you have probably heard of the latest vulnerability of the day, Shellshock. Since there have already been many excellent resources created to describe the technical details of the flaw, let’s look at the general security practices and how they can help mitigate risk from serious vulnerabilities, and enable your team to respond quickly and appropriately in the future.
What is Shellshock?
Shellshock is a vulnerability in Bash, a fundamental component of many Linux- and Unix-based devices and servers. Bash is the shell that translates commands into actions on the part of the system. At its heart, Shellshock consists of using environment variables to manipulate Bash into running any command. This vulnerability is especially concerning because Linux- and Unix-based systems are so prevalent both in server infrastructure and in appliances and embedded devices.
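As an added example (not code from the original article), the following script checks whether the local Bash still imports function definitions from environment variables. It runs the widely published one-line test: the variable value is a Bash function body followed by a trailing command, and a vulnerable Bash executes that trailing command while importing the variable, whereas a patched Bash ignores it. This is the kind of check a patching team can run on each inventoried host to confirm the fix actually landed. The marker string and the variable name are arbitrary choices made for this example.

```python
"""Check whether the local bash honours function definitions passed through
environment variables (the Shellshock behaviour).

Added example; not from the original article. The probe is the widely
circulated one-line self-test: a function body followed by a trailing
command. A vulnerable bash runs the trailing command while importing the
variable; a patched bash does not.
"""
import shutil
import subprocess

# Marker and variable name are arbitrary values chosen for this example.
MARKER = "SHELLSHOCK_MARKER"
PROBE_VALUE = "() { :;}; echo " + MARKER


def run_probe(bash_path: str, probe_value: str = PROBE_VALUE) -> str:
    """Run `bash -c 'echo test'` with the probe variable in its environment.

    Only the probe variable and a minimal PATH are passed, so nothing else in
    the caller's environment can influence the result. Returns stdout and
    stderr combined (patched versions may print an 'ignoring function
    definition attempt' warning on stderr, which is harmless here).
    """
    env = {"PATH": "/usr/bin:/bin", "PROBE": probe_value}
    proc = subprocess.run(
        [bash_path, "-c", "echo test"],
        env=env, capture_output=True, text=True, timeout=10,
    )
    return proc.stdout + proc.stderr


def classify(output: str, marker: str = MARKER) -> str:
    """Return 'vulnerable' if the trailing command ran, else 'patched'."""
    return "vulnerable" if marker in output else "patched"


def check_local_bash() -> str:
    """Locate bash on PATH and classify it; 'no-bash' if it is not installed."""
    bash = shutil.which("bash")
    if bash is None:
        return "no-bash"
    return classify(run_probe(bash))


if __name__ == "__main__":
    print(check_local_bash())
```

Run it on each host after patching; a result of "patched" on a host that was previously "vulnerable" is the evidence the emergency patch process needs before the host is closed out. A "vulnerable" result on a host that the inventory says was patched points at an inventory or deployment gap rather than at the patch itself.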
How is this related to your existing security program?
As with most of these vulnerabilities, mature security practices will provide some level of coverage. There are a lot of components to a standard security program that are relevant to the Shellshock vulnerability, including:
- Configuration and hardening standards: Many of the systems that will be exploited by Shellshock are being attacked through services or configuration options that weren’t strictly necessary to support the business function of the device. For example, if your web application does not need CGI scripts to function, the CGI associations should be removed. If this was already done, then that attack vector no longer exists on that system.
- System Inventory: Can you comfortably say that you know which systems in your environment are running potentially vulnerable operating systems? What about network devices and appliances? This is critically important to ensure that your efforts to patch and mitigate Shellshock are complete. Missing just one publicly accessible system may be all it takes to experience a Shellshock-based breach. How confident are you that no one has created a development system, installed an access point, or otherwise stood up a system that is now vulnerable and publicly accessible? Enterprises with mature inventory systems and programs in place to detect or prevent rogue systems from being placed on their network are more capable of responding completely to the threat presented by Shellshock.
- Network change control: In a similar vein to the system inventory, it’s important to maintain a current inventory of network access. Enterprises that can account for all the ACLs that exist on their firewalls, and can in turn verify that the systems that have been provisioned access are not susceptible to Shellshock, are likely sleeping more soundly at night.
- Subscriptions to relevant security feeds and user groups: When something like Shellshock occurs, the faster you are able to patch your systems, the better. A delay may occur simply from not knowing where to find the patch information, or from not realizing that a patch is already available. Appropriate user groups may provide an invaluable source of security signatures for scanning, or of compensating controls that can be leveraged to lower your exposure to Shellshock. Ensure that you are kept up to date through appropriate subscriptions to security feeds and user groups based on the technology in place in your environment.
- Controlled Patching Process: The larger an enterprise, the more difficult it will be to apply patches consistently and completely. Enterprises that have already tackled the logistics of wide scale patching in a controlled manner will be much better poised to respond to Shellshock.
- Emergency Patching Procedures: In general, patches shouldn’t be applied blindly, but occasionally vulnerabilities like Shellshock may highlight the importance of emergency patch procedures, so that even when patches need to be applied in a short time frame, they are still applied in a consistent and controlled manner. While Shellshock is a very serious threat that warrants potential emergency patching procedures, it’s also important to ensure that your enterprise doesn’t undertake such procedures lightly. Future vulnerabilities may be more bark than bite, and these decisions should follow an established process in order to prevent patch implementation from causing more harm than the original vulnerability.
- Information Security Policy and Documented Procedures: Many of the above controls include a process element to them. Clearly documented policies and procedures help ensure that those processes are carried out correctly.
- Ongoing Security Program Review and Updates: Shellshock also highlights the importance of how you keep your technical configuration standards up to date. If the standards for your web systems didn’t include disabling the CGI directories if they are not needed, is there a process to ensure they are updated when incidents like this occur?
- Audit and Assurance Programs: Many of the above controls also have common pitfalls that lead to poor implementation. For example, how do you ensure that all systems went through the required hardening guidelines? Audit and assurance programs can help by testing and reviewing hardening procedures, firewall configurations, even verifying the completeness of system inventories. These will all help ensure that your own assessment of your exposure is accurate and that your response is complete.
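The list above mentions CGI as the exposed vector and security signatures as a compensating control. As an added example that is not part of the original article, the script below applies the simplest such signature, the Bash function-definition prefix "() {", to web-server access logs and flags requests that carried it in the request line, Referer or User-Agent, noting whether the target path looks like a CGI handler. The log lines are constructed for this example and use the Apache "combined" format; the IP addresses are documentation ranges, not real sources.

```python
"""Flag Shellshock-style probes in web-server access logs.

Added example; not from the original article. The signature is the bash
function-definition prefix "() {", which has no legitimate reason to appear
in an HTTP request line or header. The log format assumed is Apache
"combined"; the sample lines below are constructed for this example.
"""
import re
from typing import Iterable, List, Optional

# Apache "combined" format:
# ip ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Function-definition prefix; tolerate whitespace between the parens and brace.
SHELLSHOCK_SIG = re.compile(r"\(\s*\)\s*\{")

# Paths that usually mean the request reached a CGI handler.
CGI_PATH = re.compile(r"/cgi-bin/|\.cgi(\?|$)")

# Constructed sample log (documentation IP ranges, arbitrary timestamps).
SAMPLE_LOG = """\
203.0.113.7 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
198.51.100.3 - - [25/Sep/2014:10:12:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [25/Sep/2014:10:12:09 +0000] "GET /cgi-bin/status HTTP/1.1" 404 210 "() { :; }; echo probe" "curl/7.37.0"
192.0.2.44 - - [25/Sep/2014:10:13:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "() { :;}; echo probe"
"""


def parse_combined(line: str) -> Optional[dict]:
    """Parse one combined-format line into named fields; None if it does not match."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def find_shellshock_probes(lines: Iterable[str]) -> List[dict]:
    """Return one finding per log line carrying the signature in a request field."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        rec = parse_combined(line)
        if rec is None:
            continue  # unparseable line; a real scanner would count these
        hits = [f for f in ("request", "referer", "agent")
                if SHELLSHOCK_SIG.search(rec[f])]
        if not hits:
            continue
        parts = rec["request"].split(" ")
        path = parts[1] if len(parts) > 1 else rec["request"]
        findings.append({
            "line": lineno,
            "ip": rec["ip"],
            "fields": hits,
            "path": path,
            "cgi_target": bool(CGI_PATH.search(path)),
            "status": rec["status"],
        })
    return findings


if __name__ == "__main__":
    for f in find_shellshock_probes(SAMPLE_LOG.splitlines()):
        print(f)
```

Findings against a CGI path with a 200 status deserve first attention, since those requests reached a handler that may have spawned Bash; hits against static paths or 404s show the same source probing but are evidence of scanning rather than of a successful request. If CGI has already been removed per the hardening standard, every such hit should be a 404, which is itself a useful audit check.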
How can OpenSky help?
In addition to vulnerability assessment and remediation services, OpenSky has a portfolio of comprehensive security services that can help enhance an organization’s information security program, including the areas relevant to the Shellshock vulnerability, listed above.
OpenSky can help you determine how best to leverage these services to assist your organization with IT risk management and to ensure that your information security program is well positioned to respond to widespread critical vulnerabilities such as Shellshock.
About the Author
Adam Kunsemiller has more than 12 years of experience in IT security, specifically in application security and vulnerability management. Adam has advised Fortune 500 enterprises, including in the financial and telecommunications industries, on the development of their security programs to protect against web vulnerabilities. He is a regular speaker at conferences for organizations such as OWASP.