While Shellshock has been all over Twitter and talked about on prominent news outlets, I’m still shocked that there is comparatively less press coverage than there was for Heartbleed which was a bonafide “big story.” This is unfortunate because in some ways the Shellshock exploit is more devastating, but there are actually some good reasons for the lesser coverage, and all of them are things we should learn from.
1. Name Game Confusion
Some call it Shellshock, or the Shellshock Bug, some call it the “BASH Bug” and sadly, some in the press call it the “Bug known as BASH” (see video [https://www.youtube.com/watch?v=hxsb8Hzb5FQ]). Heartbleed was a cool name, and even had a cool logo that was able to capture the imagination very quickly. Maybe we need to make sure we pick cool names and create cool logos before we alert the media of a major new vulnerability.
2. Explanation of the Threat
When dealing with Heartbleed it was easy to explain that the exploit allowed an attacker to extract unencrypted information. With Shellshock, I have seen people trying to explain the exploit in terms that are meaningless to normal people.
Reporter: “The BASH Bug gives an attacker shell access to a system”
Audience: “Oh, interesting. What’s for dinner?”
We need to use simple terms anyone can understand.
Reporter: “Shellshock gives an attacker remote control of a system”
Audience: “Oh, $#@! get my IT guy on the phone!”
We are wasting our time trying to explain what BASH is or what a shell is. Come on people!
Know your audience, and speak at their level. @Lifehacker does a good job of this! http://lifehacker.com/are-bugs-like-shellshock-and-heartbleed-really-serious-1641177186
3. The Boy Who Cried Wolf
We (the security community) made such fuss about Heartbleed and we basically told the world that the internet was on fire. The problem was that most of the internet was patched within a week or two and life went on as normal. The fire was well contained by the awareness campaign which is a good thing. But we had gone a little overboard and wasted our goodwill with the press.
4. Overstatement of the Threat
Let me start by saying, that when exploited, Shellshock is bad bad news. A Shellshock exploit is worse than a Heartbleed exploit because it’s not only allowing data to be leaked, but also allows remote control of a server and could allow an attacker to make a trusted site become evil.
I see statements out there saying that 70% or even 90% of internet connected systems are vulnerable to Shellshock and that it is much worse than Heartbleed. While there may be some truth to that, and a high percentage of internet servers are indeed “vulnerable” we need to break that down a little because a very small percentage are exploitable.
5. Vulnerable Does Not Mean Exploitable
A server might have this BASH bug which can be tested on the system with a simple test command. However, to exploit this, you need to have a service open that calls BASH. The problem is that most service ports are blocked by firewalls. In most cases, there are only a few ports open to the internet that could be vulnerable, such as DNS, DHCP, SMTP/IMAP/POP3 and HTTP/HTTPS. I have seen some exploitable examples of DNS and DHCP services that shell out to BASH scripts to handle IP assignments based on user, as well as some SMTP that shell out to SPAM filtering tools. I’m sure there are many more, but these are examples and they are limited. Jose Pagliery from CNN Money explains it quite well – the world isn’t on fire, but there is a serious problem in this video.
6. What About Web Servers?
Of course this is one of the big questions because web servers are much more widely exposed to the ShellshockBASH bug. In many cases, the only ports a server will expose to the internet are 80/443 which are the HTTP/HTTPS ports. There are situations where a web server has CGI support enabled, even though it has not been the default configuration for quite some time. But if it is, then it is possible that it might have a CGI script that executes BASH. This could happen, but it’s fairly rare these days because most CGI scripts I see are written in languages such as PERL and are not exploitable with ShellShock. So, if all the moons have aligned so far and there is a BASH CGI script in use, the admins can disable the script or patch the system to remove the vulnerability.
So lets go back to the claims that 70-90% of the internet connected servers are “vulnerable”. From that we subtract the ones that have no ports open to the internet. We then remove the ones that only expose services that are not exploitable because they don’t shell out for any reason. In the end, I think we end up with a much smaller percentage, lets say 5%-10% of the servers on the internet that are vulnerable to the Bash Bug are actually exploitable.
7. Remains A Very Serious Security Issue
Even if only 5% of the servers on the internet are exploitable that still constitutes a very serious problem. It may not get as many headlines as saying 70-90% are vulnerable, but it is more accurate and helps to maintain our credibility to the wider public.
Keep in mind, that 5% of the servers on the internet being exploitable is still a VERY LARGE number of servers, and from those exploitable systems, an attacker could then attack other servers and services not exposed directly to the internet.
8. Shellshock’s Lasting Impact
I want to state once again that I strongly feel like this BASH bug is very serious, which is why I have been disappointed by the coverage about it. I also think it will be with us for a long time, because unlike the big servers powering the internet, which will get patched, many appliance type devices will never get patched such as common home WiFi & router devices, and IP enabled devices that fall into the “Internet of Things” category.
We did a great job during Heartbleed, and I believe the publicity actually helped mitigate the threat because every IT person was made aware and systems were patched quickly. It also served as something like a shark alert at the beach and many people stayed away for a few days while “the internet got fixed.”
Shellshock has not been handled as well, and I think systems that could easily be patched won’t, because we failed in the awareness campaign. I have run into many people and friends in the IT space that had not heard about it as recently as last night!
I hope we do better next time.