Saturday, October 04, 2014

Shellshock/Bash-bug News and Linkage

Yes, it has been that kind of a week.

Here are my picks of news and link summaries for the Shellshock/Bash-bug exploit that hit the InterWebs this past week.

Again, as with BadUSB, it pays to be familiar with these exploits and trends even if you “think” you are safe in a Windows environment.

Everything you need to know about the Shellshock Bash bug - Troy Hunt’s blog. And to address that “We’re on Windows so we are safe” thought, let me quote directly from Troy’s post above:

All our things are on the Microsoft stack, are we at risk?

Short answer “no”, long answer “yes”. I’ll tackle the easy one first – Bash is not found natively on Windows and whilst there are Bash implementations for Windows, it’s certainly not common and it’s not going to be found on consumer PCs. It’s also not clear if products like win-bash are actually vulnerable to Shellshock in the first place.

The longer answer is that just because you operate in a predominantly Microsoft-centric environment doesn’t mean that you don’t have Bash running on machines servicing other discrete purposes within that environment. When I wrote about Heartbleed, I referenced Nick Craver’s post on moving Stack Overflow towards SSL and referred to this diagram of their infrastructure:

There are non-Microsoft components sitting in front of their Microsoft application stack, components that the traffic needs to pass through before it hits the web servers. These are also components that may have elevated privileges behind the firewall – what’s the impact if Shellshock is exploited on those? It could be significant and that’s the point I’m making here; Shellshock has the potential to impact assets beyond just at-risk Bash implementations when it exists in a broader ecosystem of other machines.

FREE Pluralsight Course: Understanding the Shellshock Bash Bug - Troy Hunt’s blog. Troy offers a free 35+ minute training presentation going over the Shellshock Bash Bug. It should be a great review, and everyone in the security or IT administration community should take advantage of it.

The anatomy of a Shellshock attack in the wild - Troy Hunt’s blog.

So what harm could be done? Um…plenty.

Even more reading…

Constant Vigilance!

Claus Valca
