Post by: Mark Staudinger
This post is Part 1 of a two-part series.
The “Big 3” benefits of NYI’s Fault Tolerant Web (FTW) service are Speed, Stability, and Security. Depending on the day, one of these three might seem more important than the others, but when a newly discovered vulnerability like ShellShock is turned into an active exploit seen “in the wild” (as opposed to in the test lab), the security of public-facing services such as your web site becomes critically important.
ShellShock in particular poses a significant threat, mainly because its target (the “Bourne Again Shell”, or “Bash”) exists on a large number of Unix-type server platforms and the vulnerability is relatively easy to exploit. In addition, Bash itself has not been fully patched (yet), so administrators cannot be confident that all of the vulnerabilities associated with it have been addressed.
- Target-rich environment
Bash is a command interpreter, or shell, that is available for most Unix-type Operating Systems. On Linux, Bash is not only part of the base installation but also the default shell for all users, including the “root” super-user. Other Operating Systems require the user to install the Bash shell separately, but many administrators choose to do so for reasons of preference or compatibility. The developers of Bash estimate that the vulnerable portion of code was added around 1992, which means it has had plenty of time to become truly ubiquitous, especially on Linux platforms.
- Easy to craft exploit
One aspect of the ShellShock exploit is that it does not need to be customized to any significant degree for the target platform, nor does it require the attacker to have any programming experience. The easier an exploit is to craft, the larger the pool of would-be attackers. Some exploits involve stack or variable overflows that must be tailored to the target by someone with programming experience. ShellShock, conversely, is relatively easy to implement, because the attacker’s commands are passed directly to the shell and executed as-is; no customization is needed. All of this means faster adoption of the exploit by more attackers, and a fairly good chance of success for them.
- No official patch
When ShellShock was announced, the Bash developers quickly released a patch that eliminated one known-vulnerable portion of code (CVE-2014-6721). However, a more thorough audit revealed at least two more vulnerabilities (CVE-2014-7619) that are still being addressed. At the time of writing, there is an “unofficial” patch from Red Hat employee Florian Weimer, which seems to be the best option for system administrators.
NYI designed its FTW service to block all kinds of attempts to exploit vulnerable code within your web application. Many of these exploits use common vectors and methods to try to insert their malicious code. When the details of the ShellShock vulnerability were released, it was time to take a look at how FTW was handling these exploit attempts, and make sure that we were protecting against not just the known active exploits, but the variations that can be expected as the use of the exploit becomes more diverse.
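The two points above, that the payload is a string the shell executes as-is and that a filter has to catch the variations rather than one fixed exploit string, can be illustrated with a small log scanner. This is an added example and not NYI’s FTW code: it assumes an Apache combined-format access log, uses a whitespace-tolerant pattern for the Bash function-definition prefix that ShellShock payloads carry, and also checks percent-decoded values so that an encoded copy of the same prefix in the query string is not missed. The log lines, IP addresses and timestamps are constructed for the example.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# A ShellShock probe plants a Bash function definition, "() {", in any request
# field that a CGI handler copies into the environment (User-Agent, Referer,
# the query string, ...). The "\s*" gaps tolerate the spacing variants that
# appeared once the original exploit string started being reworked.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Apache combined log format: ip ident user [timestamp] "request" status size
# "referer" "user-agent". Assumed format for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (not real traffic). Line 2 carries the well-known
# harmless test string in User-Agent, line 3 a spacing variant in Referer,
# line 4 a benign path containing "()" that must NOT be flagged, and line 5 a
# percent-encoded copy of the prefix in the query string.
SAMPLE_LOG: List[str] = [
    '203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"',
    '198.51.100.7 - - [25/Sep/2014:10:01:15 +0000] "GET /index.html HTTP/1.1" 200 1024 "() {:;};echo vulnerable" "curl/7.37.0"',
    '203.0.113.9 - - [25/Sep/2014:10:02:00 +0000] "GET /docs/api()?lang=en HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [25/Sep/2014:10:02:31 +0000] "GET /cgi-bin/status?x=%28%29%20%7B%20:;%7D;%20echo HTTP/1.1" 200 512 "-" "curl/7.37.0"',
]


def looks_like_shellshock(value: str) -> bool:
    """True if the field carries the function-definition prefix, raw or percent-encoded."""
    return bool(SHELLSHOCK_RE.search(value) or SHELLSHOCK_RE.search(unquote(value)))


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one triage record per suspicious line: source IP, time, and the field that carried the payload."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unexpected format: skip rather than guess at field boundaries
        for field in ("request", "referer", "agent"):
            if looks_like_shellshock(m.group(field)):
                hits.append({"ip": m.group("ip"), "time": m.group("ts"), "field": field})
                break  # one record per line is enough for triage
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["time"]}  {hit["ip"]:<14} payload in {hit["field"]}')
```

Run against the constructed sample, the scanner reports the three probing lines and leaves the benign `api()` request alone. The same prefix test is what a request filter applies before the request reaches a CGI handler; checking every header that ends up in the environment, not just User-Agent, is what keeps the check ahead of the variations.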
Our next post will take a deeper look into NYI’s FTW service and how it protects web sites and web applications.