Shellshock – Security Technology Vendor Information

Based on the requests of our clients, as discussed in our previous blog post “How Shocking is ‘Shellshock’?”, below is a list of security technology vendors whose solutions are susceptible to the Shellshock vulnerability. This list will be regularly updated to provide you with timely information on the security technology vendors that you rely on to protect your organization.

Last Updated: Wednesday, October 1, 2014 13:47 EDT


How Shocking is ‘Shellshock’?

Overview

The Shellshock vulnerability is present in the Bourne Again Shell (Bash) versions up to and including 4.3. Bash is a popular command shell for Unix and Linux operating systems, and it is often the default shell for many platforms, including OSX.

The version of Bash can easily be identified by using the bash --version command.

# bash --version
GNU bash, version 4.2.37(1)-release (i486-pc-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This vulnerability is actually quite simple and easy to understand. Bash allows functions to be defined in environment variables and processes such functions when a session is initiated. However, the processing does not stop at the end of the function definition, like it should, but it instead continues to process subsequent commands in the string.

Consider the following environment variable. The first part, up to and including the closing brace and semicolon, is a standard function definition, and the remainder contains two additional commands. These commands will print (echo) the word “Vulnerable” to the screen, as well as print the id of the current user. Note that commands are separated by semicolons (“;”).

DEMO="() { ignored; }; echo Vulnerable; /usr/bin/id"

This environment variable can be defined using the export command.

# export DEMO="() { ignored; }; echo Vulnerable; /usr/bin/id"

This alone does not trigger the vulnerability. However, the env command can be used to list the environment variables and confirm that this new variable has indeed been defined.

# env
…snip…
USER=root
XDG_SESSION_PATH=/org/freedesktop/DisplayManager/Session0
XDG_SEAT_PATH=/org/freedesktop/DisplayManager/Seat0
SSH_AUTH_SOCK=/tmp/ssh-grryqvZSm99S/agent.3958
DEMO=() { ignored; }; echo Vulnerable; /usr/bin/id
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
DESKTOP_SESSION=LXDE
MAIL=/var/mail/root
PWD=/root
…snip…

Now, if a new Bash session is started, the word “Vulnerable” and the current user ID information are displayed, as expected.

# bash
Vulnerable
uid=0(root) gid=0(root) groups=0(root)

The primary attack vector for remote exploitation is currently Apache web servers that are hosting CGI applications. This is due to the fact that this configuration, as denoted in the CGI specification, allows environment variables to be created from user-controlled input. Several avenues for defining custom environment variables exist, but HTTP headers are the most straightforward.

The following example is a standard HTTP GET request that contains a custom header (Demo), which includes a function definition and additional id command.

GET /cgi-bin/test.cgi HTTP/1.1
Host: localhost
Accept-Encoding: identity
Demo: () { ignored;}; /usr/bin/id
Content-type: application/x-www-form-urlencoded

Submitting this request to a CGI script hosted by Apache creates the following environment variable.

HTTP_DEMO="() { ignored;}; /usr/bin/id"

Again, simply defining the environment variable does not result in automatic code execution. The underlying CGI script must meet specific conditions as well. Consider the following CGI script. This script simply executes the ifconfig command (which would display network interface information if returned to the user). This script is not vulnerable to attack.

#!/usr/bin/perl
print "Content-type: text/html\n\n";
exec('ifconfig');

However, the following script effectively executes the same command, but it first initiates a new Bash session. This script is therefore vulnerable.

#!/usr/bin/perl
print "Content-type: text/html\n\n";
exec('/bin/bash -c ifconfig');
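To make the header-to-environment step above concrete from the defender's side, here is an added Python example (not code from the original post): it applies the CGI header mapping from RFC 3875 to the sample GET request shown in this section (constructed inline) and flags any resulting variable whose value starts with the Bash function-definition prefix “() {”, which is what a web-server filter should reject before spawning a CGI script. The helper names are my own.

```python
import re

# Bash exports a function as a value beginning with "() {"; the Shellshock
# bug is that parsing continued past the closing brace. Whitespace between
# the parentheses and the brace is optional, so match it loosely.
SHELLSHOCK_PREFIX = re.compile(r"^\s*\(\)\s*\{")

# Constructed sample: the GET request shown in this section.
SAMPLE_REQUEST = (
    "GET /cgi-bin/test.cgi HTTP/1.1\r\n"
    "Host: localhost\r\n"
    "Accept-Encoding: identity\r\n"
    "Demo: () { ignored;}; /usr/bin/id\r\n"
    "Content-type: application/x-www-form-urlencoded\r\n"
    "\r\n"
)


def header_to_cgi_var(name):
    """RFC 3875 mapping: 'Demo' -> 'HTTP_DEMO', 'User-Agent' -> 'HTTP_USER_AGENT'.
    Content-Type and Content-Length are exported without the HTTP_ prefix."""
    canonical = name.strip().upper().replace("-", "_")
    if canonical in ("CONTENT_TYPE", "CONTENT_LENGTH"):
        return canonical
    return "HTTP_" + canonical


def cgi_environment(raw_request):
    """Build the part of the CGI environment that is derived from the request
    line and headers: request-line variables first, then one per header."""
    head, _, _body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    path, _, query = target.partition("?")
    env = {
        "GATEWAY_INTERFACE": "CGI/1.1",
        "REQUEST_METHOD": method,
        "SCRIPT_NAME": path,
        "QUERY_STRING": query,
        "SERVER_PROTOCOL": version,
    }
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed header lines without a colon
            env[header_to_cgi_var(name)] = value.strip()
    return env


def shellshock_indicators(env):
    """Return (variable, value) pairs whose value looks like an exported Bash
    function; a server-side filter would deny the request on any hit."""
    return [(k, v) for k, v in sorted(env.items()) if SHELLSHOCK_PREFIX.match(v)]


if __name__ == "__main__":
    for var, val in shellshock_indicators(cgi_environment(SAMPLE_REQUEST)):
        print(f"flagged {var}={val!r}")
```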

Impact

The impact of successful exploitation will vary considerably based on the target host. Configurations that are properly hardened will suffer less immediate impact than those that are not. For example, exploiting the previous CGI script on a current, default Apache installation only results in a compromise of the limited www-data user, as shown below.

$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Granted, any level of access is concerning. Even an unprivileged account may be used to obtain sensitive data or fully compromise the system through privilege escalation attacks. However, such a scenario is still far preferable over directly facilitating a full system compromise.

While the above demonstration is currently the most likely attack vector, any service that both allows users to define environment variables and initiates additional Bash sessions is vulnerable to attack. Proof-of-concept exploits are already starting to surface for other services, such as DHCP.

Identification

As one can imagine, the attack vectors for this vulnerability are numerous. Because this flaw is so tightly linked to the underlying operating system, any Unix or Linux service that runs in a Bash environment is potentially vulnerable. However, identifying vulnerable systems on your own is also trivial. In addition to basic version checks, as shown in the first command excerpt, you can simply open a shell and run the following command (Vulnerable systems will print the word “Vulnerable” to the display):

# env SHELLSHOCK="() { :;} ; echo Vulnerable" /bin/bash -c test
Vulnerable

Detection methods, remediation procedures, and exploitation prevention signatures are all in various stages of development, with many vendors already developing and releasing patches. While opening a shell on every Unix/Linux-based network host you’re responsible for may not be feasible, the immediate priority should revolve around identifying accessible Unix/Linux services and conducting further analysis. Public-facing services should be reviewed first, given their significantly greater exposure, with a review of internal services occurring as time and resources allow.

The following two commands will provide an initial list of common Unix, Linux, and OS X/Mac services that are accessible on the specified network range(s); the operating system of each underlying host should then be reviewed for the presence of this vulnerability.

# nmap --open -oG shellshock.gnmap -sV -O <network range(s)>
# grep -i "linux\|unix\|os x\|mac" shellshock.gnmap

You can use virtually any scanner to search for this vulnerability on your network, or write your own based on version or echo checks, but vendors such as Tenable, Rapid7, and Qualys have already rolled out updates to support detection of vulnerable systems.

Remediation

The most effective remediation strategy obviously consists of applying patches to affected systems. Patches already exist for most Linux distributions, such as Red Hat and Debian. As of this writing, OSX v10.9.5 and earlier are vulnerable, and Apple has not provided any information regarding when a patch will be available. However, an immediate workaround does exist, if one is willing to manually recompile Bash on OSX. If the system or device does not allow operating system patches to be applied directly, contact the vendor for such a vulnerable host in order to obtain specific remediation instructions. While Linux is commonly used across a wide range of systems and devices, limited administrative functionality may require firmware updates or other custom remediation procedures.

This vulnerability also presents an opportunity to review systems for unnecessary or unhardened services, such as FTP, Telnet, SSH, HTTP/S, and DHCP. While some services will undoubtedly be immune to this attack, obscure attack vectors will likely continue to surface for the foreseeable future, and a service shouldn’t be considered secure simply because a proof-of-concept exploitation technique doesn’t currently exist.

Unnecessary services should be disabled (or restricted via firewall access-control lists, at a minimum) in order to reduce a host’s overall attack surface. Furthermore, services that must remain accessible should be hardened as much as possible. For example, triggering this condition via SSH requires valid credentials, and implementing key-based authentication will reduce the associated risks further than traditional password-based authentication.

Prevention capabilities will evolve as additional exploits are made public or discovered in the wild. As mentioned earlier, the most likely attack vector is currently via Apache mod_cgi scripts. This is evidenced by the fact that several proof-of-concept CGI exploits have already surfaced on the web, and a corresponding Metasploit exploit module has also already been developed. However, the defensive side is moving just as fast: this CGI-based attack vector can be mitigated with mod_security rules published by Red Hat and F5 LineRate (of course, there’s an F5 BIG-IP iRule as well), and Cisco has also updated their signatures to detect and block these attacks. Contact your security control vendors for further information regarding their options for attack prevention.

Finally, be advised that many embedded systems and other devices, including but not limited to printers, security cameras, environmental monitoring solutions, SOHO routers and switches, Network Attached Storage (NAS) devices, and many types of consumer electronics are likely susceptible to this vulnerability as well. Furthermore, these devices could be difficult or even impossible to patch, and as detailed above, access to network services should be disabled or restricted at the bare minimum.

Consumers should be on the lookout for firmware updates from the manufacturers of these devices, and the device and perimeter network configuration should be reviewed to determine which, if any, services are directly exposed to the Internet. Publicly-accessible services in particular should be disabled or restricted in order to avoid exploitation. These random, Internet-accessible devices may pose the largest threat, as they are easy to overlook and may remain accessible and vulnerable for extended periods of time. Research is already underway to convert proof-of-concept exploits into self-propagating worms.

Webinar

For additional information on this subject and the opportunity to ask questions, please click here to register for our Webinar titled “How Shocking is ‘Shellshock?’”, occurring on Sept. 29th, 2pm (EDT).


About GuidePoint Security

GuidePoint Security, LLC provides customized, innovative and valuable information security solutions and proven cyber security expertise that enable commercial and federal organizations to successfully achieve their security and business goals. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Reston, Virginia, and with offices in Michigan, New Hampshire, Florida and North Carolina, GuidePoint Security is a small business, and classification can be found with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.

Mobile Security and Privacy in an iOS 8 World

iOS 8 was released on September 17 of this year for the iPad 2, iPhone 4S, and newer devices, and is pre-installed on the new iPhone 6 and 6+, which were released on September 19, 2014. Since blogs and articles detailing the new features and changes in iOS 8 abound, we won’t share those details here. Instead, we will cover only the security and privacy improvements. If you’re interested in all the juicy details surrounding iOS 8, have a look at the iPhone or iPad user guides published by Apple, which are available for free in the iBook store.

Now, on the topic of mobile security, according to 451 Research, mobile device security is the top source of pain for the enterprise security managers who were interviewed for their latest study. The pain points cover several general areas including consumerization, employee expectations, and device management. Mobile device security was a top concern of 16% of respondents, up 13% from last year.


So, will the security changes in iOS 8 help enterprise security managers sleep at night? Time will tell, but let’s have a look at the goods.

For starters, Apple can no longer unlock a user’s device even if requested by government or law enforcement order – that ability was removed in iOS 8. This is very important for privacy and security, especially with the rollout of the Apple Pay feature available with iPhone 6/6+. Apple also patched the so-called “diagnostic backdoors” that were supposedly used by the NSA to steal users’ data. If that isn’t enough, several other features have been created or modified to quickly enable “un-trusting” of all computers that a device has been connected to and the ability to limit the amount of data that applications collect and share about you. You can even change Safari’s default search from Google to the privacy-conscious DuckDuckGo.

Furthermore, Apple’s updated privacy policy assures users that it does not use email and Web browsing habits to build a user profile for monetization. As if this weren’t enough to prove Apple is serious about security and privacy, most of the security measures are enabled by default. One exception is that users must manually enable two-step verification for their iCloud accounts, which will help prevent potentially sensitive data, such as selfies, from being stolen.

Well, what do you think? Will these changes make a difference for the troubled security managers around the country? They certainly won’t hurt, but anyone involved in enterprise mobility management or mobile security research knows there’s still much to be done to reduce the risk of mobility and BYOD in the enterprise. Reach out to your GuidePoint Security account executive to learn more about what you can do to reduce the risk of adopting BYOD in your organization.

Finally, I’d be remiss if I didn’t mention the partnership that Apple & IBM announced over the summer. In my opinion, this is going to be a good thing for users and enterprises, but not so much for device and application management vendors, who may find stiff competition from companies with much deeper pockets. Will 2014 be the year that Apple and Google finally decide to take enterprise mobility seriously? We’ll all have to stay tuned as this evolves.


The 3 Largest Security Breaches of 2014

From streamlining business processes to connecting people globally, the Internet has undoubtedly improved lives, but it has also brought about a massive number of risks for which many organizations are often unprepared. As a result, data breaches across a large variety of industries all over the world have practically become commonplace.

Ranked in terms of the largest amount of data stolen, here are the top three security breaches of 2014 thus far:

1) Russian Data Breach by “CyberVor”

Hold Security revealed on August 5 that a Russian cyber-gang they named “CyberVor” pilfered billions of records from international organizations and individuals alike. 4.5 billion records to be exact.

CyberVor’s attack mainly targeted login credentials, according to Hold Security’s summary of the incident. The gang obtained credentials from fellow hackers on the black market at first, but upped the ante when they began utilizing botnets. CyberVor was able to use botnets to identify SQL injection vulnerabilities among the sites of their choosing, and then use those vulnerabilities to steal larger quantities of personal information—such as email addresses and passwords—from the databases of their victims.

2) eBay

In late February to early March, unknown attackers gained access to a handful of eBay’s employee credentials, which ultimately provided them access to a database of customer data. The database included names, encrypted passwords, phone numbers, physical and email addresses, and other non-financial data.

Luckily for customers, the company stated in a blog post on May 21 that they had not yet seen any signs of unauthorized user activity or compromised financial information. It is estimated that a majority of the company’s 145 million customers were affected, but the exact number is still unclear. Regardless, eBay decided to err on the side of caution and alert all of its customers to change their passwords.

3) Home Depot

On September 1, Home Depot confirmed that hackers had gotten a hold of an estimated 60 million credit card numbers over the course of approximately five months. Surprisingly, the company was not the first to mention the breach to the public. Instead, it was Brian Krebs, an information security buff who let the world know, resulting in a class action lawsuit in Georgia against Home Depot, Inc.

The Home Depot stores that were compromised are located in the United States and Canada, according to Paula Drake, a company spokeswoman. This means that any customer of these 2,157 stores could have been affected. On the bright side, online shoppers are not affected, and no debit card PINs were stolen.

So, how do other companies avoid making the same mistakes? They can start by requiring two-factor authentication for all Internet-facing systems. Further, ensuring that basic security tools, such as anti-malware, are regularly updated and appropriately deployed can prevent the spread of known malicious software at a low cost. Finally, the combination of strong logging, a SIEM, and a vigilant SOC provides a good defense when security technologies fail and an organization must respond quickly.


GuidePoint Security & Tenable Host Security Social Hour at the PCI SSC Community Meeting In Orlando

GuidePoint Security and Tenable invite you to their Security Social Hour in Orlando. Come network with the largest global community dedicated to payment security, and discover the PCI compliance solutions that we offer our customers.

When: Wednesday, September 10, 7-9PM
Where: Big River Grille and Brewing Works, Orlando, FL

Even as PCI security requirements become more stringent, GuidePoint Security offers the solutions and technologies to address them. By combining our security technology partner, Tenable, with our services and experience, we meet and exceed the security and compliance needs of our clients.

Tenable Security offers the following solutions to address today’s PCI requirements:

  • SecurityCenter Continuous View
  • Nessus Enterprise Cloud
  • Nessus Enterprise
  • Nessus
  • Passive Vulnerability Scanner

At GuidePoint Security, we lead security innovation by helping clients recognize threats, understand solutions, and mitigate risks throughout their IT environment. We do this by helping each client determine the best solutions for their unique needs.

Don’t miss the Security Social Hour on September 10th with GuidePoint Security and Tenable. There will be plenty of food, cocktails, and great conversation to go around.

To register for the PCI Security Social Hour, visit: http://gpsec.me/1zRB5h6.

For additional information about the PCI Community Meeting in Orlando, also visit: http://gpsec.me/1nPjnFl.


About Tenable Security

Tenable Network Security provides continuous network monitoring to identify vulnerabilities, reduce risk and ensure compliance. Their family of products includes SecurityCenter Continuous View™, which provides the most comprehensive and integrated view of network health, and Nessus®, the global standard in detecting and assessing network data. Tenable is relied upon by more than 24,000 organizations, including the entire U.S. Department of Defense and many of the world’s largest companies and governments. For more information, go to: http://www.tenable.com/industries/pci.