WEB SECURITY

Billy Conn

Sr Architect, EdgeTheory

HEARTBLEED&

SHELLSHOCK

HEARTBLEED

April 2014

a bug in TLS

 

Allowed network to detect a closed connection early

 

  • Several "we don't need this" objections
  • Only really useful for DTLS
  • Many unaffected sites had this feature disabled

The Heartbleed Bug

hbtype = *p++;
n2s(p, payload);
pl = p;

…

*bp++ = TLS1_HB_RESPONSE;
s2n(payload, bp);
memcpy(bp, pl, payload);

Expected

  1. If you're still there, send me these 5 bytes back: "ABCDE"

  2. Server responds with ABCDE

Not Expected

 

 

 

  1. If you're still there, send me these 65535 bytes back: "ABCDE"

  2. Server responds with 64k - potentially decrypted -bytes

  3. Does start with ABCDE, at least.

The server never checks that you're not requesting more back than you sent!

Why is Heartbleed so bad?

  1. Ability to read up to 64k of unencrypted data previously sent on someone else's connection (E.g., passwords)

  2. Also possible to get the sites private key, since that's in memory, too.

Who it affected

Sites

  1. Gmail
  2. Akamai

  3. AWS

  4. GitHub

  5. Stripe

  6. Wikipedia

  7. Reddit

  8. Yahoo

Software

  1. McAfee

  2. Cisco

  3. Steam

  4. LastPass

Both server and client have this bug!  A malicious server could request payload, too!

1% of sites still vulnerable as of Nov 1

Causes

  1. Hard-to-maintain code

    1. Performance over maintainability and security

    2. Feature Creep

  2. Lack of testing

    1. Significant portion of OpenSSL still untested

Resolution

  1. Upgrade OpenSSL

  2. Re-issue certs

  3. Restart machine to ensure all services use new OpenSSL

Takeaways

  1. Readability matters when you write software.
  2. Testing matters when you write software.

  3. No matter who you are, you should patch.

  4. Don't build software features you don't need.

    1. Hard to do when you're small.

  5. Never trust user input.

    1. Entire problem solved by one line of code to check user input.

SHELLSHOCK

Introduced Sep, 1989

Disclosed Sep, 2014




  • 4 different vulnerabilities in bash environment variable handling

  • 2 others related to parsing

  • When setting environment variables, bash will execute them as code in a special case.

"Potentially nastier than Heartbleed"

Why is this bug so bad?

  • Ability to execute arbitrary code on the affected machine

  • Used in conjunction with other security holes or misconfigured machines

Who it affected

Tools

  1. CGI/FastCGI-based web applications

  2. OpenSSH

  3. dhcp

  4. CUPS

  5. Oracle products (multiple)

  6. Cisco products (multiple)

  7. Routers (limited subset)

"I don't use bash"

  1. /bin/sh emulation

  2. busybox

  3. "system"

  4. globbing

Unknown number of machines still affected

Causes

  1. Infrequently used feature

    1. Patches did not remove feature entirely, but namespaced it instead.

    2. Failure to remove it, due to backward compatibility

  2. Poorly thought-out implementation

  3. Failure to use "best practices" for security tools

    1. Address randomization would have changed severity of this bug greatly.

  4. Lack of documentation of external interfaces

Takeaways

  1. Document your interfaces

  2. Remove features you don't use

    1. Always turn on optionally, or namespace the features.

  3. Only run software features you need

    1. DASH example vs BASH

  4. PATCH  

    1. Primary vectors that found access via shellshock were fixing their vulnerabilities more quickly than bash

  5. NEVER TRUST USER INPUT.

Heartbleed
vs.
Shellshock

Heartbleed

  • Impossible to detect initial usage
  • Easy to ensure no ongoing consequences.

Shellshock

  • Hard to detect initial usage
  • Very hard to ensure no ongoing consequences
  • Machine can be compromised indefinitely without symptoms.

  • Only truly secure way to handle is to wipe potentially compromised servers!

DETECTION

Heartbleed

  • Easy to resolve:

    • Upgrade OpenSSL
    • Reissue
    • Restart

Shellshock

  • Much more difficult
  • Closing vulnerability easy: upgrade Bash
    • On everything, including routers.
  • Ensuring it wasn't attacked, however, is difficult.

RESOLUTION

Heartbleed

  • Small number of individual attack vectors

  • Very widely deployed and easy to attack (large surface area)

Shellshock

  • Large number of attack vectors

  • Varying degrees of difficulty to attack and deployment.

ATTACK VECTORS

SECURITY: 

When you do it right, everyone feels like you're just wasting time

web-security

By Harper Maddox

web-security

Billy Conn's 11-25-2014 presentation to the Jackson Area Web Developer's Group (JAWAD) on Web Security. Discussion of Heartbleed, ShellShock and Poodle

  • 869