WEB SECURITY
Billy Conn
Sr Architect, EdgeTheory
HEARTBLEED&
SHELLSHOCK
HEARTBLEED
April 2014
a bug in TLS
Allowed network to detect a closed connection early
- Several "we don't need this" objections
- Only really useful for DTLS
- Many unaffected sites had this feature disabled
The Heartbleed Bug
hbtype = *p++;
n2s(p, payload);
pl = p;
…
*bp++ = TLS1_HB_RESPONSE;
s2n(payload, bp);
memcpy(bp, pl, payload);Expected
-
If you're still there, send me these 5 bytes back: "ABCDE"
-
Server responds with ABCDE
Not Expected
-
If you're still there, send me these 65535 bytes back: "ABCDE"
-
Server responds with 64k - potentially decrypted -bytes
- Does start with ABCDE, at least.
The server never checks that you're not requesting more back than you sent!
Why is Heartbleed so bad?
-
Ability to read up to 64k of unencrypted data previously sent on someone else's connection (E.g., passwords)
-
Also possible to get the sites private key, since that's in memory, too.
Who it affected
Sites
- Gmail
-
Akamai
-
AWS
-
GitHub
-
Stripe
-
Wikipedia
-
Reddit
- Yahoo
Software
McAfee
Cisco
Steam
- LastPass
Both server and client have this bug! A malicious server could request payload, too!
1% of sites still vulnerable as of Nov 1
Causes
-
Hard-to-maintain code
-
Performance over maintainability and security
-
Feature Creep
-
-
Lack of testing
-
Significant portion of OpenSSL still untested
-
Resolution
-
Upgrade OpenSSL
-
Re-issue certs
- Restart machine to ensure all services use new OpenSSL
Takeaways
- Readability matters when you write software.
-
Testing matters when you write software.
-
No matter who you are, you should patch.
-
Don't build software features you don't need.
-
Hard to do when you're small.
-
-
Never trust user input.
-
Entire problem solved by one line of code to check user input.
-
SHELLSHOCK
Introduced Sep, 1989
Disclosed Sep, 2014
4 different vulnerabilities in bash environment variable handling
2 others related to parsing
- When setting environment variables, bash will execute them as code in a special case.
"Potentially nastier than Heartbleed"
Why is this bug so bad?
-
Ability to execute arbitrary code on the affected machine
-
Used in conjunction with other security holes or misconfigured machines
Who it affected
Tools
-
CGI/FastCGI-based web applications
-
OpenSSH
-
dhcp
-
CUPS
-
Oracle products (multiple)
-
Cisco products (multiple)
- Routers (limited subset)
"I don't use bash"
-
/bin/sh emulation
-
busybox
-
"system"
- globbing
Unknown number of machines still affected
Causes
-
Infrequently used feature
-
Patches did not remove feature entirely, but namespaced it instead.
-
Failure to remove it, due to backward compatibility
-
-
Poorly thought-out implementation
-
Failure to use "best practices" for security tools
-
Address randomization would have changed severity of this bug greatly.
-
-
Lack of documentation of external interfaces
Takeaways
-
Document your interfaces
-
Remove features you don't use
-
Always turn on optionally, or namespace the features.
-
-
Only run software features you need
-
DASH example vs BASH
-
-
PATCH
-
Primary vectors that found access via shellshock were fixing their vulnerabilities more quickly than bash
-
- NEVER TRUST USER INPUT.
Heartbleed
vs.
Shellshock
Heartbleed
- Impossible to detect initial usage
- Easy to ensure no ongoing consequences.
Shellshock
- Hard to detect initial usage
- Very hard to ensure no ongoing consequences
-
Machine can be compromised indefinitely without symptoms.
- Only truly secure way to handle is to wipe potentially compromised servers!
DETECTION
Heartbleed
-
Easy to resolve:
- Upgrade OpenSSL
- Reissue
- Restart
Shellshock
- Much more difficult
-
Closing vulnerability easy: upgrade Bash
- On everything, including routers.
- Ensuring it wasn't attacked, however, is difficult.
RESOLUTION
Heartbleed
-
Small number of individual attack vectors
-
Very widely deployed and easy to attack (large surface area)
Shellshock
-
Large number of attack vectors
-
Varying degrees of difficulty to attack and deployment.