
By Lori MacVittie | October 12, 2014 02:00 PM EDT

Shellshock, appropriately and of course punnily named, is ravaging the Internet right now. Active exploits continue to grow in number and in complexity.
While there are multiple avenues through which this vulnerability can be exploited, the most active one at the moment appears to be via vulnerable Internet-facing systems running web applications.
These attacks take advantage of the lax constraints on HTTP headers that allow strings of nearly limitless length to be passed not just to the web server, but on to the system via CGI. Once passed, a 22-year-old GNU Bash vulnerability allows the code embedded in the HTTP header to be executed.
That code can be just about anything. A quick GIS will net you hundreds of sites documenting actual attempts at exploits including complete shell scripts designed to download and execute other malicious content.
While the exploit mechanism is fairly simple, the results are not. If it's a command you can run in Bash, you can probably trick the system into executing it. "rm -rf" isn't beyond imagining. Neither is "shutdown -h now." It really depends on what the attacker wants to accomplish, and that could be anything. As Barrett Lyon said in his blog yesterday, "expect the Internet to be a little messy for the next few months."
The good news is that, for web-borne attempts at least, a variety of mitigation options are already available. System patches will of course be flying fast and furious, but we (and that includes the bad guys) all know it takes time to obtain, certify and deploy those patches. In the meantime it's imperative to put a stop to the attacks, and that means you need something fast. Like, right now.
This is the kind of situation for which programmability is exceedingly well suited. While the attack varies depending on what the attacker is trying to do, the exploit depends on the consistent presence of four characters at the beginning of an HTTP header value: () {. Scripting solutions - whether iRules or node.js with LineRate - can detect this pattern in any HTTP header and deal with the request accordingly (while you may feel like crafting a cocky HTTP response to the request, and you certainly can when you've got a programmable data path, it's never a good idea to poke a badger, m'kay? I suggest just rejecting the connection, but that's me).
Web Application Firewalls (WAF) are also going to be a boon in mitigating this attack vector through web applications. Because the exploit string must always begin with the same characters, it is a good candidate for a signature. WAFs like BIG-IP ASM that support custom signatures can be used immediately to block these attacks. Bonus: WAFs are already adept at recognizing attempts to evade detection such as encoding and escaping of characters, both of which will likely be used more and more frequently as organizations begin to block exploit attempts.
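As an added example (not the post's own iRule or LineRate code), here is a small node.js screen that parses the header block of a raw HTTP request, normalizes percent-encoding the way a WAF would before matching, and names the first header whose value begins with the "() {" trigger so the request can be rejected. The sample requests are constructed for the demonstration.

```javascript
// Added example: detect the Shellshock trigger "() {" at the start of any
// HTTP header value, including a percent-encoded variant. Not from the post.

// Bash's trigger is the literal "() {"; the regex tolerates extra whitespace
// so trivial spacing variations are still caught.
const SHELLSHOCK_PATTERN = /^\s*\(\)\s*\{/;

// Single-pass percent-decoding; malformed sequences fall back to the raw value.
// A real WAF normalizes further (double encoding, escapes); this is the idea.
function normalize(value) {
  try {
    return decodeURIComponent(value);
  } catch (e) {
    return value;
  }
}

// Parse the header block of a raw HTTP/1.x request into [name, value] pairs.
function parseHeaders(rawRequest) {
  const headers = [];
  for (const line of rawRequest.split(/\r?\n/).slice(1)) { // skip request line
    if (line === '') break;                                 // end of headers
    const idx = line.indexOf(':');
    if (idx < 0) continue;                                  // ignore malformed
    headers.push([line.slice(0, idx).trim(), line.slice(idx + 1).trim()]);
  }
  return headers;
}

// Return the name of the first header carrying the trigger, or null.
function findShellshockHeader(rawRequest) {
  for (const [name, value] of parseHeaders(rawRequest)) {
    if (SHELLSHOCK_PATTERN.test(normalize(value))) return name;
  }
  return null;
}

// Decision a data-path script would act on: reject the connection or allow.
function screen(rawRequest) {
  const header = findShellshockHeader(rawRequest);
  return header ? { action: 'reject', header } : { action: 'allow' };
}

// Constructed sample requests (not captured traffic).
const BENIGN = 'GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: curl/7.37\r\n\r\n';
const PLAIN = 'GET /cgi-bin/x HTTP/1.1\r\nHost: example.test\r\nUser-Agent: () { :; }; echo hi\r\n\r\n';
const ENCODED = 'GET / HTTP/1.1\r\nHost: example.test\r\nReferer: %28%29%20%7B%20:;%20%7D;%20echo%20hi\r\n\r\n';

module.exports = { normalize, parseHeaders, findShellshockHeader, screen, BENIGN, PLAIN, ENCODED };
```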
No matter how you decide to mitigate this one, MITIGATE IT NOW. Yes, caps were necessary, especially given the news this summer that two months after public disclosure there were still 300,000 servers vulnerable to Heartbleed. Heartbleed was bad, but Shellshock is badderest. Heartbleed was rated a CVSS v2 severity score of 5 and an impact of 2.9. Shellshock? A 10 on both counts. And I suspect that's only because the scale doesn't go to 11. Maybe it should.
F5 customers can track the status of F5 with respect to Shellshock as well as access both BIG-IP and LineRate mitigating solutions here.
Keep calm and mitigate.
Copyright © 2014 SYS-CON Media, Inc. — All Rights Reserved.
Syndicated stories and blog feeds, all rights reserved by the author.
More Stories By Lori MacVittie
Lori MacVittie is responsible for education and evangelism of application services available across F5’s entire product suite. Her role includes authorship of technical materials and participation in a number of community-based forums and industry standards organizations, among other efforts. MacVittie has extensive programming experience as an application architect, as well as network and systems development and administration expertise. Prior to joining F5, MacVittie was an award-winning Senior Technology Editor at Network Computing Magazine, where she conducted product research and evaluation focused on integration with application and network architectures, and authored articles on a variety of topics aimed at IT professionals. Her most recent area of focus included SOA-related products and architectures. She holds a B.S. in Information and Computing Science from the University of Wisconsin at Green Bay, and an M.S. in Computer Science from Nova Southeastern University.