[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <54243BA1.5010908@redbarn.org>
Date: Thu, 25 Sep 2014 08:58:25 -0700
From: Paul Vixie <paul@...barn.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: Re: [FD] Critical bash vulnerability CVE-2014-6271
> Philip Cheong <mailto:philip.cheong@...stx.se>
> Thursday, September 25, 2014 5:39 AM
> Worse that heartbleed?
i think so. more below.
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
>
> http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/
heartbleed was a read-only privilege escalation, and i normally consider
privilege escalation vulns "worse than" remote code execution vulns. as
an example, the private key used by the SSL-enabled server was exposed
to read access, making heartbleed also a credential compromise vuln.
that's a high score because of all the second-order effects reachable
once you have a credential compromise.
however, i'd score this bash bug higher, because many online systems
have multiple privilege escalation vulns which are reachable once you
have remote code execution capability, and preventing remote code
execution is the "crunchy exterior" to the privilege escalation's "soft
gooey interior". (borrowing those quoted terms from cheswick et al,
"firewalls", first edition.)
the other reason to score the bash bug higher than heartbleed is the
several-orders-of-magnitude greater attack surface. systems that use
bash and put it in a data path (web CGI and dhcp client-side hooks being
examples) are far more numerous than systems which used openssl, and so
i expect the long term impact of this bash bug to be far greater than
from heartbleed.
the long tail problem, wherein many instances of this bash bug are not
inventoried, and of those inventoried, most are not field upgradeable,
and of those field upgradeable, most are operated without auditing. that
means: this bash bug will still be globally available to miscreants even
after all humans now living are dead and the world contains only our
descendants.
fixing apple and redhat and other systems we actually know about is the
easy, and insigificant, part of this puzzle.
--
Paul Vixie
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists