Shellshock, and more recently Poodle, are names that you may have heard recently on the Internet. As it may not be very explicit for you, these simple names hide behind awful security flaws. 2014 has been a bad year in this concern, as a lot of security flaws, and some very bad ones has been disclosed.
Before I introduce you to these flaws that made the internet shake, let’s just remember what security flaws are. Those are bugs, in some software used to make the website work, which allow behavior that would make the website less secure. These flaws can be simple or complicated, dangerous or not. They can allow deny-of-service (making a website unaccessible), data interception (one placing himself between you and a server and stealing, or even worse, replacing data – sometimes even on a secured connection) or remote execution (providing the ability for one attacker to run unattended commands on a server). These flaws can exist in the software for a long time, maybe known by a handful of people at some time – just hope that those people are security researchers and not hackers – and are often not known until they are disclosed – when the flaw is made public. At this moment, attacks are getting worse, and patching or updating is compulsory if you want your data to stay safe and your customers to stay happy.
Let’s review some of these flaws that were disclosed during the year:
This flaw, as its name says, will leak data that concern the core of the SSL library, the one that is supposed to encrypt your data between you and the server. This flaw hits the OpenSSL library, a popular open-source library used in a lot of software used on the web, so the impact of this flaw was very important.
Heartbleed allowed an attacker to get the private key of a server. This key is used by the server to decrypt the data that the client sends to him. Without this key, it’s impossible to decrypt the secured data between the client and the server. And, as its name tell us, it’s supposed to be kept private. But Heartbleed allowed to get data from server memory by sending very specific packets: this way, the attacker could get data from server memory, like passwords or other sensitive information, or worse, the famous private key, which would allow the attacker to decrypt data stolen from a secured connection or impersonating the legit owner of the key.
The flaw was quickly patched, either by OpenSSL team or the operating system teams who provide their OpenSSL binaries, but being vulnerable meant that you had to get a new certificate, as you don’t know if the old one was compromised. This also was bad news for OpenSSL project. Pointing structural flaws and poor architecture of the project, the OpenBSD team decided to make its own version of OpenSSL, LibreSSL, stripped down of lot of legacy code and cleaning the project, possibly avoiding future problems of the same kind, and should be accessible in the next months.
If you want to know how it works, the XKCD blog has a very well done explanation on the subject. See it here.
All people saying that Heartbleed was the worse security flaw were proven wrong when Shellshock was disclosed. When the former allowed to just read some data from memory, shellshock allows people to execute arbitrary commands on a remote server. Which can allow all sorts of attacks, gathering data, taking the server down, defacing sites, and so much more… And the worse part of this: this flaw has been present for years.
The shellshock flaw hits the bash software, a UNIX shell. This is a piece of software is responsible of running programs, either from user side than from some software, and is widely used by web servers to run the sub-processes responsible of webpage generation. The flaw touches the environment: some data, transmitted from programs to programs, used to transmit useful information. In the case of a web server, it is used to transmit all information from the request (what page does the user wants, what is its browser, what page he was visiting before, …) to the next programs.
The problem here is that bash added a long time ago (1989) that allowed to use environment to pass functions, some pieces of code that can be called by the shell to do some tasks. This feature can be useful and is not itself the source of the problem: in our case, bash should just pass the environment from server to page generation script and never use these functions. But here’s the point: if the function code is correctly written, it can force bash to run code on its launch, which is not desirable. It means that a person can simply ask for a webpage and set an HTTP header to a specially crafted value, and when bash will read the environment containing the malicious data, it will try and execute it as the web server. Which allows a very large range of attacks to be performed.
Worse, as patches to fix this problem were published, new ways of exploiting the bug were found and needed new patches. Were Heartbleed was summed in one security report (CVE), shellshock bug has 6 security records – so 6 different flaws – allowing arbitrary data execution. And we don’t know if more are to come.
This flaw mainly hit Linux servers who used bash for all sort of operations on the server. Patches were made quickly to fix this problem and block further attacks. Apple, which uses bash too in its OS X system, released its first ever security patch for bash, even if macs should not be vulnerable if advanced services were not enabled.
Poodle is a flaw in the SSLv3 protocol. And it is a big issue as it is a design flaw and not a software flaw: it can’t be patched. So it’s the whole protocol that should be thrown away.
The flaw allows an attacker stealing a secured connection to decrypt its data. This would allow to intercept sensitive data, as passwords or bank card numbers, or cookies allowing the attacker to steal an open session on sensitive website and impersonate the victim.
This problem is created by a weak validation of the transmitted data which leaves open this attack. The solution is simple: completely forget SSLv3 and use TLS to make connections, as this revision of the secure layer does additional and stronger validation of the data, making this flaw impossible. If you use recent software, you should already be using TLS. If not, it’s time to update.
The web security is a very hot subject. Each second, web servers are attacked and data are stolen. Each minute, a new big flaw can be discovered, leading to new sort of attacks and insecurity of your data. Of course, security researchers are always on the deck to discover and fix these flaws; but so are attackers, and their goal is not to fix these flaws. Is your data safe? Maybe. The web does its best to keep you in a protected space, but as you can see above, there are some big unexpected incidents in the plan.