Studentnet News

02 October 2014

Cloudburst - the Shellshock Edition

By now many of you will have heard of the Shellshock vulnerability exposed last week. Attempts to exploit the vulnerability are occurring across most of the Internet. This vulnerability is of such a scale, of such an impact, and so easy to exploit that we'd like to dedicate this edition of Cloudburst just to Shellshock.

There's a lot we need to cover:
  • What is Shellshock? How do I protect against it? We're a Windows shop so we're safe - not! - a detailed list of links providing you with the context of the vulnerability and how to proceed
  • Shellshock's impact on Studentnet - a detailed description of what we observed in our operations and what it meant for us
  • How Studentnet has responded - Improved security at Studentnet - details on how we are adjusting our services to tighten security and reduce exposure to further attack

What is Shellshock? How do I protect against it? We're a Windows shop so we're safe - not!

The existence of the BASH vulnerability (now referred to as "Shellshock") was revealed to the world on Wednesday September 24 by Stéphane Chazelas. The vulnerability was immediately notable for three reasons:
  1. It is extremely easy to exploit - no special access is required. For instance, a simple HTTP request is sufficient to carry the exploit. Moreover, the syntax is extremely simple and the amount of code is minimal.
  2. The population of vulnerable systems is enormous - BASH is everywhere and in everything from major servers, to desktops, to mobile devices, to consumer-grade network devices. The vulnerable code has been in existence for over 20 years without being previously detected - plenty of time to be spread far and wide. Plus the exploit can be carried not just by HTTP but also by DHCP. So if you have a network device (think wi-fi access point) distributing DHCP in your network (and who doesn't?) then you could be open to exploitation. This is why even Windows shops are not safe.
  3. It is very *powerful* - simply put, /"remote code execution"/ is now possible. This can act as a stepping stone to complete control of a system and hence the network.
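
An added example (not Studentnet's own tooling) of how attempts carried in HTTP requests can be spotted in a web server access log: it flags any request line, Referer or User-Agent that contains the BASH function-definition marker "() {", including URL-encoded forms. The Combined Log Format is an assumption, and the log lines are constructed, with the injected command elided.

```python
import re
from urllib.parse import unquote

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"'
)
# Start of a BASH function definition: "()" followed by "{", spaces optional.
MARKER_RE = re.compile(r'\(\s*\)\s*\{')


def find_attempts(lines):
    """Return (source_ip, field) for every logged field carrying the marker."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed log format
        for field in ("request", "referer", "agent"):
            # Decode %XX escapes first so encoded markers are caught too.
            if MARKER_RE.search(unquote(m.group(field))):
                hits.append((m.group("ip"), field))
    return hits


# Constructed sample lines (documentation IP ranges, command text elided).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2014:09:12:01 +1000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [25/Sep/2014:09:14:33 +1000] "GET / HTTP/1.0" 200 5120 "-" "() { :; }; <command elided>"',
    '203.0.113.5 - - [25/Sep/2014:09:15:02 +1000] "GET /page?x=%28%29%20%7B%20%3A%3B%20%7D HTTP/1.1" 404 312 "() { _; } <command elided>" "curl/7.30"',
]

if __name__ == "__main__":
    for ip, field in find_attempts(SAMPLE_LOG):
        print(ip, field)
```

Treat hits as triage leads: the same character sequence can appear in benign query strings that contain JavaScript.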

As Studentnet learnt of Shellshock, we started maintaining a list of references to aid in protecting ourselves. We are pleased to make that reference available to our client community at http://studentnet.net/security.php

Finally, we should note that Shellshock is now a concern for all of your organisation including principals and business managers. It is no longer just a concern for the technical community. For instance the Australian Privacy Commissioner has announced that businesses that do not guard against Shellshock are in breach of the /Australian Privacy Act/.

Shellshock's impact on Studentnet

Studentnet first observed Shellshock on Thursday morning although at the time we did not recognise it as being the BASH vulnerability. By Friday morning we had compiled an inventory of vulnerable systems and proceeded to patch our systems with the initial patch that was available.

Unfortunately, the initial patch available to us on that Friday was not 100% watertight and was itself exploitable. Systems that we patched on Friday were going to be vulnerable over the weekend.

At that point, we made the decision that it was too great a risk to leave our most vulnerable system, being our shared web hosting server, open and exploitable over the weekend whilst we waited for an improved patch. Accordingly we shut down the shared web hosting server until a better patch was available, hoping that this would be the case by Monday.

This meant that some school web sites were not available for the weekend of September 27 and 28. Studentnet apologises for that outage - in the circumstance we believed it to be the safest and most prudent course of action.

Fortunately an improved patch became available by Monday September 29. However even this patch is not completely secure. Instead of just patching our system, Studentnet took the decision on Monday to rebuild our most vulnerable systems from scratch. Only after we completely rebuilt our systems did we bring our shared web hosting server back online. By Monday afternoon all school web sites were back online.

Please note: Even today, Thursday October 2, the patches currently available from vendors are known NOT to be completely secure against Shellshock; see http://www.crn.com.au/News/396395,bash-bug-cisco-juniper-to-issue-emergency-updates.aspx

If you have any questions regarding this sequence of events, please feel free to contact us immediately.

How Studentnet has responded - Improved security at Studentnet

Studentnet believes that the Shellshock incident has only just begun. It will take months, even possibly years, for this incident to completely play out. Some people are referring to the Internet as now being fundamentally broken. That view is probably too extreme but it emphasises the need for us (collectively everybody) to improve our operations.

With the words of the Australian Privacy Commissioner ringing loudly in our ears and in the best interests of all of our school clients, Studentnet is responding to the need for more accountable security by tightening all access to our systems. Our first step is to introduce the following rules to gain access to any of our systems:
  • access will only be available from a fixed IP address - eliminates the need to maintain open rules in our firewall
  • authentication for access must be via key based mechanisms - reduces possibility of brute force attacks to gain access
  • file transfers to and from our systems will only be permitted via SSH based mechanisms (eg SFTP, WinSCP etc) - enforces encrypted communication.
These new disciplines will have greatest impact on the developers and maintainers of your web site. Please ask them to contact support@studentnet.net to make arrangements appropriate to your school.
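
An added example (not Studentnet's configuration or tooling) of how the first two rules can be checked on a server, assuming OpenSSH's sshd_config format: it reports password-style logins left enabled and AllowUsers entries that are not pinned to a source address. The account names, addresses and both sample configurations are constructed.

```python
def effective_settings(config_text):
    """Global sshd_config keywords; sshd keeps the first value it reads."""
    first, allow = {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()              # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":                  # conditional blocks: not audited here
            break
        if key == "allowusers":             # may repeat; patterns accumulate
            allow.extend(value.split())
        else:
            first.setdefault(key, value)
    return first, allow


def audit(config_text):
    """Return findings against key-only logins from fixed source addresses."""
    cfg, allow = effective_settings(config_text)
    findings = []
    if cfg.get("passwordauthentication", "yes") != "no":
        findings.append("password logins are enabled")
    kbd = cfg.get("kbdinteractiveauthentication",
                  cfg.get("challengeresponseauthentication", "yes"))
    if kbd != "no":
        findings.append("keyboard-interactive logins are enabled")
    if cfg.get("pubkeyauthentication", "yes") == "no":
        findings.append("public-key logins are disabled")
    if not allow:
        findings.append("no AllowUsers list: any source address may connect")
    for pattern in allow:
        host = pattern.partition("@")[2]
        if not host or "*" in host or "?" in host:
            findings.append("AllowUsers entry not pinned to an address: " + pattern)
    return findings


# Constructed samples. In WEAK the later "no" is ignored: the first value wins.
WEAK = "PasswordAuthentication yes\nPasswordAuthentication no\nAllowUsers webdev\n"
HARDENED = ("PasswordAuthentication no\nKbdInteractiveAuthentication no\n"
            "PubkeyAuthentication yes\n"
            "AllowUsers webdev@203.0.113.20 deploy@203.0.113.21\n")

if __name__ == "__main__":
    print(audit(WEAK))
    print(audit(HARDENED))
```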

Conclusions

Studentnet believes the best way forward is to continue to partner with our school clients to deliver the best possible outcome. We want to ensure that the lines of communication are open. We want to work with you to deliver pragmatic, reliable service for all of our products. The measures we have outlined above are a step forward in improving security, which we believe is the foundation for the delivery of certainty and continuity.

Please feel free to contact us at any time to discuss how we can accommodate your requirements and to explore options.

Best Regards
The Studentnet Team

STUDENTNET®     ABN 90 001 966 892
Suite 1, 89 Jones St, Ultimo NSW 2007, Australia
Email: info@studentnet.net     Site: studentnet.net
Tel +61 2 9281 1626         NOC +61 2 9281 3905
Highly Commended: IPv6 - ANZIA Awards 2012