IBM Cloud Authors: Elizabeth White, Yeshim Deniz, Pat Romanski, Liz McMillan, Stefan Bernbo

Related Topics: @DevOpsSummit, Industrial IoT, Mobile IoT, IBM Cloud, Agile Computing, Cloud Security

@DevOpsSummit: Blog Post

Shellshock: Keep Calm and Mitigate | @DevOpsSummit [#DevOps]

Yes, it is that bad. But don't panic

Shellshock, appropriately and of course punnily named, is ravaging the Internet right now. Active exploits continue to grow in number and in complexity.

While there are multiple avenues through which this vulnerability can be exploited, the most active one at the moment appears to be via vulnerable Internet-facing systems running web applications.

Register For DevOps Summit FREE (before Friday) ▸ Here

These attacks take advantage of the lax constraints on HTTP headers that allow strings of nearly limitless length to be passed not just to the web server, but on to the system via CGI. Once passed, a 22 year old GNU Bash vulnerability allows the code embedded in the HTTP header to be executed.

patch-right-nowThat code can be just about anything. A quick GIS will net you hundreds of sites documenting actual attempts at exploits including complete shell scripts designed to download and execute other malicious content.

While the exploit mechanism is fairly simple, the results are not. If it's a command you can run in Bash, you can probably trick the system into executing it. "rm -rf" isn't beyond imagining. Neither is "shutdown -h now." It really depends on what the attacker wants to accomplish, and that could be anything. As Barrett Lyon said in his blog yesterday, "expect the Internet to be a little messy for the next few months."

The good news is that for at least web-borne attempts to mitigate attacks there are a variety of options already available. System patches will of course be flying fast and furious, but we (and that includes the bad guys) all know it takes time to obtain, certify and deploy those patches. In the meantime it's imperative to put a stop to the attacks and that means you need something fast. Like, right now.

This is the kind of situation for which programmability is exceedingly well suited. While the attack varies depending on what the attacker is trying to do, the exploit depends on the consistent presence of four characters at the beginning of an HTTP header: () {. Scripting solutions - whether iRules or node.js with LineRate - can detect this pattern in any HTTP header and then be dealt with accordingly  (while you may feel like crafting a cocky HTTP response to the request and you certainly can when you've got a programmable data path, it's never a good idea to poke a badger, m'kay? I suggest just rejecting the connection, but that's me).


Web Application Firewalls (WAF) are also going to be a boon in mitigating this attack vector through web applications. The requirement for the string composition to begin consistently means it's a good candidate for a signature. WAFs like BIG-IP ASM that support custom signatures can be used immediately to block these attacks. Bonus: WAFs are already adept at recognizing attempts to evade detection such as encoding and escaping of characters, both of which will likely be used more and more frequently as organizations begin to block exploit attempts.

No matter how you decide to mitigate this one, MITIGATE IT NOW. Yes, caps were necessary, especially given the news this summer that two months after public disclosure there were still 300, 000 servers vulnerable to Heartbleed. Heartbleed was bad, but Shellshock is badderest. Heartbleed was rated a CVSS v2 severity score of 5 and an impact of 2.9. Shellshock? A 10 on both counts. And I suspect that's only because the scale doesn't go to 11. Maybe it should.

F5 customers can track the status of F5 with respect to Shellshock as well as access both BIG-IP and LineRate mitigating solutions here.

Keep calm and mitigate.

Read the original blog entry...

More Stories By Lori MacVittie

Lori MacVittie is responsible for education and evangelism of application services available across F5’s entire product suite. Her role includes authorship of technical materials and participation in a number of community-based forums and industry standards organizations, among other efforts. MacVittie has extensive programming experience as an application architect, as well as network and systems development and administration expertise. Prior to joining F5, MacVittie was an award-winning Senior Technology Editor at Network Computing Magazine, where she conducted product research and evaluation focused on integration with application and network architectures, and authored articles on a variety of topics aimed at IT professionals. Her most recent area of focus included SOA-related products and architectures. She holds a B.S. in Information and Computing Science from the University of Wisconsin at Green Bay, and an M.S. in Computer Science from Nova Southeastern University.

IoT & Smart Cities Stories
Digital Transformation: Preparing Cloud & IoT Security for the Age of Artificial Intelligence. As automation and artificial intelligence (AI) power solution development and delivery, many businesses need to build backend cloud capabilities. Well-poised organizations, marketing smart devices with AI and BlockChain capabilities prepare to refine compliance and regulatory capabilities in 2018. Volumes of health, financial, technical and privacy data, along with tightening compliance requirements by...
The deluge of IoT sensor data collected from connected devices and the powerful AI required to make that data actionable are giving rise to a hybrid ecosystem in which cloud, on-prem and edge processes become interweaved. Attendees will learn how emerging composable infrastructure solutions deliver the adaptive architecture needed to manage this new data reality. Machine learning algorithms can better anticipate data storms and automate resources to support surges, including fully scalable GPU-c...
To Really Work for Enterprises, MultiCloud Adoption Requires Far Better and Inclusive Cloud Monitoring and Cost Management … But How? Overwhelmingly, even as enterprises have adopted cloud computing and are expanding to multi-cloud computing, IT leaders remain concerned about how to monitor, manage and control costs across hybrid and multi-cloud deployments. It’s clear that traditional IT monitoring and management approaches, designed after all for on-premises data centers, are falling short in ...
DXWordEXPO New York 2018, colocated with CloudEXPO New York 2018 will be held November 11-13, 2018, in New York City and will bring together Cloud Computing, FinTech and Blockchain, Digital Transformation, Big Data, Internet of Things, DevOps, AI, Machine Learning and WebRTC to one location.
We are seeing a major migration of enterprises applications to the cloud. As cloud and business use of real time applications accelerate, legacy networks are no longer able to architecturally support cloud adoption and deliver the performance and security required by highly distributed enterprises. These outdated solutions have become more costly and complicated to implement, install, manage, and maintain.SD-WAN offers unlimited capabilities for accessing the benefits of the cloud and Internet. ...
Business professionals no longer wonder if they'll migrate to the cloud; it's now a matter of when. The cloud environment has proved to be a major force in transitioning to an agile business model that enables quick decisions and fast implementation that solidify customer relationships. And when the cloud is combined with the power of cognitive computing, it drives innovation and transformation that achieves astounding competitive advantage.
DXWorldEXPO LLC announced today that "IoT Now" was named media sponsor of CloudEXPO | DXWorldEXPO 2018 New York, which will take place on November 11-13, 2018 in New York City, NY. IoT Now explores the evolving opportunities and challenges facing CSPs, and it passes on some lessons learned from those who have taken the first steps in next-gen IoT services.
SYS-CON Events announced today that Silicon India has been named “Media Sponsor” of SYS-CON's 21st International Cloud Expo, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Published in Silicon Valley, Silicon India magazine is the premiere platform for CIOs to discuss their innovative enterprise solutions and allows IT vendors to learn about new solutions that can help grow their business.
In his general session at 19th Cloud Expo, Manish Dixit, VP of Product and Engineering at Dice, discussed how Dice leverages data insights and tools to help both tech professionals and recruiters better understand how skills relate to each other and which skills are in high demand using interactive visualizations and salary indicator tools to maximize earning potential. Manish Dixit is VP of Product and Engineering at Dice. As the leader of the Product, Engineering and Data Sciences team at D...
SYS-CON Events announced today that CrowdReviews.com has been named “Media Sponsor” of SYS-CON's 22nd International Cloud Expo, which will take place on June 5–7, 2018, at the Javits Center in New York City, NY. CrowdReviews.com is a transparent online platform for determining which products and services are the best based on the opinion of the crowd. The crowd consists of Internet users that have experienced products and services first-hand and have an interest in letting other potential buye...