One year ago, a new vulnerability (CVE-2014-6271) affecting the Bourne Again Shell (Bash) was announced and given the moniker “Shellshock.” Despite the initial concerns that this vulnerability could lead to widespread attacks and compromises, there were no “Conficker-type” attacks. But it would be a mistake to conclude that “Shellshock” was just marketing hype. A look at the data after one year shows that Shellshock was indeed a serious vulnerability and has been under active attack. It may be easy and attractive to dismiss neatly packaged and marketed vulnerabilities as hype when broad attacks fail to materialize, but we do so at our own risk.
When Shellshock was disclosed a year ago, it was called potentially bigger than Heartbleed, the major OpenSSL vulnerability disclosed a few months earlier in April 2014. From a technical point of view, Shellshock WAS bigger than Heartbleed: the scope of affected systems for Shellshock was bigger. Heartbleed only affected systems using OpenSSL, whereas Shellshock affected any system with bash installed. In terms of the number of potential victims, Shellshock was bigger than Heartbleed.
But in the weeks and months that followed the disclosure of the vulnerability and the release of patches, no major outbreaks occurred. There were definitely attacks, as our researchers outlined. But there weren’t attacks on par with something like Conficker.
Indeed, Shellshock pretty much dropped off everyone’s radar by November 2014: no major attacks and no major developments in the story.
So, does that mean we were wrong and it wasn’t that big a threat?
No, it doesn’t.
First, by objective vulnerability analysis criteria, Shellshock was literally at the top of the scale for severity. Under the CVSS v2 score, Shellshock was rated at 10.0, the top of the scale. By contrast, Heartbleed was rated at 5.0. Scoring vulnerabilities is notoriously hard, but 10.0 is clear: by the technical criteria this was a major vulnerability and worse than Heartbleed.
Second, when we talk about vulnerabilities we’re talking about the potential for attacks. Anyone who has spent time in the world of vulnerabilities and attacks can tell you that there’s not a direct 1:1 correlation between the severity of a vulnerability and the severity of attacks against it. Sometimes there have been major attacks against relatively minor vulnerabilities while major vulnerabilities go untouched. Just because a threat is unrealized doesn’t mean the threat’s not there.
Finally, responding to vulnerabilities is tricky because when there’s a major threat, if you do your job right, nothing bad happens. In a way, success can inherently breed suspicion about the entire process: if nothing bad happened, how can I be sure the exercise actually prevented anything? This is one reason why, over time, attackers are much more successful using old, not-well-publicized vulnerabilities for their attacks: administrators are less likely to know about them and so less likely to patch them.
But the question of whether we were wrong is answered most of all by the data our researchers have shown today in the current blog, “One Year After Shellshock, Are Your Servers and Devices Safer?” There HAVE been attacks against Shellshock over the past year. They’re just not broad attacks. But the attacks are out there and if you’re the victim of an attack, it doesn’t matter if anyone else is affected or not: you’re affected and that’s all that matters. It’s also worth noting that attacks likely haven’t been in the news much because our analysis shows that North America only accounts for less than 14% of successful Shellshock attacks after a year. Since the US is disproportionately spared from Shellshock attacks, it makes sense these wouldn’t be in the news here.
One year later, with seemingly few systems hit by attacks against the Shellshock vulnerability, it’s easy to dismiss the situation as a non-event, the warnings as hype, and vow “won’t get fooled again.” Indeed, it’s tempting to cite the story of the “boy who cried wolf” to those of us in security. But while that story has important lessons, they don’t apply here. Vulnerability handling is like paying for insurance: you do it in the hope that nothing bad happens, whether as a result of it or in spite of it. We shouldn’t let the success of the Shellshock response lull us into complacency, only for the next major vulnerability to see broad attacks. That would be taking the wrong lesson from this event one year later.
Please add your thoughts in the comments below or follow me on Twitter: @ChristopherBudd.