On Tue, Sep 30, 2014 at 07:40:34PM -0700, coderman wrote:
> On 9/30/14, Georgi Guninski <guninski@guninski.com> wrote:
> > ... I find this _much_ worse than the passive Heartbleed.
> > How much worse is the shellshock bash bug than Heartbleed?
>
> a simplistic "shellshock worse than heartbleed" is a mischaracterization of the situation.
>
> first, this presents a vulnerability without context, by itself. in the real world, we care about vulnerability with respect to exploitation. usually many vulnerabilities are leveraged together in exploitation of notoriety.
>
> in the sense of best practice and conservative security posture, heartbleed could be worse by far: a strongly keyed, defense-in-depth deployment surreptitiously bypassed via bleeding, e.g. bleed a UDP DTLS VPN to access the internal network, bleed intranet HTTPS for admin credentials to critical infrastructure services.
>
> the ability to send things to a bash shell, even a restricted shell, even one constrained behind application layers, was always seen as bad practice for security-conscious configurations: insiders get shell, not untrusted inputs.
>
> last but not least, this is all bullshit speculation; risk is a perspective, and shellshock or heartbleed is better or worse depending on what you're looking at.
>
> best regards,
>
> P.S. #langsec asked how long you earth humans will be exchanging risky bits with strangers. i channeled djb and bet on "Forever!". [c.f. http://cr.yp.to/talks/2014.07.10/slides-djb-20140710-a4.pdf "Making sure software stays insecure"]
Might be wrong, but I continue to disagree :) I suspect this is just the tip of the shellshock iceberg: http://www.theregister.co.uk/2014/09/30/openvpn_open_to_shellshock_researche... OpenVPN open to pre-auth (in certain configurations).

Btw, people scared by HB probably will get close to clinically paranoid if the next HB allows "write anywhere" ;)

{ :; } ;)
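The point coderman makes above (untrusted inputs should never reach a bash shell, only insiders should) and the `{ :; }` sign-off both refer to the same mechanism: a bash that imports function definitions from any environment variable whose value starts with `() {`, and runs whatever trails the closing brace. The script below is an added example, not code from this thread or from any of the people in it. It probes the bash on PATH for that behaviour locally (it is not a remote exploit and does not touch OpenVPN or any CGI gateway), then simulates a gateway that exports a constructed attacker-controlled header and shows the posture coderman describes: scrub the environment before any untrusted-facing process spawns a shell. The variable names (`BADVAR`, `HTTP_USER_AGENT`) and the helper function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not part of the thread). Probes whether the local bash still
# imports shell functions from arbitrary environment variables, the behaviour
# shellshock (CVE-2014-6271) abused, and contrasts a naive shell spawn with a
# scrubbed one.

# Returns 0 if the bash found on PATH executes trailing code from a
# function-shaped environment variable, 1 if it ignores it.
bash_imports_env_functions() {
    # BADVAR is an arbitrary (hypothetical) name; the value is the classic probe
    # shape. A patched bash prints only "probe"; a vulnerable one also prints VULN.
    local out
    out=$(env 'BADVAR=() { :; }; echo VULN' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *VULN*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Defensive pattern: spawn the child with an empty environment plus a fixed
# PATH, so nothing an untrusted caller controls reaches bash as a variable.
run_with_clean_env() {
    env -i PATH=/usr/bin:/bin bash -c "$1"
}

# Constructed attacker input, exported the way a CGI gateway exports request
# headers verbatim. On a patched bash this is just an odd-looking string.
HTTP_USER_AGENT='() { :; }; echo VULN'
export HTTP_USER_AGENT

# Prints "leaked" if a naively spawned bash child can see the untrusted
# variable, "absent" otherwise.
naive_child_sees_header() {
    if bash -c 'printenv HTTP_USER_AGENT' >/dev/null 2>&1; then
        echo leaked
    else
        echo absent
    fi
}

# Prints "scrubbed" if the env -i path keeps the variable out of the child,
# "leaked" otherwise.
clean_child_sees_header() {
    if run_with_clean_env 'printenv HTTP_USER_AGENT' >/dev/null 2>&1; then
        echo leaked
    else
        echo scrubbed
    fi
}

# Stand-alone report.
if bash_imports_env_functions; then
    echo "bash on PATH imports functions from arbitrary env vars (shellshock-era behaviour)"
else
    echo "bash on PATH ignores function-shaped env vars"
fi
echo "naive child: $(naive_child_sees_header); scrubbed child: $(clean_child_sees_header)"
```

The probe only detects the original CVE-2014-6271 parsing behaviour; the follow-up parser bugs reported in the days after it need their own probes. The `env -i` pattern is the practical takeaway regardless of patch level: a gateway that must run a shell should hand it a fixed, minimal environment rather than whatever the request carried.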