Mu [was: How much worse is the Shellshock bash bug than Heartbleed?]

Georgi Guninski guninski at guninski.com
Wed Oct 1 06:41:57 PDT 2014


On Tue, Sep 30, 2014 at 07:40:34PM -0700, coderman wrote:
> On 9/30/14, Georgi Guninski <guninski at guninski.com> wrote:
> > ...
> > I find this _much_ worse than the passive Heartbleed.
> >
> > How much worse is the shellshock bash bug than Heartbleed?
> 
> 
> a simplistic "shellshock worse than heartbleed" is a
> mis-characterization of the situation.
> 
> first, this presents a vulnerability without context, by itself. in
> the real world, we care about vulnerability with respect to
> exploitation. usually many vulnerabilities are leveraged together in
> exploitation of notoriety.
> 
> in the sense of best practice and conservative security posture,
> heartbleed could be worse by far. a strongly keyed, defense in depth
> surreptitiously bypassed via bleeding. e.g. bleed UDP DTLS VPN to
> access internal network, bleed intranet HTTPS for admin credentials to
> critical infrastructure services.
> 
> the ability to send things to a bash shell, even restricted shell,
> even constrained behind application layers, was always seen as bad
> practice for security conscious configurations - insiders get shell,
> not untrusted inputs.
> 
> last but not least, this is all bullshit speculation; risk is a
> perspective and shellshock or heartbleed is better or worse depending
> on what you're looking at.
> 
> best regards,
> 
> 
> P.S. #langsec asked how long you earth humans will be exchanging risky
> bits with strangers.  i channeled djb and bet on "Forever!". [c.f.
> http://cr.yp.to/talks/2014.07.10/slides-djb-20140710-a4.pdf "Making
> sure software stays insecure"]

Might be wrong, but continue to disagree :)

Suspect this is just the top of the shellshock iceberg:
http://www.theregister.co.uk/2014/09/30/openvpn_open_to_shellshock_researcher/
OpenVPN open to pre-auth (in certain configurations).

Btw, people scared by HB probably will get close to clinically 
paranoid if the next HB allows "write anywhere" ;) { :; } ;)
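As an added illustration of the bug the thread is arguing about (this is example code, not part of the original exchange): the classic Shellshock probe plants a bash function definition in an arbitrary environment variable and sees whether bash executes the trailing command while importing its environment. The variable is named `username` only to mirror the OpenVPN `auth-user-pass-verify ... via-env` configuration Georgi points at, where client-supplied credentials are exported into a script's environment before authentication completes; the name and payload are assumptions for the demo. The second function is the defensive counterpart: a wrapper-side scan that refuses to pass along any environment value shaped like a function definition. It assumes a POSIX `sh` with `env` and `sed`, and a `bash` binary if one is installed.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread).
# CVE-2014-6271 in one line: bash imported "() { ...; }" function bodies
# from ANY environment variable and executed whatever followed the closing
# brace. Anything that exports attacker-controlled strings into a bash
# script's environment (CGI headers, OpenVPN via-env credentials, ...) was
# therefore a pre-auth code-execution vector.

# Prints exactly one word (vulnerable | patched | no-bash) and always
# returns 0, so it is safe inside $(...) under "set -e".
check_shellshock() {
    if ! command -v bash >/dev/null 2>&1; then
        echo no-bash
        return 0
    fi
    # "username" stands in for an OpenVPN via-env variable (assumption).
    # A vulnerable bash prints SHELLSHOCK while importing the environment,
    # before ever running the -c command; a patched bash prints only "test".
    out=$(env username='() { :; }; echo SHELLSHOCK' bash -c 'echo test' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK*) echo vulnerable ;;
        *)            echo patched ;;
    esac
    return 0
}

# Mitigation-side check for a wrapper that launches scripts: list the names
# of environment variables whose value begins with "() {", the shape the
# old bash importer treated as a function. Returns 1 if any are present
# (caller should refuse to exec), 0 if the environment is clean.
scan_env_for_function_defs() {
    names=$(env | sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=() {.*/\1/p')
    if [ -n "$names" ]; then
        printf '%s\n' "$names"
        return 1
    fi
    return 0
}

# Stand-alone usage: report the local bash's status.
check_shellshock
```

On any bash shipped after the September 2014 fixes (which import functions only from specially named `BASH_FUNC_*` variables) the probe prints `patched`; the scan is still useful in front of scripts run by older or unknown shells, since it rejects the payload shape regardless of which variable carries it.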
