I was Shellshocked last week.
Ever since the announcement of the Shellshock vulnerability (also known as the Bash vulnerability) in late September, I have been very busy. As you’re probably aware, the Shellshock vulnerability is prevalent in systems that are based on the Linux operating system.
Unfortunately for those of us that have to deal with the vulnerability, the Linux operating system is used in lots of devices that we don’t normally think of as computers, so they don’t fall into a normal patching routine. I suppose it’s so widely used because it’s free, making it attractive as a platform for vendors to use when they set out to create a new product, from toasters to cars. But for many of those products, the Linux operating system is way more complex than what they really need. On my network, I found it in network devices, load balancers and even a couple of my favorite security products. And one of those was my firewall!
I also found the Shellshock vulnerability in my building’s door access-control system (and that’s the same building access-control system I recently wrote about that was hooked up to an old PC running its management software). It’s connected to the network, but it’s not part of the normal computing infrastructure, so it is just as vulnerable to Shellshock as anything else. For this and other specialized devices, I’ve had to reach out to the vendors to obtain firmware updates. I’ve been successful at getting updates from most of my company’s vendors, so my team has been busy applying updates. Trouble is, some of the devices I had to update were not well supported by the vendor, because they’re not the kinds of things you would normally think of applying updates to. That door controller, for instance, is a simple device that translates inputs from our badge readers to the access-control system, and back to the door locks. That’s not something we normally mess around with.
I hate to think what malicious attackers could do if they exploited the Shellshock, or any vulnerability, on these door controllers. For example, could they lock people into their offices? Or could they monitor the movements of our staff? Maybe even unlock the doors so they could sneak in the building at night and steal from my company?
Not a good time
There’s never a good time to drop everything and deal with a new security vulnerability, of course. Still, this is a particularly bad time for something like this to come up. I’m right in the middle of several major projects, while trying to find time to plan for next year’s budget, and dealing every day with a threat landscape that seems to force my firewall to block more attacks than ever (as I recently wrote about).
But what really worries me is that it seems as if the pace at which major, pervasive vulnerabilities like Shellshock and Heartbleed are discovered seems to be increasing, along with the severity of those vulnerabilities. Am I going to have to expect to drop everything, every couple of months, to fix some new major vulnerability? If so, I’m going to need more staff, resources and budget.
We live in interesting times. I’m starting to understand how that can be a curse.
This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.
To join in the discussions about security, click here.