Heartbleed Was Bad, but Shellshock Was Worse, Researcher Says
At the OpenStack Summit, a researcher applied threat-modeling techniques to gauge the potential impact of a vulnerability.

PARIS—At the OpenStack Summit here, a security researcher discussed the recent Heartbleed and Shellshock vulnerabilities and gave a score for the impact of each, based on a number of threat-modeling metrics. Both Heartbleed and Shellshock were flaws in open-source components shipped in many Linux distributions, and both had the potential to impact OpenStack cloud users. Heartbleed is a flaw in the OpenSSL cryptographic library used for secure transport, while Shellshock is a vulnerability in the Bash shell.

Threat modeling involves multiple techniques, each with its own acronym, to understand and quantify risk, explained Robert Clark, lead security architect at Hewlett-Packard Cloud Services. The first threat-modeling acronym is STRIDE: Spoofing identity, Tampering with data, Repudiation, Information disclosure, Denial of service and Elevation of privilege. Each of those items is an outcome an attacker can attempt to achieve when exploiting an organization.
Another key threat-modeling acronym that Clark detailed is DREAD, which stands for Damage potential, Reproducibility, Exploitability, Affected users and Discoverability. Each of the five factors is rated separately, and the ratings are combined into a single score that can be used to compare one flaw against another.
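As an added illustration of the STRIDE and DREAD vocabulary above (this is not code from the article or from Clark's talk), the following Python sketch tags each finding with the STRIDE outcomes it enables, rates the five DREAD factors, and ranks findings by score. Everything about the scoring is an assumption: the article does not say what scale or weighting Clark used, so the example uses a 1 to 5 scale and a plain average, and the three sample findings carry placeholder ratings chosen to illustrate the mechanism, not the values from the talk.

```python
# Added illustration of STRIDE tagging and DREAD scoring. Not Robert Clark's tool:
# the scale, the weighting (plain average) and every rating below are assumptions.
from dataclasses import dataclass
from typing import Iterable, List

# STRIDE: what an attacker may attempt; used here as one-letter tags on a finding.
STRIDE = {
    "S": "Spoofing identity",
    "T": "Tampering with data",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# DREAD: the five factors that are each rated and then combined into one score.
DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")

# ASSUMPTION: a 1..5 rating scale; the article does not state the scale Clark used.
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass(frozen=True)
class Finding:
    name: str
    stride: str          # one letter per STRIDE category, e.g. "IE"
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self) -> None:
        # Reject out-of-scale ratings and unknown STRIDE letters up front,
        # so a typo cannot silently shift a ranking.
        for factor in DREAD_FACTORS:
            value = getattr(self, factor)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(
                    f"{self.name}: {factor}={value} not in {SCALE_MIN}..{SCALE_MAX}")
        unknown = set(self.stride) - set(STRIDE)
        if unknown:
            raise ValueError(f"{self.name}: unknown STRIDE letters {sorted(unknown)}")

    def dread_score(self) -> float:
        # ASSUMPTION: unweighted mean of the five factors, rounded to one decimal.
        total = sum(getattr(self, factor) for factor in DREAD_FACTORS)
        return round(total / len(DREAD_FACTORS), 1)

    def stride_categories(self) -> List[str]:
        return [STRIDE[letter] for letter in self.stride]


def rank_by_dread(findings: Iterable[Finding]) -> List[Finding]:
    """Highest DREAD score first; ties broken by name for a stable, reviewable order."""
    return sorted(findings, key=lambda f: (-f.dread_score(), f.name))


def report(findings: Iterable[Finding]) -> List[str]:
    """One line per finding, highest score first: score, name, STRIDE categories."""
    return [f"{f.dread_score():.1f}  {f.name}  [{', '.join(f.stride_categories())}]"
            for f in rank_by_dread(findings)]


# Constructed sample: three findings modelled on the flaws the article mentions.
# The ratings are illustrative placeholders, NOT the values from the talk.
HEARTBLEED_LIKE = Finding("TLS heartbeat memory disclosure (Heartbleed-like)", "I",
                          damage=4, reproducibility=5, exploitability=5,
                          affected_users=4, discoverability=4)
SHELLSHOCK_LIKE = Finding("shell function injection via environment (Shellshock-like)", "E",
                          damage=5, reproducibility=5, exploitability=4,
                          affected_users=5, discoverability=4)
XSA108_LIKE = Finding("hypervisor cross-guest memory read (XSA-108-like)", "I",
                      damage=5, reproducibility=5, exploitability=4,
                      affected_users=5, discoverability=5)
SAMPLE_FINDINGS = (HEARTBLEED_LIKE, SHELLSHOCK_LIKE, XSA108_LIKE)


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_FINDINGS)))
```

The point of the validation in `__post_init__` is that DREAD numbers are only comparable when every finding was rated on the same scale; the practical failure mode is a team mixing 1 to 5 and 1 to 10 ratings and then ranking the results.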
Additionally, Clark noted that with Shellshock it was very difficult for many organizations to properly identify which parts of their infrastructure were affected by the flaw, because Bash is invoked from so many places. In contrast, Heartbleed was somewhat narrower, affecting SSL-related data transport.

Another flaw that Clark analyzed was Xen XSA-108, the Xen hypervisor flaw that caused Amazon, Rackspace and IBM to reboot hosts in their public clouds at the end of September. Though XSA-108 never received a branded name the way Heartbleed and Shellshock did, it had a greater impact, at least as rated by Clark's DREAD score: Clark gave XSA-108 a score of 4.3. "XSA-108 could have allowed virtual guests to read each other's data and cause all sorts of horribleness," Clark said. "As a cloud provider, this was your worst nightmare."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.