Heartbleed Was Bad, but Shellshock Was Worse, Researcher Says

At the OpenStack Summit, a researcher applied threat-modeling techniques to gauge the potential impact of a vulnerability.

Heartbleed vs. Shellshock

PARIS—At the OpenStack Summit here, a security researcher discussed the recent Heartbleed and Shellshock vulnerabilities and gave a score for the impact of each, based on a number of threat-modeling metrics.

Both the Heartbleed and Shellshock bugs were open-source flaws found in many Linux distributions, and both had the potential to impact OpenStack cloud users. Heartbleed is a flaw in the OpenSSL cryptographic library for secure transport, while Shellshock is a vulnerability in the Bash shell.

Threat modeling involves multiple techniques—each of which has its own acronym—to understand and quantify risk, explained Robert Clark, lead security architect at Hewlett-Packard Cloud Services.

The first threat-modeling acronym is STRIDE, or Spoofing identity, Tampering with data, Repudiation, Information disclosure, Denial of service and Elevation of privilege. All of those items are activities that attackers can attempt when exploiting an organization.

Another key threat-modeling acronym that Clark detailed is DREAD, which stands for Damage potential, Reproducibility, Exploitability, Affected users and Discoverability.

"DREAD is a simple scoring system," Clark said. "A low number doesn't matter that much, a high number matters a lot."
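As an added illustration of the two acronyms described above (this is example code, not anything Clark or HP presented), the helper below tags a vulnerability with its STRIDE categories, validates five DREAD component ratings, and computes a single DREAD score. It assumes, since the article does not say, that each component is rated 1 to 5 and the score is the mean of the five, which is consistent with the 4.1, 4.2 and 4.3 figures quoted later; the component ratings in the sample table are constructed for illustration and are not Clark's actual numbers.

```python
"""DREAD/STRIDE scoring helper (added example; assumptions noted inline)."""
from __future__ import annotations

from dataclasses import dataclass
from statistics import mean

# STRIDE: the six attack activities named in the article.
STRIDE = {
    "S": "Spoofing identity",
    "T": "Tampering with data",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# DREAD: the five components named in the article.
DREAD_FIELDS = (
    "damage",
    "reproducibility",
    "exploitability",
    "affected_users",
    "discoverability",
)

# Assumption (not stated in the article): each component is rated 1..5.
RATING_MIN, RATING_MAX = 1, 5
# Clark: anything more than 4 is considered very bad.
VERY_BAD_THRESHOLD = 4.0


@dataclass
class Threat:
    name: str
    stride: set[str]          # STRIDE letters that apply, e.g. {"I"}
    dread: dict[str, int]     # component -> rating

    def __post_init__(self) -> None:
        unknown = self.stride - STRIDE.keys()
        if unknown:
            raise ValueError(f"{self.name}: unknown STRIDE categories {sorted(unknown)}")
        missing = set(DREAD_FIELDS) - self.dread.keys()
        if missing:
            raise ValueError(f"{self.name}: missing DREAD components {sorted(missing)}")
        for field_name, rating in self.dread.items():
            if not RATING_MIN <= rating <= RATING_MAX:
                raise ValueError(f"{self.name}: {field_name}={rating} outside {RATING_MIN}..{RATING_MAX}")

    def dread_score(self) -> float:
        # Assumption: score is the arithmetic mean of the five components, one decimal.
        return round(mean(self.dread[f] for f in DREAD_FIELDS), 1)

    def severity(self) -> str:
        score = self.dread_score()
        if score > VERY_BAD_THRESHOLD:
            return "very bad"
        if score >= 3.0:
            return "serious"
        return "low"

    def stride_labels(self) -> list[str]:
        return [STRIDE[k] for k in sorted(self.stride)]


def rank_by_dread(threats: list[Threat]) -> list[Threat]:
    """Highest DREAD score first, so the worst flaw tops the remediation list."""
    return sorted(threats, key=lambda t: t.dread_score(), reverse=True)


# Constructed sample ratings (illustrative only; not Clark's component scores).
SAMPLE_THREATS = [
    Threat("Heartbleed (OpenSSL)", {"I"},
           dict(damage=3, reproducibility=5, exploitability=5, affected_users=4, discoverability=4)),
    Threat("Shellshock (Bash)", {"E", "T"},
           dict(damage=5, reproducibility=5, exploitability=4, affected_users=4, discoverability=4)),
    Threat("Xen XSA-108", {"I", "D"},
           dict(damage=5, reproducibility=4, exploitability=4, affected_users=5, discoverability=5)),
]


if __name__ == "__main__":
    for t in rank_by_dread(SAMPLE_THREATS):
        print(f"{t.dread_score():.1f}  {t.severity():9s} {t.name}: {', '.join(t.stride_labels())}")
```

The validation in `__post_init__` is the part worth keeping in a real threat register: a DREAD score is only comparable across findings when every component is present and on the same scale, and silently averaging a partial row is how a 4.x flaw ends up looking like a 2.x one.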

For the Heartbleed flaw, Clark noted that from a STRIDE perspective, there was the risk of information disclosure. From a DREAD perspective, he noted that the vulnerability was easily exploitable, discoverable and reproducible. Clark, who gave the Heartbleed vulnerability a 4.1, noted that anything more than 4 is considered very bad.

"Heartbleed caused a lot of headaches for a lot of people," Clark said.

However, the Shellshock flaw, which Clark gave a DREAD score of 4.2, was worse. As an example, a DHCP client could get bad information from a server that could potentially compromise an entire data center.

"The reason why it gets such a high DREAD score is it allowed an attacker to subvert the system itself," Clark said. "Heartbleed was terrible, but all it allowed an attacker to do is recover credentials and then interact with the system."

Additionally, Clark noted that with Shellshock it was very difficult for many organizations to properly identify what parts of the infrastructure were affected by the flaw. In contrast, Heartbleed was somewhat narrower, impacting SSL-related data transport.

Another flaw that Clark analyzed was XEN XSA-108, which is the Xen hypervisor flaw that caused Amazon, Rackspace and IBM to reboot their public clouds at the end of September.

Though XSA-108 did not receive a branded name such as Heartbleed or Shellshock, it had a greater impact, at least as rated by Clark's DREAD score. Clark gave XSA-108 a score of 4.3.

"XSA-108 could have allowed virtual guests to read each other's data and cause all sort of horribleness," Clark said. "As a cloud provider, this was your worst nightmare."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.