Dailydave mailing list archives
Re: Soap and showers
From: Ron Gula <rgula () tenable com>
Date: Fri, 26 Sep 2014 23:13:28 +0000
Machines that invoke bash from httpd pose a risk. Same thing goes for machines that have had a core dump of bash in the last few days. You can get that sort of data from a variety of methods, but in organizations where the scanner team doesn’t know the SIM/logging team, good luck.

I also find a strong correlation in security teams that were looking for a single non-credentialed “heartbleed” style check for this vulnerability and a lack of ability to get the creds to perform the scan or get the logs from the SIM guys.

Ron Gula | CEO
Tenable Network Security
rgula () tenable com

On September 26, 2014 at 2:52:51 PM, Dave Aitel (dave () immunityinc com) wrote:

So most of the bash bug solutions I've seen/talked to people about look at "Vulnerability Management" as just that: essentially an extension to your patching program. But in this case, nearly every machine is vulnerable. However, almost NO machines pose a real risk. Everyone has soap in their shower, and yet so few people slip to their death in the morning!

This weird dichotomy between things that are vulnerable, and things that are at risk, is a real problem with the bash bug and right now it's being solved with consulting hours for most people. How do you go to the SEC and say "90% of our infrastructure is vulnerable"? Answer: You don't. Your Vulnerability Management tools are worthless right now.

An authenticated or credentialed scan with a Vulnerability Management tool has always had this issue. Nobody knows whether they are in fact at risk for any issue found with that scan! Perhaps your AV protects you? Perhaps that port is blacklisted with the HIDS and nobody can touch it. But the bash bug really highlights this in a way that drives it home to executives, we've found.

Basically, with external anonymous scanning you have a high false positive rate. That's bad. But with credentialed scanning, you have no false positives, but also a very low confidence that the results are meaningful. This is even worse, in some cases. ("Oh you wanted vulnerabilities that MATTERED? That's Risk Management, and it's extra!")

Such a strange thing.

-dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave