02 October 2014
Cloudburst - the Shellshock Edition
By now many of you will have heard of the Shellshock vulnerability
exposed last week. Attempts to exploit the vulnerability are occurring
across most of the Internet. This vulnerability is of such a scale,
and of such an impact, and so easy to exploit, we'd like to dedicate
this edition of Cloudburst just to Shellshock.
There's a lot we need to cover:
- What is Shellshock? How do I protect against it? We're a Windows
shop so we're safe - not! - a detailed list of links providing you
with the context of the vulnerability and how to proceed
- Shellshock's impact on Studentnet - a detailed description of what
we observed in our operations and what it meant for us
- How Studentnet has responded - Improved security at Studentnet -
details on how we are adjusting our services to tighten security and
reduce exposure to further attack
What is Shellshock? How do I protect against it? We're a Windows shop
so we're safe - not!
The existence of the BASH vulnerability (now referred to as
"Shellshock") was revealed to the world on Wednesday September 24 by
Stephen Schazelas. The vulnerability was immediately notable for three
- It is extremely easy to exploit - no special access is required.
For instance a simple web HTTP request is sufficient to carry the
exploit. Moreover the syntax is extremely simple and the amount of
code is minimal
- The population of vulnerable systems is enormous - BASH is
everywhere and in everything from major servers, to desktops, to
mobile devices, to consumer grade network devices. The vulnerable
code has been in existence for over 20 years without being
previously detected - plenty of time to be spread far and wide. Plus
the exploit can be carried not just by HTTP but also by DHCP. So if
you have a network device (think wi-fi access point) distributing
DHCP in your network (and who doesn't?) then you could be open to
exploit. This is why even Windows shops are not safe.
- It is very *powerful* - simply put the scary phrase /"remote code
execution"/ is now possible. This can act as a stepping stone to
complete control of a system and hence the network.
As Studentnet learnt of Shellshock, we started maintaining a list of
references to aid in protecting ourselves. We are pleased to make that
reference available to our client community at
Finally, we should note that Shellshock is now a concern for all of
your organisation including principals and business managers. It is no
longer just a concern for the technical community. For instance the
Australian Privacy Commissioner has announced that businesses that do
not guard against Shellshock are in breach of the /Australian Privacy
Shellshock's impact on Studentnet
Studentnet first observed Shellshock on Thursday morning although at
the time we did not recognise it as being the BASH vulnerability. By
Friday morning we had compiled an inventory of vulnerable systems and
proceeded to patch our systems with the initial patch that was
Unfortunately the initial patch available to us on that Friday was not
100% watertight and itself was exploitable. Systems that we patched on
Friday were going to be vulnerable over the weekend.
At that point, we made the decision that it was too great a risk to
leave our most vulnerable system, being our shared web hosting server,
open and exploitable over the weekend whilst we waited for an improved
patch. Accordingly we shut down the shared web hosting server until a
better patch was available, hoping that this would be the case by
This meant that some school web sites were not available for the
weekend of September 27 and 28. Studentnet apologises for that outage
- in the circumstance we believed it to be the safest and most prudent
course of action.
Fortunately an improved patch became available by Monday September 29.
However even this patch is not completely secure. Instead of just
patching our system, Studentnet took the decision on Monday to rebuild
our most vulnerable systems from scratch. Only after we completely
rebuilt our systems did we bring our shared web hosting server back
online. By Monday afternoon all school web sites were back online.
Even today, Thursday October 2, the current level of
patches available from vendors are known to be NOT completely secured
against Shellshock, see
If you have any questions regarding this sequence of events please
feel free to contact us immediately.
How Studentnet has responded - Improved security at Studentnet
Studentnet believes that the Shellshock incident has only just begun.
It will take months, even possibly years, for this incident to
completely play out. Some people are referring to the Internet as now
being fundamentally broken. That view is probably too extreme but it
emphasises the need for us (collectively everybody) to improve our
With the words of the Australian Privacy Commissioner ringing loudly
in our ears and in the best interests of all of our school clients,
Studentnet is responding to the need for more accountable security by
tightening all access to our systems. Our first step is to introduce
the following rules to gain access to any of our systems:
- access will only be available from a fixed IP address - eliminates
the need to maintain open rules in our firewall
- authentication for access must be via key based mechanisms - reduces
possibility of brute force attacks to gain access
- file transfers to and from our systems will only be permitted via
SSH based mechanisms (eg SFTP, WinSCP etc) - enforces encrypted
These new disciplines will have greatest impact on the developers and
maintainers of your web site. Please ask them to contact
email@example.com to make arrangements appropriate to your
Studentnet believe the best way forward is to continue to partner
with our school clients to deliver the best possible outcome. We want
to ensure that the lines of communication are open. We want to work
with you to deliver pragmatic reliable service for all of our
products. The steps we have outlined above are a step forward to
improve security which we believe is the foundation for the delivery
of certainty and continuity.
Please feel free to contact us at any time to discuss how we can
accommodate your requirements and to explore options.
The Studentnet Team
ABN 90 001 966 892
Suite 1, 89 Jones St, Ultimo NSW 2007, Australia
Tel +61 2 9281 1626
NOC +61 2 9281 3905
Highly Commended: IPv6 - ANZIA Awards 2012