[Dailydave] Soap and showers

Ron Gula rgula at tenable.com
Fri Sep 26 19:13:28 EDT 2014

Machines that invoke bash from httpd pose a risk. Same thing goes for
machines that have had a core dump of bash in the last few days.  You
can get that sort of data from a variety of methods, but in organizations
where the scanner team doesn’t know the SIM/logging team, good luck.

I also find a strong correlation in security teams that were looking for
a single non-credentialed “heartbleed” style check for this vulnerability
and a lack of ability to get the creds to perform the scan or get the
logs from the SIM guys.

Ron Gula | CEO
Tenable Network Security
rgula at tenable.com

On September 26, 2014 at 2:52:51 PM, Dave Aitel (dave at immunityinc.com<mailto:dave at immunityinc.com>) wrote:

So most of the bash bug solutions I've seen/talked to people about look
at "Vulnerability Management" as just that: essentially an extension to
your patching program. But in this case, nearly every machine is
vulnerable. However, almost NO machines pose a real risk. Everyone has
soap in their shower, and yet so few people slip to their death in the

This weird dichotomy between things that are vulnerable, and things that
are at risk, is a real problem with the bash bug and right now it's
being solved with consulting hours for most people. How do you go to the
SEC and say "90% of our infrastructure is vulnerable"? Answer: You
don't. Your Vulnerability Management tools is worthless right now.

An authenticated or credentialed scan with a Vulnerability Management
tool has always had this issue. Nobody knows whether they are in fact at
risk for any issue found with that scan! Perhaps your AV protects you?
Perhaps that port is blacklisted with the HIDS and nobody can touch it.
But the bash bug really highlights this in a way that drives it home to
executives, we've found.

Basically, with external anonymous scanning you have a high false
positive rate. That's bad. But with credentialed scanning, you have no
false positives, but also a very low confidence that the results are
meaningful. This is even worse, in some cases. ("Oh you wanted
vulnerabilities that MATTERED? That's Risk Management, and it's extra!")

Such a strange thing.


Dailydave mailing list
Dailydave at lists.immunityinc.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/dailydave/attachments/20140926/a69a386f/attachment.html>

More information about the Dailydave mailing list