The list of vulnerabilities that are collectively known as Shellshock keeps growing. Many parallels to Heartbleed have been widely noted, including the memorable names that distinguish them from a plain CVE identifier. And while we try to assess which has the bigger impact, there are a few key distinctions worth noting:
- Announcement/Patch cycle: While some members of the security community were notified under embargo, the general announcement for Heartbleed was concurrent with the availability of the OpenSSL patch. This meant that the announcement started a frenzied patch cycle, but for the most part, remedial activity was fairly focused. Shellshock, on the other hand, broke open without an upstream patch having been made available, and even when the patch was released, it was clear early on that it was insufficient, so the pervasive vulnerability persisted. This has been compounded by the series of other vulnerabilities that have been discovered in the days since.
- Stealth: Remember that the Heartbleed exploits, ranging from login credential theft to getting a server to cough up its private keys from memory, were achievable more or less silently, with no activity that would be noted or logged by the typical system. Shellshock is a classic remote exploit vulnerability. Whether it involves the host getting co-opted into a bot or a sneakier backdoor being planted, robust security practices provide some amount of coverage of that secondary activity. For this reason alone, Heartbleed remains the scarier vulnerability in my books.
- Surface Area: Heartbleed was a direct, frontal assault on OpenSSL. Shellshock affects a range of services with very little in common, other than the use of Bash. This will no doubt lead to an extended remediation cycle for Shellshock.
- Ease of Use: The number of exploitation techniques for Shellshock has proliferated over the last few days, and the first bot proof-of-concept code was published within hours of the vulnerability having been announced. Widespread familiarity with the utilities involved (Apache, Bash, etc.) has meant that there’s a lot of experimentation going on. Heartbleed exploits certainly evolved too, but the deviation from the original PoCs was limited.
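The stealth point above rests on the fact that a Shellshock attempt against a CGI host leaves the malformed function definition in the web server's access log, because the server copies request headers such as User-Agent and Referer into environment variables before handing them to Bash. The following added example (not code from the original post) shows what that coverage looks like in practice: it parses a few constructed lines in Apache "combined" log format and flags any request whose header fields carry the `() {` marker that vulnerable Bash versions treated as a function definition. The log lines, IP addresses and timestamps are made up for illustration.

```python
from __future__ import annotations
import re
from collections import Counter

# Constructed sample lines in Apache "combined" log format (not from the original post).
# The two trailing quoted fields are Referer and User-Agent.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo probe"
198.51.100.7 - - [25/Sep/2014:10:12:03 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2014:10:12:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() {:;}; echo probe" "curl/7.37.0"
"""

# Vulnerable Bash versions parsed any environment variable whose value began with "() {"
# as a function definition, so this prefix in a header field is the indicator to hunt for.
SHELLSHOCK_MARKER = re.compile(r"\(\)\s*\{")

# Field layout of the combined log format; a line that does not match is skipped.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def find_shellshock_attempts(log_text: str) -> list[dict]:
    """Return one record per log line whose request line, Referer or User-Agent
    carries the Shellshock function-definition marker."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        for field in ("request", "referer", "ua"):
            if SHELLSHOCK_MARKER.search(m.group(field)):
                hits.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "field": field,
                    "request": m.group("request"),
                    "value": m.group(field),
                })
                break  # one record per line is enough for triage
    return hits


def attempts_by_source(hits: list[dict]) -> dict[str, int]:
    """Aggregate flagged lines by source address, the usual first pivot in incident response."""
    return dict(Counter(h["ip"] for h in hits))


if __name__ == "__main__":
    found = find_shellshock_attempts(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["field"]}: {h["value"]!r} ({h["request"]})')
    print("by source:", attempts_by_source(found))
```

Run against a real access log the same way by reading the file into `find_shellshock_attempts`; the useful part of the output is not just that an attempt happened, but which CGI path and which source were involved, which is exactly the trail that Heartbleed never left.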
This isn’t meant to be a comprehensive list, but rather some of the differences in impact that are emerging even as we come to understand the full ramifications.