Shellshock BASH vulnerability – our take

2nd October 2014

The hot news of the last few days has been the discovery of a major vulnerability in the BASH command shell. The BASH shell is hugely prevalent and is used on a massive number of operating systems and devices. Pretty much all flavours of Linux, Android, Mac OSX and numerous other systems use BASH.

So, how serious is this discovered vulnerability? In one word, massively. In two words, worrying massively. The issue that has been uncovered basically allows an attacker to run commands remotely on the affected device and potentially get it to do anything they like. For example – restart, format a hard disk, copy some files to an external server. All very, very, very bad news.
In this manner, it is actually worse than the well documented Heartbleed issues of a few months ago. Whilst Heartbleed was also extremely serious, the issue it caused allowed data on the impacted device to be read, not commands to be run. Shellshock, in this regard, is pretty much as bad as it gets.

The Shellshock issue reaches new levels of seriousness because of the wide variety of platforms that utilise BASH. Web servers. Infrastructure devices like routers, switches and firewalls. Other platforms that make use of Linux operating systems, including telephony servers. Everybody will have at least one device that is potentially vulnerable. Many large customers will have hundreds or thousands.

So what do we do about it? The simple answer is to patch the impacted systems with fixed software. However, this is only half the story. In many instances equipment vendors provide customised versions of operating systems, and customers will have to wait for them to provide patches. It is, however, 100 percent certain that a lot of equipment out there is end of support and vendors will not provide updated software for it.

It is, however, worth pointing out a few additional things at this stage. The vast majority of infrastructure devices require authentication before scripts or commands can be run through either their embedded web servers or direct SSH access. This means that to successfully exploit this vulnerability the attacker must already have valid credentials on the device. In many situations a device will only have a single userid / password for administration – so the attacker must have those account details. If they have them, they already have full control of the device regardless of this issue, so Shellshock is not massively relevant there.

Further, most devices are (or should be) behind a firewall. This means that direct access to them from the Internet is not possible. Again, this mitigates the seriousness of the situation to some degree for some people.

Where Shellshock is a massive issue is for public facing web sites. Any web site running on a Linux platform with a vulnerable version of BASH needs to be patched immediately. Exploits of the Shellshock issue are already being observed on the public Internet. Whilst in many cases these are just scans to see if systems are vulnerable, and not actively malicious, it is only a matter of time before this changes. Any other systems (e.g. web cameras, mail servers) that are directly accessible from the Internet should be analysed to see if they are vulnerable, and if so patched.

Shellshock is extremely serious, and it will impact all of us. We all need to look at the systems we are running to see if they are vulnerable and mitigate this issue if they are. The only real solution is to fix the faulty software; however, as we have discussed, there are some other mitigation considerations that should be looked at. Ignoring it is not an option.
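
One way to check whether the BASH on a given host is affected, as an added illustration and not code from the original post: the script below (the function name `shellshock_status` is our own choice) exports an environment variable shaped like a function definition with a trailing command and checks whether the installed BASH runs that trailing command when it starts. A fixed BASH ignores it, an unfixed one executes it. Run it on each Linux or Mac OSX system you administer, in particular public facing web servers.

```shell
#!/bin/sh
# Local Shellshock self-check (added example, not from the original post).
# Exit status: 0 = bash is patched, 1 = bash is vulnerable, 2 = no bash found.
# It only exercises the bash binary on the host it runs on.

shellshock_status() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no bash installed on this host"
        return 2
    fi

    # 'probe' is a constructed variable name. Its value looks like an exported
    # function definition followed by an extra command. An unfixed bash imports
    # the function and also runs the extra command while starting up, so the
    # word VULNERABLE shows up in the output. A fixed bash only prints "done".
    out=$(env probe='() { :;}; echo VULNERABLE' bash -c 'echo done' 2>/dev/null)

    case "$out" in
        *VULNERABLE*)
            echo "bash is VULNERABLE to Shellshock: patch this host now"
            return 1
            ;;
        *)
            echo "bash is patched against the function-import issue"
            return 0
            ;;
    esac
}

# Run the check when executed directly (skipped when sourced into another script).
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    shellshock_status
fi
```

Add the script to your patch verification steps so that a host is only marked as fixed once the check returns 0.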

Barry Hesk

Cisco Communications Manager 8.6 Licenses End of Sale

A few weeks ago, buried in a slew of other end of sale announcements from Cisco was the end of Communications Manager (CUCM) 8.6 licenses. No big deal right? After all, CUCM 9 and CUCM 10 are now out in the field and are being used for new deployments.

Actually, yes, it is a big deal and is going to result in a load more disappointed and disillusioned Cisco customers. Some of them will abandon the good ship Cisco for good.

There are numerous older deployments of CUCM (version 7.1 through 8.6) out there, and they are working perfectly well. Once the CUCM 8.6 licenses are no longer available (January 2015), customers will not be able to add new users to these systems – unless they upgrade to a newer version first. If customers haven’t kept on top of their horrifically complicated and expensive UCSS and ESW entitlements, this means they will need to pay for these upgrades. Through the nose. This could result in bills of tens of thousands of pounds / dollars just to add a few users.

I suspect a lot of customers won’t bother and this will provide yet more acceleration in the number of enterprises abandoning Cisco for telephony and moving in the direction of Lync. After all, if Cisco are going to force you to do an upgrade you don’t want to do, wouldn’t you consider alternatives?

Cisco just don’t get it. They just don’t listen. They just don’t learn from their mistakes. The issues with licensing on their UC products are entirely of their own making, and as usual, it’s their customers and partners that bear the brunt of it. When the highlights of a new major release are a new licensing model you know that something has gone badly wrong somewhere down the line. Is it technically impossible for Cisco to come up with a licensing mechanism that is backwards compatible with older versions?

We fully understand why CUCM 8.6 licensing would be end of sale for new deployments. We totally get that, and we haven’t been deploying 8.6 for well over a year. But to end-of-sale older license versions just because you want to force your customers to upgrade their systems is commercial suicide.

Sadly, none of this is surprising. It’s happened before. We had a client with MeetingPlace Express 2.1 and they were totally happy with it. They wanted to add more licenses which would have cost about 2.5K USD. Cisco’s response “oh no, you can’t do that – those licenses are end of sale. You need to upgrade to full blown MeetingPlace”. The cost – over 30k USD. Customer deployed Lync conferencing instead. They’ve now removed CUCM.

It’s licenses we’re talking about here. Nothing physical. No hardware. It’s just having the ability to generate a license key for an older version of software. Why do they feel the urge to end of sale them? Of course, they make significant amounts of money forcing customers to upgrade.

To repeat. Cisco just don’t get it. They just don’t listen. They just don’t learn from their mistakes.

Barry Hesk

Is the BYOD revolution over?

26th June 2014

Two to three years ago, Bring Your Own Device (BYOD) was THE hot topic. IT Managers were giving in to their users’ clamours to use their own devices at work. On many occasions this was the result of Execs wanting to use their iPads and iPhones at work.

All of a sudden a BYOD policy was required to allow all users to use their own devices. FDs thought it would decrease costs – as the company would no longer have to fork out on mobile devices for the employees.

Overlay technology rapidly sprung up to attempt to provide the degrees of control that legacy products such as, cough, Blackberry had delivered. None of these came cheap. Not all of them worked very well. Problems of data security, and data loss prevention started to rear their ugly heads – users were storing sensitive company data on their personal devices.

Slowly, but surely, conversations with our clients have uncovered that the tide seems to be turning. The assumption that a business NEEDS a BYOD policy is no longer automatic. The cost saving myth has been torpedoed. By the time overlay management products and solutions are implemented, the numbers just don’t really look attractive. The security issues are a headache. Users started losing devices with company data on them – and remotely wiping a user’s iPhone is not something that a business can automatically mandate.

As with all things in IT, sooner or later, the wheel turns full circle. Blackberry won’t be back any time soon (if ever), but users having to use company issued devices looks like it is coming back round again.