What is something I learned this week?
I spent some time preparing for a Security presentation with Google, Palo Alto Networks, and Proofpoint. I had an opportunity to focus on cloud security, which was interesting to review and prepare for. One concept I came up with was just how simple it is to create a virtual machine instance in one of the cloud providers that comes pre-loaded with a stack of software. For example, a very popular organization called Bitnami will prepare packages that will include a bundle of components designed for a specific purpose such as an Apache Web Server. It occurred to me that if you are not careful, you could have people in an organization using these pre-bundled operating systems to deploy a variety of open source tools.
All of these tools, and software components require patching as very frequently exploits will be found that can expose the operating system to privilege escalation type of attacks. Now, this may not be a problem if the attack only exposes that particular operating system and there is really nothing to protect. For example, a test web server for some new application being developed. I think the challenge is that test servers can sometimes quickly become production servers and might have sensitive information being transferred through them, temporarily stored on them and potentially have access to other production machines. With the proliferation of this type of machine created to rapidly improve development times is certainly a main attraction point to the cloud. I created a blog site on Amazon and it only took me about 12 minutes to do! Certainly a big improvement over my previous experiences with web server deployments!
However with speed and simplicity comes risk, and that is certainly true. I spent a few hours looking for examples of security breaches that have come from these types of privilege escalation using exploits from open source components. On a hunch, I started searching for examples of breaches that have occurred in relation to Apache, Java, or some type of PHP framework. My search very quickly came to the Apache Software Foundation security issue related to Struts calledÂ CVE-2017-5638. This is famous because this exploit was most likely the culprit behind the Equifax breach announcement on July 29th 2017.
I do not think that Equifax had this deployed in a cloud environment. However they had it deployed on a web server(s) that was running a web service that I think had something to do with the credit dispute function on their website. I am assuming the developers of this function were utilizing the AJAX like use of Struts and was speeding up their development process. I do not know the internal history, but I can almost hear the request – we need to put that into production now! Despite objections – there it goes. In production.
An exploit is discovered, officially announced an immediately there are thousands of warez sites publishing a quick and easy way to take advantage of the exploit. You simple run the utility and point it at a range of IPs and it starts sending simple HTTP post commands that Struts would respond to with a simple embedded linux system admin command such as “whoami” and when a machine response with success – well then it is game on. That did not take very long in case of the Equifax incident. With in 3 short months, someone had already ran a command on the webserver with instructions for it to download a binary, change the permissions on that binary and then run it. Not sure what it did exactly, but apparently the application was able to transfer millions of clients personal data to an untrusted source.
If I had the time, I would research just how many exploits are released per day, per week, per month coming from software frameworks like Struts. That would be revealing. Even with automated tools to patch systems, detect and prevent exploits – it is really difficult to patch everything on every webserver that is actually designed to listen to as many HTTP commands as possible. Multiply that thousands of webservers, with thousands of exploits being released all the time and you have yourself what we call an exponential problem.
Here in lies the challenge with Cloud Security. The weakest link is going to be every software component installed right along with the packages that are included with the virtual machine instance your teams are creating every day, every week, every hour. You want them to move fast, to accelerate innovation and they are – but you have to deal with the fact that the speed of innovation is going to have some collateral challenges. You guessed it, one of those is security. I spent some times thinking about how I would approach this problem and the answer is pretty much – do the simple well. I would write more on that subject, but I am done for the week!