Breaking the Zero-Day Attack on Linux (the Strutshock Vulnerability and Equifax)
January 29th, 2018
In my November 2017 webinar, we demonstrated an exploitation against the “Strutshock” vulnerability, the avenue used by criminals to compromise Equifax in the summer of 2017. By watching the webinar, you learn how to use Metasploit, running in Kali Linux, to exploit Strutshock against a vulnerable system, like the one that Equifax had running. There’s an intentionally-vulnerable virtual machine that you can download to try your attack and then a defense, hosted at a URL at the end of the webinar.
I’ve been building tools, conducting research and giving talks and training since 1999, focusing around proactive security measures that could protect you from compromise even before you know of a vulnerability in your system. These measures are generally referred to as “security hardening.” Here’s why I’m so focused on hardening – take a look at this diagram, which shows the lifecycle of a vulnerability.
The first-time window above, between t0 and t1, refers to the period during which one or more security researchers have found a vulnerability in a piece of software, but keep its existence to themselves. During this time, an exploit is capable of compromising almost any system running that software, no matter what version, unless the system owner has taken some hardening step. Vulnerabilities in this time window are called “zero day” and exploits against them are often incredibly valuable. Their “owners” may keep them a secret for years
Let’s move to the next point on the graph, t1. t1 may be days, months, or years after t0. At this point, the software’s vendor learns of the vulnerability, whether by independent discovery or from one of the researchers who have discovered it. The software vendor begins working on a “patch,” or software update, which corrects the issue. During this time, the vulnerability’s existence is said to be “under embargo” and the vendor will discuss the issue only with other parties who have a need-to-know, generally other vendors that will also need to distribute the patch.
For example, in the case of a vulnerability in the Mozilla Firefox browser, the primary vendor here is Mozilla. When correcting the code, Mozilla will need to reach out to Red Hat, Canonical (makers of Ubuntu) and many other Linux distribution makers, to ensure those organizations make new binary versions of the software packages they ship. This period can last anywhere between one day and six months, though it seems to average around one month in the Linux ecosystem.
At the end of that roughly one month embargo period, the public learns of the vulnerability when the vendors all release a patch. We’re at t2 in the diagram above, where we all enter a race. We have to download the patch before the rest of the bad actors on the Internet (who never knew about the zero day vulnerability) begin attacking systems with an exploit. If your system wasn’t compromised during the first two time windows, you can win this race if you apply a patch before you’re attacked. As system owners, we’re generally all just playing the odds, hoping we get the patch deployed before an attacker (or automated program) fires an exploit against our system. By the way, once we get the patch deployed, we reach tfinal on the diagram above.
Strutshock wasn’t in its zero-day or embargo period when it was used to hack Equifax. The attackers compromised Equifax in May, two months after the patch’s release in March (t2), but any researcher who found the vulnerability before March could have also compromised Equifax, before a patch was even available.
My message here is this: patch as fast as you can, but realize that you can’t always win the race, because there are two time windows where you are vulnerable (when there is no patch yet). During the first two time windows, your best bet is to proactively harden your systems. My November webinar shows you two methods by which you can do this, using free tools. Check it out here: “Breaking the Zero-Day Attack on Linux”.