BASH – Shellshock

BASH Shellshock has been all over the news lately, and has come to the attention of our security conscious customers (which is pretty much all of them.) There are lots and lots of blogs out there on it, a Wikipedia article and even a dedicated site.

I also listened in on a SANS webinar, but of course none of these are in context of full disk encryption and SecureDoc; thus this blog.

First is SecureDoc vulnerable to BASH – Shellshock attacks?

The answer is no. Below is a little background on Shellshock in the context of SecureDoc and full disk encryption (FDE), and why SecureDoc is not impacted.

Bash is a shell. A shell is a program which allows users to access and manage the computer system via a command line or command line scripts. The shell is the interface between the user and the system. The kernel on the other hand, directly controls and manages the system’s hardware resources, such as the CPU. The system user interfaces with the shell, the shell interfaces with the kernel and the kernel interfaces with the hardware. I think of the shell as the wrapper (i.e. ‘shell’) around the kernel. Bash Shellshock is a Unix / Linux based shell vulnerability, where through clever manipulation of Bash environment variables the attacker can get unauthorized access to system resources.

The SecureDoc Enterprise Server (SES) is Windows, not Linux, based and is not impacted by Bash Shellshock.

On the client side things are more complicated. With FDE, in order to get the full protection that encryption can bring, one must employ pre-boot authentication (PBA) which runs before the host OS (e.g. Windows) is loaded. Even if the client host OS is Windows, the PBA would still have a different operating environment because it boots first. For FDE, the operating environment is usually a simple RTOS (Real Time OS), native UEFI App or Linux. Bash is often the default shell for Linux.   The good news is that BASH Shellshock is exploitable on Linux web servers that run bash cgi-bin. PBA for client systems do not usually bring up web services. In fact, since PBA is dedicated to a predetermined purpose (authentication) there is no need to expose the command line to end users at all. Rather a PBA GUI performs the authentication. SecureDoc PBA doesn’t expose the command line prompt and certainly doesn’t act a web server so it is not BASH – Shellshock exploitable.

Previous Post
Apple’s Privacy Policy
Next Post
Security Measures to Think About

Related Posts

Database Security

Buffer, a social media scheduling service, Buffer, found itself on the receiving end of a data-breach back in October. The culprit behind the breach was the company’s database provider. The breach resulted in the exposure of user account credentials that…

Making the Case for Data Encryption

In August, we released the results of a survey we did with the Ponemon Institute where we examined the Total Cost of Ownership (TCO) for data encryption. To make this information even clearer, we’ve now created a handy, easy to…

WinMagic Certified Secure Validation

Today SanDisk announced their new SSD offering, the X300s – it’s their first drive to feature encryption capabilities. As part of this announcement, WinMagic also announced that SanDisk is the first drive partner we work with to complete the WinMagic…
Read more

Constant Improvement

Late last year we introduced SecureDoc 6.1 and introduced a whole host of new features including MDM, FileVault 2 management capabilities, a Web-based console and more. As with any new release there are kinks that can be worked out and…

Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.

Menu
Contact Us

This will close in 15 seconds