Wednesday, July 20, 2016

Failure to patch known vulns bites again

As you may have heard, the Ubuntu Forums website was hacked recently leading to the compromise of the details of about two million users.  These details apparently do not include passwords (even in hashed form) due to the use of Ubuntu Single Sign On.

The source of the hack?  Another SQL injection from a known vulnerability.  It seems we can't go more than a few weeks without another one of these popping up.  The vulnerability in this case was an out of date (and known vulnerable) vBulletin plugin.  As I mentioned in the Drupal post last week, when your public facing content management system pushes a patch, you have to be ready to respond, even if this means taking a short unscheduled outage window.  Otherwise, you leave yourself open to hack. 

As I discuss in the SANS Cyber Threat Intelligence course, Threats occur at the intersection of Capability, Intent, and Opportunity.  Your attacker has the intent and the moment the patch came out, advanced attackers started working on the capability.  You alone control the opportunity by either patching or not.  We've worked with customers at Rendition Infosec who have had public facing web applications attacked within 24 hours of the release of a patch, long before Metasploit had an exploit for the vulnerability.  The attacker's actions on objectives lead us to conclude that most of these were targeted attacks. The attacker knew who they were compromising, had performed the recon previously, and were waiting for a vulnerability in the potential victim's infrastructure.

Ubuntu Lessons Learned

Separation of assets
According to the Canonical CEO in this blog post, Ubuntu was doing a good job of separating their code repositories from the forum servers.  I would expect this in any company the size of Canonical, but frequently we see multi-use servers on client DMZ's and it makes me a little sick every time I see it.
Verdict: +1 Ubuntu

Reset system and database passwords
These probably weren't compromised according to the investigation, but were reset out of an abundance of caution.
Verdict: +1 Ubuntu

Updated vBulletin software to latest patch level
Sorry, you don't get points for patching any more than someone gives you points for brushing your teeth after chewing on an onion.  It's just something you do, not something you get credit for.  And you still lose points for being out of patch compliance in the first place.
Verdict: -2 Ubuntu

Added ModSecurity to mitigate SQL injection attacks
Smaller organizations get points for deploying a web application firewall (WAF) but not so much a company the size of Ubuntu.  We would have expected they would already have a WAF in place, especially the free ModSecurity (which ironically they could sudo apt-get install for basic protection).  A WAF won't fix your patching problems, but will provide some basic protection against SQL injection attacks.  Don't rely on it though, like a seat belt it's only there to help soften the blow.  You can still die in the collision.
Verdict: +2 Ubuntu for deploying the WAF, good defense in depth.  -1 for not already having one deployed.

Broad Announcement
I feel like this story almost slipped under the radar.  I didn't get an email about it.  Then again, Google may have auto-filtered it as spam. Breach notifications are getting to be like Nigerian prince emails they come so often...  When I read the story, I headed over to and didn't see any notification at all on their website.  This is of course bad form.  Even when you think nothing was compromised, you are better off informing your users - on the actual site that was compromised - not a blog on another domain entirely.
Verdict: -1 Ubuntu, just because you don't think it was a big deal doesn't mean you get to pretend it didn't happen.


Learn from Ubuntu's missteps here and you can make sure your customers have a better "breach experience" than Ubuntu's did.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.