Shell shock & Poodle
Vulnerabilities, Fix
-Sasidhar Gogulapati
Shell Shock Vulnerability
Shellshock is a security bug in the Bash command-line interpreter (CLI).
Revealed by Linux expert Stephane Chazelas on 24th September, 2014. It is a 10-year-old bug!
Allows attackers to gain unauthorized access to systems by executing arbitrary commands.
High impact on Linux and Mac OS, where Bash is the default CLI.
Where the bug occurs?
Found in Bash's parsing code, which unintentionally executes commands concatenated to the end of function definitions stored in the values of environment variables.
How attackers exploit it
HTTP servers: servers that run CGI scripts can expose Bash to an HTTP request, so a malicious HTTP request can inject arbitrary commands onto the server, with Bash invoked to execute them.
SSH: Bash can be used to bypass the command restrictions placed on an authenticated SSH user, escalating to arbitrary command execution.
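As an added illustration of the CGI vector above (example code, not part of the original slides): a small Python log scanner that flags HTTP requests whose Referer or User-Agent carries the Bash function-definition prefix `() {`, the marker a CGI server would pass to Bash in an HTTP_* environment variable. The log lines and IP addresses are constructed samples.

```python
import re

# Apache/nginx "combined" log format; header values may contain escaped quotes (\").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<user_agent>(?:[^"\\]|\\.)*)"$'
)

# Bash only treated an environment variable as an exported function when its value
# began with "() {"; CGI exports request headers as HTTP_* variables, so that prefix
# in a header value is the signature worth alerting on.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Constructed sample lines (not real traffic): two probes from 203.0.113.7, one normal
# request, and one malformed line that the parser must skip.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Sep/2014:10:15:32 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"
198.51.100.23 - - [25/Sep/2014:10:15:40 +0000] "GET /index.html HTTP/1.1" 200 1043 "http://example.com/" "Mozilla/5.0"
this line is not in combined format and is skipped
203.0.113.7 - - [25/Sep/2014:10:16:01 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 500 0 "() { :; }; echo vulnerable" "curl/7.37.0"
"""


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def looks_like_cgi(request):
    """True when the request line targets a CGI path (where Bash is typically reachable)."""
    parts = request.split()
    path = parts[1] if len(parts) > 1 else ""
    return path.startswith("/cgi-bin/") or path.endswith(".cgi")


def find_shellshock_probes(log_text):
    """Scan log lines and return one finding per header value carrying the "() {" prefix."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the scan
        for field in ("referer", "user_agent"):
            if SHELLSHOCK_RE.search(rec[field]):
                findings.append({
                    "ip": rec["ip"],
                    "field": field,
                    "request": rec["request"],
                    "status": rec["status"],
                    "cgi_target": looks_like_cgi(rec["request"]),
                })
    return findings


if __name__ == "__main__":
    for f in find_shellshock_probes(SAMPLE_LOG):
        print(f"{f['ip']} -> {f['request']} [{f['field']}] cgi={f['cgi_target']} status={f['status']}")
```

A 200 on a CGI path with this prefix deserves the same attention as a 500: the status says nothing about whether Bash ran the injected text.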
How to test it?
Execute the following commands from the terminal:
If the output contains the word 'vulnerable', then the system is vulnerable.
How to fix it?
By upgrading to the latest version of Bash.
"yum update bash" is the command for CentOS and Red Hat Linux.
Poodle Attack
"Padding Oracle On Downgraded Legacy Encryption"
Man-in-the-middle exploit which takes advantage of the client software's fallback to SSL 3.0.
Google's security team discovered this on October 14, 2014.
If attackers exploit it successfully, they need only 256 SSL 3.0 requests to reveal one byte of the encrypted message.
Where the bug occurs?
Poodle can be used to target browser-based communication that relies on SSL 3.0 (Secure Sockets Layer) for encryption and authentication.
It allows the attacker to manipulate the padding at the end of a block-cipher record, so that the encryption becomes less secure.
Poodle can force the browser to use SSL 3.0.
How to fix it?
Disable SSL 3.0 on all protocols.
Enable TLS (Transport Layer Security) 1.0.
Prevent TLS 1.0 downgrade attacks by ensuring both client and server support only TLS.
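The fix slide above, as an added Python example that is not part of the original deck: a server-side `ssl` context with SSL 3.0 disabled, plus an audit helper that reports when a protocol floor would still admit SSL 3.0 or the older TLS versions. It assumes a TLS 1.2 floor (current practice; the 2014 slide names TLS 1.0) and a certificate path supplied by the caller.

```python
import ssl

# Assumed policy for this example: TLS 1.2 is the lowest version a server should offer.
# The original slide, written in 2014, names TLS 1.0 as the minimum.
REQUIRED_MIN_VERSION = ssl.TLSVersion.TLSv1_2


def hardened_server_context(certfile=None, keyfile=None):
    """Server-side context with SSL 3.0 disabled and a TLS 1.2 floor (POODLE mitigation)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Python's defaults already set OP_NO_SSLv3; set it explicitly so the intent is visible
    # in the code rather than depending on the interpreter version.
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    ctx.minimum_version = REQUIRED_MIN_VERSION
    if certfile:  # caller-supplied certificate and key (placeholder paths, none shipped here)
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit_min_version(min_version):
    """Findings for a protocol floor; accepts an ssl.TLSVersion or its name (e.g. "TLSv1")."""
    if isinstance(min_version, str):
        min_version = ssl.TLSVersion[min_version]
    findings = []
    # MINIMUM_SUPPORTED (-2) and SSLv3 (0x300) both let an SSL 3.0 handshake through.
    if min_version <= ssl.TLSVersion.SSLv3:
        findings.append("SSL 3.0 can be negotiated: vulnerable to POODLE")
    if min_version < REQUIRED_MIN_VERSION:
        findings.append(f"floor is {min_version.name}: TLS 1.0/1.1 allowed, raise to TLSv1_2")
    return findings


def audit_context(ctx):
    """Findings for a live SSLContext: the SSLv3 option flag plus the version floor."""
    findings = []
    if not ctx.options & ssl.OP_NO_SSLv3:
        findings.append("OP_NO_SSLv3 not set")
    findings.extend(audit_min_version(ctx.minimum_version))
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_server_context()) or "no findings")
    print("TLSv1 floor:", audit_min_version("TLSv1"))
    print("SSLv3 floor:", audit_min_version("SSLv3"))
```

The option flag and the version floor are checked separately because either one alone can reopen SSL 3.0 on an OpenSSL build that still ships it.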
Thank You