2013 has been a tough year already for security vulnerabilities with two high-profile web application development frameworks hit by remote code execution attacks.
On January 8, a remote code execution vulnerability in the Ruby on Rails framework was posted. Last week, a vulnerability was posted for the Java-based Spring Framework. The Spring Framework issue is less severe than the Ruby on Rails exploit because it is not present in the current (3.1) release of Spring. However, it does impact the previous versions of Spring, which are still used by many projects.
As attacks go, remote code execution is one of the worst type of attacks; it allows for malicious users to potentially take over your server. Impacts of the hack could include the theft of customer data (including credit cards) and the use of your server for malicious purposes.
Further increasing the impact of the vulnerability, the Ruby on Rails hack was "weaponized" by integrating it into the Metasploit vulnerability scanner. Metasploit provides a simple point and click interface for finding and potentially exploiting vulnerable systems.
If you're not using Java or Ruby, it's tempting to ignore these types of reports and carry on. This is the digital equivalent of whistling past the graveyard. However, if you are managing systems that are connected to the Internet (regardless of technology), you must have an approach in place to ensure these issues are caught and resolved as quickly as possible.
What can you do?
- Educate yourself. Keep on top of security vulnerabilities. The National Vulnerability Database is the canonical source of all software vulnerabilities.
- Have a maintenance plan. Make sure you have the budget and staff to keep the servers up to date in case a vulnerability comes out. If a 0-day hack came out tomorrow, who will fix it.
- Audit your network. Still have an ancient copy of Redmine you were evaluating running on a server? Time to shut it down or upgrade it.
- Minimize the impact. If your server was compromised, what is the impact? By hardening the server, you can reduce the impact of security breaches by minimizing the capabilities of a compromised system.
- Use automated security scanners. Metasploit is just as useful for IT admins as for malicious hackers or drive-by bots when it comes to finding vulnerable systems on your network.
- Move to the cloud. Rather than hosting the service yourself, offload the headaches to someone else. When evaluating providers, make sure they have a security plan in place and review it.
Bottom line: No technology stack is perfect, all will have security vulnerabilities sooner or later. However, with the right plans in place, you can sleep a little easier.
- The Code Climate Blog has an excellent writeup on the Ruby on Rails vulnerability and how to address it.
- The National Vulnerability Database is the canonical source of all software vulnerabilities. The Common Vulnerability and Exposure (CVE) search engine is a good place to search.
- To harden Windows servers, the Security Configuration Wizard (SCW) to help with the process. This ServerFault question has some great answers for security LAMP servers.