Matthew_Mollenhauer
New Member
September 24, 2014
Question

If you use BASH shell environment

  • September 24, 2014
  • 13 replies
  • 24760 views
Just an FYI, https://access.redhat.com/security/cve/CVE-2014-6271, I wouldn't say it's as bad as Heartbleed but it's definitely not good. Regards, Matthew

    13 replies

    Dave_Hall
    New Member
    September 24, 2014
    Link fixed.
    sandy2810
    New Member
    September 25, 2014
    So do we have a Fortigate IPS signature to block any exploit attempts?
    emnoc
    New Member
    September 25, 2014
    Interesting CVE postings. These are shell-related issues, so I don't know how you could write an IPS signature to protect against this. A shell script could be crafted and executed later or via an at/cron job. So both CVEs listed don't give any fix suggestions.
    Christopher_McMullan
    Staff
    September 25, 2014
    There is an IPS signature in the works that should be released in a couple of days. It's in the QA stage now, to ensure we don't cause any false positives. In the meantime, there is a custom signature that can be applied, but I am not going to post it here, for consistency's sake. If a signature is needed right away, please open a ticket with TAC and request the custom signature from ticket no. 1220079. This way, we can provide it in a controlled fashion, and monitor any issues. The custom signatures have to be taken as a best-effort hot fix until the real signature is fully tested and pushed out as an IPS database update.
    teedub
    New Member
    September 25, 2014
    Hi, Nice to know that you guys have created a sig for this. This article describes how to test the exploit, and some current snort sigs. http://www.volexity.com/blog/?p=19 I created my own signatures, which are below, based on the info in the article, and have caught a couple of attacks already, and I'm fairly certain they weren't false positives!

    config ips custom
        edit "ShellShock-WebServ-HTTP"
            set comment "Block attempts to exploit CVE-2014-6271 to server using HTTP"
            set location server
            set protocol HTTP
            set severity critical
            set action block
            set signature "F-SBID(--name \"ShellShock-WebServ-HTTP\"; --pattern \"() {\"; --flow from_client; --service HTTP; --context header; )"
        next
        edit "ShellShock-WebServ-SSL"
            set comment "Block attempts to exploit CVE-2014-6271 to server using SSL"
            set location server
            set protocol SSL
            set severity critical
            set action block
            set signature "F-SBID(--name \"ShellShock-WebServ-SSL\"; --pattern \"() {\"; --flow from_client; --service SSL; --context header; )"
        next
        edit "ShellShock-ClientHTTP"
            set comment "Block attempts to exploit CVE-2014-6271 to client using HTTP"
            set location client
            set protocol HTTP
            set severity critical
            set action block
            set signature "F-SBID(--name \"ShellShock-ClientHTTP\"; --pattern \"() {\"; --flow from_server,reversed; --service HTTP; --context header; )"
        next
        edit "ShellShocked-ClientSSL"
            set comment "Block attempts to exploit CVE-2014-6271 to client using SSL"
            set location client
            set protocol SSL
            set severity critical
            set action block
            set signature "F-SBID(--name \"ShellShocked-ClientSSL\"; --pattern \"() {\"; --flow from_server,reversed; --service SSL; --context header; )"
        next
        edit "ShellShocked-SSH"
            set comment "Block attempts to exploit CVE-2014-6271 to client using SSH"
            set location client
            set protocol SSH
            set severity critical
            set action block
            set signature "F-SBID(--name \"ShellShocked-SSH\"; --pattern \"() {\"; --flow from_client; --service SSH; )"
        next
        edit "ShellShocked-TELNET"
            set comment "Block attempts to exploit CVE-2014-6271 to client using TELNET"
            set location client
            set protocol TELNET
            set severity critical
            set action block
            set signature "F-SBID(--name \"ShellShocked-TELNET\"; --pattern \"() {\"; --flow from_client; --service TELNET; )"
        next
        edit "ShellShocked-SIP"
            set comment "Block attempts to exploit CVE-2014-6271 to client using SIP"
            set location client
            set protocol SIP
            set severity critical
            set action block
            set signature "F-SBID(--name \"ShellShocked-SIP\"; --pattern \"() {\"; --flow from_client; --service SIP; )"
        next
    end
    jtfinley
    New Member
    September 25, 2014
    teedub - thank you. awesome. Picking up hits already....
    Carl_Wallmark
    New Member
    September 25, 2014
    Three more IPS signatures:

    F-SBID( --name "Bash.Code.Execution.Custom1"; --protocol tcp; --service HTTP; --flow from_client; --pattern "|28 29 20 7b 20|"; --context uri; --pcre "/[=?&\x2f]\s*?\x28\x29\x20\x7b\x20/"; --context uri; )
    F-SBID( --name "Bash.Code.Execution.Custom2"; --protocol tcp; --service HTTP; --flow from_client; --pattern "|28 29 20 7b 20|"; --context header; )
    F-SBID( --name "Bash.Code.Execution.Custom3"; --protocol tcp; --service HTTP; --flow from_client; --pattern "|28 29 20 7b 20|"; --context body; --pcre "/(?:^|[=?&])\s*?\x28\x29\x20\x7b\x20/"; --context body; )
    Matthew_Mollenhauer
    New Member
    September 25, 2014
    Apologies for the bad URL, -1 for checking my own work.... I noticed that the FortiGuard site has info on this exploit and that a sig was to be released in the IPS update 5.551. Our FMG & FGTs now have this update but I can't seem to find the signature to enable it. Has anyone else noticed this? http://www.fortiguard.com/advisory/FG-IR-14-030/ Regards, Matthew
    netmin
    New Member
    September 26, 2014
    @Matthew: it was made available in IPS update 5.552
    Carl_Wallmark
    New Member
    September 26, 2014
    I get a lot of hits on the Bash exploit, I am also saving the packets. Some are just testing but others are trying to download external files to the servers. The race is on! ;)
    teedub
    New Member
    September 26, 2014
    Also Matthew, I would say this will be worse than Heartbleed. Heartbleed was easy to patch, and affected fewer versions. It's not going to be easy to track down every device on every network and update it, particularly embedded devices which will need firmware updates, and it affects so many versions!
    Carl_Wallmark
    New Member
    September 26, 2014
    Hi Tom,
    thanks for the additional sigs, can you provide an explanation or sources for what they are looking for in the client side traffic?
    I guess the "pattern" is the same for the signatures above mine, it's only in hex. I got these from Fortinet when asking for them, they released them the same night.
    teedub
    New Member
    September 26, 2014
    Ah ok, I understand. I have both on my firewalls now, and the new IPS database, my rules are the ones seeing hits. One of my hits is shodan.io, so they seem to be effective! I will review the rule hits and packet logs after the weekend and see what is revealed.
    jtfinley
    New Member
    September 26, 2014
    One of my hits is shodan.io, so they seem to be effective!
    I too, am getting hit from that domain. About every 15-20 minutes.
    ede_pfau
    SuperUser
    September 26, 2014
    IMO you should be aware that in Selective's patterns not only the curly braces are matched but a trailing blank also. I'm not sure why this would be needed but it might match less often with 4 chars than with 3 chars as in teedub's patterns.
    Decoded: \x28 = "(", \x29 = ")", \x20 = " ", \x7b = "{" -- "() {"; plus the trailing \x20 = " " -- "() { "
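An added example (not from the thread or from Fortinet) that applies the three signature contexts above (uri, header, body), reusing the posted PCREs, to constructed HTTP requests, and checks ede_pfau's point: the 5-byte hex pattern |28 29 20 7b 20| includes the trailing blank, so a header carrying only "() {" trips teedub's shorter pattern but not the hex one. The sample requests are constructed, their probe commands only echo, and percent-decoding the URI before matching is an assumption about what the sensor does.

```python
import re
from urllib.parse import unquote_to_bytes

# The F-SBID hex pattern |28 29 20 7b 20| decodes to the 5 bytes "() { " (trailing
# blank included); the text pattern "() {" in the earlier signatures stops at the brace.
HEX_PATTERN = bytes.fromhex("2829207b20")   # b"() { "
TEXT_PATTERN = b"() {"
# PCREs copied from the uri- and body-context custom signatures in the thread.
URI_PCRE = re.compile(rb"[=?&\x2f]\s*?\x28\x29\x20\x7b\x20")
BODY_PCRE = re.compile(rb"(?:^|[=?&])\s*?\x28\x29\x20\x7b\x20")

def parse_request(raw: bytes):
    """Split a raw HTTP request into (percent-decoded URI, header lines, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *headers = head.split(b"\r\n")
    _method, uri, _version = request_line.split(b" ", 2)
    return unquote_to_bytes(uri), headers, body   # decoding the URI is an assumption

def classify(raw: bytes) -> list:
    """Return the contexts (uri, header, body) in which the hex/PCRE signatures would fire."""
    uri, headers, body = parse_request(raw)
    contexts = []
    if URI_PCRE.search(uri):
        contexts.append("uri")
    if any(HEX_PATTERN in line for line in headers):
        contexts.append("header")
    if BODY_PCRE.search(body):
        contexts.append("body")
    return contexts

def pattern_gap(raw: bytes) -> bool:
    """True when a header carries "() {" without the trailing blank: only the shorter pattern fires."""
    _, headers, _ = parse_request(raw)
    return any(TEXT_PATTERN in h and HEX_PATTERN not in h for h in headers)

# Constructed sample requests (not captures from the thread); the probe commands only echo.
SAMPLES = {
    "header_probe": b"GET /cgi-bin/status HTTP/1.1\r\nHost: www.example.com\r\n"
                    b"User-Agent: () { :; }; echo shellshock-test\r\n\r\n",
    "uri_probe": b"GET /cgi-bin/status?a=%28%29%20%7B%20:;%7D;%20echo%20t HTTP/1.1\r\n"
                 b"Host: www.example.com\r\n\r\n",
    "body_probe": b"POST /cgi-bin/form HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
                  b"name=() { :; }; echo t",
    "no_blank": b"GET / HTTP/1.1\r\nHost: www.example.com\r\nReferer: () {:;}; echo t\r\n\r\n",
    "benign": b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0 (X11)\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:13s} contexts={classify(raw)} gap={pattern_gap(raw)}")
```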