Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Matthew_Mollenhauer
New Contributor III

If you use BASH shell environment

Just an FYI, https://access.redhat.com/security/cve/CVE-2014-6271, I wouldn' t say it' s as bad as heartbleed but it' s definitely not good. Regards, Matthew
22 REPLIES 22
Dave_Hall
Honored Contributor

Link fixed.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
sandy2810
New Contributor

So do we have a Fortigate IPS signature to block any exploit attempts?
emnoc
Esteemed Contributor III

Interesting CVE postings. This is shell related issues, so I don' t know how you could write a IPS sign to protect against this. A shell script could be craft and execute later or via a at/cron time. So both CVE listed doesn' t give any fix suggestions.

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Christopher_McMullan

There is an IPS signature in the works that should be released in a couple days. It' s in the QA stage now, to ensure we don' t cause any false positives. In the meantime, there is a custom signature that can be applied, but I am not going to post it here, for consistency' s sake. If a signature is needed right away, please open a ticket with TAC and request the custom signature from ticket no. 1220079. This way, we can provide it in a controlled fashion, and monitor any issues. The custom signatures have to be taken as a best-effort hot fix until the real signature is fully tested and pushed out as an IPS database update.

Regards, Chris McMullan Fortinet Ottawa

teedub

Hi, Nice to know that you guys have created a sig for this. This article describes how to test the exploit, and some current snort sigs. http://www.volexity.com/blog/?p=19 I created my own signatures, which are below, based on the info in the article, and have caught a couple of attacks already, and I' m fairly certain they were nt false positives! config ips custom edit " ShellShock-WebServ-HTTP" set comment " Block attempts to exploit CVE-2014-6271 to server using HTTP" set location server set protocol HTTP set severity critical set action block set signature " F-SBID(--name \" ShellShock-WebServ-HTTP\" ; --pattern \" () {\" ; --flow from_client; --service HTTP; --context header; )" next edit " ShellShock-WebServ-SSL" set comment " Block attempts to exploit CVE-2014-6271 to server using SSL" set location server set protocol SSL set severity critical set action block set signature " F-SBID(--name \" ShellShock-WebServ\" ; --pattern \" () {\" ; --flow from_client; --service SSL; --context header; )" next edit " ShellShock-ClientHTTP" set comment " Block attempts to exploit CVE-2014-6271 to client using HTTP" set location client set protocol HTTP set severity critical set action block set signature " F-SBID(--name \" ShellShock-ClientHTTP\" ; --pattern \" () {\" ; --flow from_server,reversed; --service HTTP; --context header; )" next edit " ShellShocked-ClientSSL" set comment " Block attempts to exploit CVE-2014-6271 to client using SSL" set location client set protocol SSL set severity critical set action block set signature " F-SBID(--name \" ShellShock-ClientSSL\" ; --pattern \" () {\" ; --flow from_server,reversed; --service SSL; --context header; )" next edit " ShellShocked-SSH" set comment " Block attempts to exploit CVE-2014-6271 to client using SSH" set location client set protocol SSH set severity critical set action block set signature " F-SBID(--name \" ShellShock-ClientSSL\" ; --pattern \" () {\" ; --flow from_client; --service SSH; )" next edit " ShellShocked-TELNET" set comment " Block attempts to exploit CVE-2014-6271 to client using SSH" set location client set protocol TELNET set severity critical set action block set signature " F-SBID(--name \" ShellShock-ClientSSL\" ; --pattern \" () {\" ; --flow from_client; --service TELNET; )" next edit " ShellShocked-SIP" set comment " Block attempts to exploit CVE-2014-6271 to client using SSH" set location client set protocol SIP set severity critical set action block set signature " F-SBID(--name \" ShellShock-ClientSSL\" ; --pattern \" () {\" ; --flow from_client; --service SIP; )" next end
jtfinley
Contributor

teedub - thank you. awesome. Picking up hits already....
Carl_Wallmark
Valued Contributor

Three more IPS signatures: F-SBID( --name " Bash.Code.Execution.Custom1" ; --protocol tcp; --service HTTP; --flow from_client; --pattern " |28 29 20 7b 20|" ; --context uri; --pcre " /[=?&\x2f]\s*?\x28\x29\x20\x7b\x20/" ; --context uri ; ) F-SBID( --name " Bash.Code.Execution.Custom2" ; --protocol tcp; --service HTTP; --flow from_client; --pattern " |28 29 20 7b 20|" ; --context header;) F-SBID( --name " Bash.Code.Execution.Custom3" ; --protocol tcp; --service HTTP; --flow from_client; --pattern " |28 29 20 7b 20|" ; --context body; --pcre " /(?:^|[=?&])\s*?\x28\x29\x20\x7b\x20/" ; --context body ; )

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

FCNSA, FCNSP---FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30BFortiAnalyzer 100B, 100CFortiMail 100,100CFortiManager VMFortiAuthenticator VMFortiTokenFortiAP 220B/221B, 11C
Matthew_Mollenhauer
New Contributor III

Apologies for the bad URL, -1 for checking my own work.... I noticed that the Fortiguard site has info on this exploit and that a sig was to be released in the IPS update 5.551. Our FMG & FGT' s now have this update but I can' t seem to find the signature to enable it. Has anyone else noticed this? http://www.fortiguard.com/advisory/FG-IR-14-030/ Regards, Matthew
netmin

@Matthew: it was made available in IPS update 5.552
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors