Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Matthew_Mollenhauer
New Contributor III

If you use BASH shell environment

Just an FYI, https://access.redhat.com/security/cve/CVE-2014-6271, I wouldn' t say it' s as bad as heartbleed but it' s definitely not good. Regards, Matthew
22 REPLIES 22
teedub

Hi Selective, thanks for the additional sig' s, can you provide an explanation or sources for what they are looking for int he client side traffic? Tom
Carl_Wallmark
Valued Contributor

I get alot of hits on the Bash exploit, I am also saving the packets. Some are just testing but others are trying to download external files to the servers. The race is on! ;)

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

FCNSA, FCNSP---FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30BFortiAnalyzer 100B, 100CFortiMail 100,100CFortiManager VMFortiAuthenticator VMFortiTokenFortiAP 220B/221B, 11C
teedub
New Contributor

Page: Reply to Message All Forums >>FortiGate / FortiOS UTM features >>Intrusion Detection & Prevention >>
Also Matthew, I would say this will be worse than Heartbleed. Heartbleed was easy to patch, and affected fewer versions. its not going to be easy to track down every device on every network and update it, particularly embedded devices which will need firmware updates, and it affects so many versions!
Carl_Wallmark
Valued Contributor

Hi Tom,
thanks for the additional sig' s, can you provide an explanation or sources for what they are looking for int he client side traffic?
I guess the " pattern" is the same for the signtaures above mine, it´s only in hex. I got these from Fortinet when asking for them, they released them the same night.

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

FCNSA, FCNSP---FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30BFortiAnalyzer 100B, 100CFortiMail 100,100CFortiManager VMFortiAuthenticator VMFortiTokenFortiAP 220B/221B, 11C
teedub

Ah ok, I understand. I have both on my firewalls now, and the new IPS database, my rules are the ones seeing hits. One of my hits is shodan.io, so they seem to be effective! I will review the ruel hits and packet logs after the weekend and see what is revealed.
jtfinley

One of my hits is shodan.io, so they seem to be effective!
I too, am getting hit from that domain. About every 15-20 minutes.
ede_pfau
SuperUser
SuperUser

IMO you should be aware that in Selective' s patterns not only the curly braces are matched but a trailing blank also. I' m not sure why this would be needed but it might match less often with 4 chars than with 3 chars as in teedub' s patterns. decoded: \x28=" (" \x29=" )" \x20=" " \x7b=" {" -- " () {" \x20=" " -- " () { "
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
FortiAdam
Contributor II

I had a couple firewalls that received the 5.552 IPS update but I still couldn' t find the Bash signature on them. The fix was to manually download the update from the support portal and upload it to the firewall.
jtfinley

I had a couple firewalls that received the 5.552 IPS update but I still couldn' t find the Bash signature on them
Same here; however, if I manually upload the pkg file it states Error: Firewall has all the updates found in the given file.
teedub
New Contributor

@jtfinley You know what Shodan is right? If not check it out, its cool as. It scans hosts for running services and vulnerabilities, and then lets you search on public IP' s for them. Its expected to receive scans from this domain. I didn' t have any issue with the fortiguard signatures, all the firewalls I have that are set to autoudate had the sig, but I manually updated any that hadn' t updated to 5.552 using downloaded ones from support.fortinet.com, and they were fine. I did create custom rules in my sensors to drop traffic matching these sigs, as the built rule default action is alert. Might want to be aware of that! Also, fireeye have a good article on exploits in the wild:- http://www.fireeye.com/blog/uncategorized/2014/09/shellshock-in-the-wild.html
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors