If you use BASH shell environment
Just an FYI, https://access.redhat.com/security/cve/CVE-2014-6271, I wouldn't say it's as bad as Heartbleed but it's definitely not good.
Regards,
Matthew
Link fixed.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
So do we have a Fortigate IPS signature to block any exploit attempts?
Interesting CVE postings. These are shell-related issues, so I don't know how you could write an IPS sig to protect against this. A shell script could be crafted and executed later, or at an at/cron time. So neither CVE listed gives any fix suggestions.
PCNSE
NSE
StrongSwan
There is an IPS signature in the works that should be released in a couple of days. It's in the QA stage now, to ensure we don't cause any false positives.
In the meantime, there is a custom signature that can be applied, but I am not going to post it here, for consistency's sake.
If a signature is needed right away, please open a ticket with TAC and request the custom signature from ticket no. 1220079.
This way, we can provide it in a controlled fashion, and monitor any issues. The custom signatures have to be taken as a best-effort hot fix until the real signature is fully tested and pushed out as an IPS database update.
Regards, Chris McMullan Fortinet Ottawa
Hi,
Nice to know that you guys have created a sig for this.
This article describes how to test the exploit, and some current snort sigs.
http://www.volexity.com/blog/?p=19
I created my own signatures, which are below, based on the info in the article, and have caught a couple of attacks already, and I'm fairly certain they weren't false positives!
config ips custom
edit "ShellShock-WebServ-HTTP"
set comment "Block attempts to exploit CVE-2014-6271 to server using HTTP"
set location server
set protocol HTTP
set severity critical
set action block
set signature "F-SBID(--name \"ShellShock-WebServ-HTTP\"; --pattern \"() {\"; --flow from_client; --service HTTP; --context header; )"
next
edit "ShellShock-WebServ-SSL"
set comment "Block attempts to exploit CVE-2014-6271 to server using SSL"
set location server
set protocol SSL
set severity critical
set action block
set signature "F-SBID(--name \"ShellShock-WebServ-SSL\"; --pattern \"() {\"; --flow from_client; --service SSL; --context header; )"
next
edit "ShellShock-ClientHTTP"
set comment "Block attempts to exploit CVE-2014-6271 to client using HTTP"
set location client
set protocol HTTP
set severity critical
set action block
set signature "F-SBID(--name \"ShellShock-ClientHTTP\"; --pattern \"() {\"; --flow from_server,reversed; --service HTTP; --context header; )"
next
edit "ShellShocked-ClientSSL"
set comment "Block attempts to exploit CVE-2014-6271 to client using SSL"
set location client
set protocol SSL
set severity critical
set action block
set signature "F-SBID(--name \"ShellShock-ClientSSL\"; --pattern \"() {\"; --flow from_server,reversed; --service SSL; --context header; )"
next
edit "ShellShocked-SSH"
set comment "Block attempts to exploit CVE-2014-6271 to client using SSH"
set location client
set protocol SSH
set severity critical
set action block
set signature "F-SBID(--name \"ShellShocked-SSH\"; --pattern \"() {\"; --flow from_client; --service SSH; )"
next
edit "ShellShocked-TELNET"
set comment "Block attempts to exploit CVE-2014-6271 to client using TELNET"
set location client
set protocol TELNET
set severity critical
set action block
set signature "F-SBID(--name \"ShellShocked-TELNET\"; --pattern \"() {\"; --flow from_client; --service TELNET; )"
next
edit "ShellShocked-SIP"
set comment "Block attempts to exploit CVE-2014-6271 to client using SIP"
set location client
set protocol SIP
set severity critical
set action block
set signature "F-SBID(--name \"ShellShocked-SIP\"; --pattern \"() {\"; --flow from_client; --service SIP; )"
next
end
teedub - thank you. Awesome. Picking up hits already....
Three more IPS signatures:
F-SBID( --name "Bash.Code.Execution.Custom1"; --protocol tcp; --service HTTP; --flow from_client; --pattern "|28 29 20 7b 20|"; --context uri; --pcre "/[=?&\x2f]\s*?\x28\x29\x20\x7b\x20/"; --context uri; )
F-SBID( --name "Bash.Code.Execution.Custom2"; --protocol tcp; --service HTTP; --flow from_client; --pattern "|28 29 20 7b 20|"; --context header; )
F-SBID( --name "Bash.Code.Execution.Custom3"; --protocol tcp; --service HTTP; --flow from_client; --pattern "|28 29 20 7b 20|"; --context body; --pcre "/(?:^|[=?&])\s*?\x28\x29\x20\x7b\x20/"; --context body; )
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
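Both the FortiGate custom signature block posted earlier by teedub and the three Custom1/2/3 F-SBID rules above look for the same thing: the "() { " prefix (bytes 28 29 20 7b 20) of an exported bash function arriving in HTTP data. As an added example, not code from the thread or from Fortinet, here is a small Python model of the three Custom signatures run over constructed HTTP requests. It shows which context (uri, header, body) each rule fires on and why the PCRE refinement in Custom1 and Custom3 matters for false positives. Assumptions: the IPS matches the uri and body contexts against percent-decoded data, the request line is not part of the header context, and the sample requests, hostnames and probe strings are constructed for the demo.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote_to_bytes

# The "|28 29 20 7b 20|" byte pattern in the posted signatures is the ASCII
# string "() { ", the start of an exported bash function definition.
MARKER = b"() { "

# PCREs lifted from the Custom1 (--context uri) and Custom3 (--context body)
# signatures in the thread; Custom2 (--context header) has no PCRE refinement.
URI_PCRE = re.compile(rb"[=?&\x2f]\s*?\x28\x29\x20\x7b\x20")
BODY_PCRE = re.compile(rb"(?:^|[=?&])\s*?\x28\x29\x20\x7b\x20")


def split_request(raw: bytes) -> Tuple[bytes, bytes, bytes]:
    """Split a raw HTTP/1.x request into (uri, header block, body).

    Assumption (not stated on the page): the IPS matches --context uri and
    --context body against percent-decoded data, so both are decoded here,
    and the request line is not part of the header context.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    uri = parts[1] if len(parts) >= 2 else b""
    headers = b"\r\n".join(lines[1:])
    return unquote_to_bytes(uri), headers, unquote_to_bytes(body)


def match_signatures(raw: bytes) -> List[str]:
    """Return the names of the posted signatures that fire on one request.

    Each rule is a fast byte-pattern check followed, where the original has
    one, by the PCRE that narrows the hit to a parameter/injection position.
    """
    uri, headers, body = split_request(raw)
    hits: List[str] = []
    if MARKER in uri and URI_PCRE.search(uri):
        hits.append("Bash.Code.Execution.Custom1")
    if MARKER in headers:
        hits.append("Bash.Code.Execution.Custom2")
    if MARKER in body and BODY_PCRE.search(body):
        hits.append("Bash.Code.Execution.Custom3")
    return hits


def build_request(method: bytes, uri: bytes, headers: Dict[bytes, bytes],
                  body: bytes = b"") -> bytes:
    """Assemble a request, adding Content-Length when a body is present."""
    hdrs = dict(headers)
    if body:
        hdrs[b"Content-Length"] = str(len(body)).encode()
    head = b"%s %s HTTP/1.1\r\n" % (method, uri)
    head += b"".join(b"%s: %s\r\n" % kv for kv in hdrs.items())
    return head + b"\r\n" + body


# Constructed sample traffic (not captures from the thread). The probe
# strings only echo a word; the point is where the marker sits.
SAMPLES: Dict[str, bytes] = {
    "benign": build_request(b"GET", b"/index.html",
                            {b"Host": b"example.test",
                             b"User-Agent": b"curl/7.38"}),
    "header": build_request(b"GET", b"/cgi-bin/status",
                            {b"Host": b"example.test",
                             b"User-Agent": b"() { :; }; echo probe"}),
    "uri": build_request(b"GET", b"/cgi-bin/x?a=%28%29%20%7B%20%3A%3B%7D%3B",
                         {b"Host": b"example.test"}),
    "body": build_request(b"POST", b"/cgi-bin/form",
                          {b"Host": b"example.test",
                           b"Content-Type": b"application/x-www-form-urlencoded"},
                          b"name=() { :; }; echo probe"),
    # A JavaScript body contains "() { " but not at a parameter position,
    # so the Custom3 PCRE keeps it from being a false positive.
    "js_body": build_request(b"POST", b"/api",
                             {b"Host": b"example.test",
                              b"Content-Type": b"application/json"},
                             b'{"fn":"function() { return 1; }"}'),
}


def scan_all() -> Dict[str, List[str]]:
    """Run every sample through the signatures; used by the demo and tests."""
    return {name: match_signatures(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_all().items():
        print(f"{name:8s} -> {hits or 'no hit'}")
```

Two caveats worth keeping in mind when deploying either set of rules: the `--context header` rule (Custom2, and all of the FortiGate block above) has no PCRE, so it will also fire on any benign header that happens to contain "() { ", which is the trade-off the refinement in Custom1/Custom3 addresses; and the `--service SSL` variants in the FortiGate block can only see the plaintext when the firewall performs SSL deep inspection on that traffic.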
Apologies for the bad URL, -1 for checking my own work....
I noticed that the Fortiguard site has info on this exploit and that a sig was to be released in the IPS update 5.551. Our FMG & FGTs now have this update but I can't seem to find the signature to enable it. Has anyone else noticed this?
http://www.fortiguard.com/advisory/FG-IR-14-030/
Regards,
Matthew
@Matthew: it was made available in IPS update 5.552
