If you use BASH shell environment
Just an FYI, https://access.redhat.com/security/cve/CVE-2014-6271, I wouldn't say it's as bad as Heartbleed but it's definitely not good.
Regards,
Matthew
Hi Selective,
thanks for the additional sigs, can you provide an explanation or sources for what they are looking for in the client-side traffic?
Tom
I get a lot of hits on the Bash exploit, I am also saving the packets.
Some are just testing but others are trying to download external files to the servers.
The race is on! ;)
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
Also Matthew, I would say this will be worse than Heartbleed. Heartbleed was easy to patch, and affected fewer versions. It's not going to be easy to track down every device on every network and update it, particularly embedded devices which will need firmware updates, and it affects so many versions!
Hi Tom,
> thanks for the additional sigs, can you provide an explanation or sources for what they are looking for in the client-side traffic?

I guess the "pattern" is the same for the signatures above mine, it's only in hex. I got these from Fortinet when asking for them, they released them the same night.
FCNSA, FCNSP
Ah ok, I understand.
I have both on my firewalls now, and the new IPS database, my rules are the ones seeing hits.
One of my hits is shodan.io, so they seem to be effective!
I will review the rule hits and packet logs after the weekend and see what is revealed.
> One of my hits is shodan.io, so they seem to be effective!

I too am getting hit from that domain. About every 15-20 minutes.
IMO you should be aware that in Selective's patterns not only the curly braces are matched but a trailing blank also. I'm not sure why this would be needed but it might match less often with 4 chars than with 3 chars as in teedub's patterns.
decoded:
\x28 = "("
\x29 = ")"
\x20 = " "
\x7b = "{"   -- "() {"
\x20 = " "   -- "() { "
Ede Kernel panic: Aiee, killing interrupt handler!
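To make the difference between the two pattern styles concrete, here is an added example (not code from the thread or from Fortinet): it decodes the hex-escaped pattern quoted above into the literal string "() { ", builds the shorter "() {" variant alongside it, and runs both over a few constructed HTTP header values of the kind an IPS inspects. The header samples, their labels and the `scan` helper are assumptions made up for the example; the hex pattern is the one shown in the post.

```python
import re

# Hex-escaped IPS pattern as quoted in the thread; decodes to "() { "
# (curly brace followed by a trailing blank).
HEX_PATTERN_WITH_BLANK = r"\x28\x29\x20\x7b\x20"
# Constructed for comparison: the same pattern without the trailing blank,
# i.e. the plain "() {" form.
HEX_PATTERN_NO_BLANK = r"\x28\x29\x20\x7b"


def decode_hex_pattern(pattern: str) -> str:
    """Turn a \\xNN-escaped IPS pattern into the literal string it matches."""
    return re.sub(r"\\x([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), pattern)


# Constructed sample header values (label, value). These are made-up test
# inputs, not captured traffic: two scanner-style User-Agent values that
# differ only in the blank after the brace, and two benign headers that
# contain parentheses and braces in ordinary positions.
SAMPLE_HEADERS = [
    ("ua-scanner",  "User-Agent: () { :; }; scanner-marker"),
    ("ua-noblank",  "User-Agent: () {:;}; scanner-marker"),
    ("ua-benign",   "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:32.0) Gecko/20100101"),
    ("ref-benign",  "Referer: http://example.test/page?q=()&style={}"),
]


def scan(headers, pattern_literal: str):
    """Return the labels of the headers whose value contains pattern_literal.

    A plain substring test mirrors what a fixed-byte IPS pattern does; the
    point is only to show which inputs each variant does or does not catch.
    """
    return [label for label, value in headers if pattern_literal in value]


if __name__ == "__main__":
    for name, hex_pat in (("with blank", HEX_PATTERN_WITH_BLANK),
                          ("no blank", HEX_PATTERN_NO_BLANK)):
        literal = decode_hex_pattern(hex_pat)
        print(f"{name}: {literal!r} -> {scan(SAMPLE_HEADERS, literal)}")
```

Running it shows that the variant with the trailing blank catches only the sample that has a space after the brace, while the shorter "() {" form catches both scanner-style samples and still leaves the two benign headers alone. That is the trade-off the post is pointing at: the extra byte makes the pattern more specific, at the cost of missing inputs that omit the blank.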
I had a couple firewalls that received the 5.552 IPS update but I still couldn't find the Bash signature on them. The fix was to manually download the update from the support portal and upload it to the firewall.
> I had a couple firewalls that received the 5.552 IPS update but I still couldn't find the Bash signature on them

Same here; however, if I manually upload the pkg file it states "Error: Firewall has all the updates found in the given file."
@jtfinley
You know what Shodan is right?
If not, check it out, it's cool as. It scans hosts for running services and vulnerabilities, and then lets you search on public IPs for them.
It's expected to receive scans from this domain.
I didn't have any issue with the FortiGuard signatures, all the firewalls I have that are set to autoupdate had the sig, but I manually updated any that hadn't updated to 5.552 using downloaded ones from support.fortinet.com, and they were fine.
I did create custom rules in my sensors to drop traffic matching these sigs, as the built-in rule's default action is alert. Might want to be aware of that!
Also, FireEye has a good article on exploits in the wild:
http://www.fireeye.com/blog/uncategorized/2014/09/shellshock-in-the-wild.html
