Sunday, September 28, 2014

Bashing the Big Bad Bash "shellshock"

Updated: 29/9/2014:  Updated video from SANS

How bad is it? Very.

What happened? Check out the SANS video below:

As of today (28 Sep 2014), the current patch is not adequate, as it only fixes the first problem (CVE-2014-6271) but not the second one (CVE-2014-7169). Vendors are still struggling to fix the second problem (CVE-2014-7169) and 4 other new bugs that have been discovered.

Also, the folks at FireEye have written a very good piece about this, with samples of attack vectors and exploits included. Check out their blog post titled "Shellshock in the wild".

Now, I'm sure by now you have been asked the one million dollar question by your boss or some senior managers:
Are we vulnerable? Can you quickly find out?
Quick is the keyword. You should first check your exposure from the internet.

But how? Ask Google. Look for indications that bash scripts are in use on your website. For example:

filetype:sh OR filetype:bash

If you see URLs with an sh or bash extension, be paranoid. Check those first and disable them. Replace the script with something else, e.g. Perl or Python.

Next, you may want to add a custom signature to your NIPS to detect/stop any potential exploits. Here is a quick Snort signature (taken from Volexity's website):

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Volex - Possible CVE-2014-6271 bash Vulnerability Requested (header) "; flow:established,to_server; content:"() {"; http_header; threshold:type limit, track by_src, count 1, seconds 120; sid:2014092401;)

Or grab the official Snort rules from Snort's website here
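If you have web server logs but no NIPS in front of the server, the same check can be run after the fact. The following is an added example, not code from this post or from Volexity: it looks for the signature's "() {" literal in the Referer and User-Agent fields of Combined Log Format lines and applies the rule's threshold (one alert per source per 120 seconds). The log lines, addresses and the `scan` function name are constructed for illustration, and an access log only records these two headers, so the Snort rule sees more than this does.

```python
import re
from datetime import datetime, timedelta

MARKER = "() {"                   # same literal as the rule's content match
WINDOW = timedelta(seconds=120)   # "threshold: type limit ... count 1, seconds 120"

# Combined Log Format: src ident user [time] "request" status size "referer" "agent"
FIELD = r'"(?P<%s>(?:[^"\\]|\\.)*)"'   # quoted field, tolerating \" escapes
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] ' + FIELD % "request"
    + r' \d{3} \S+ ' + FIELD % "referer" + " " + FIELD % "agent" + "$"
)

# Constructed sample input (documentation addresses, payload body redacted).
SAMPLE_LOG = [
    '198.51.100.7 - - [28/Sep/2014:10:15:32 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "() { <redacted>"',
    '198.51.100.7 - - [28/Sep/2014:10:16:10 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "() { <redacted>" "curl/7.38.0"',
    '203.0.113.20 - - [28/Sep/2014:10:16:11 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [28/Sep/2014:10:17:40 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "() { <redacted>"',
    '203.0.113.20 - - [28/Sep/2014:10:18:00 +0000] "GET /cgi-bin/env.bash HTTP/1.1" 500 0 "-" "() { <redacted>"',
    'this line is not in Combined Log Format',
]

def scan(lines):
    """Return (alerts, suppressed); alerts is a list of (src, time, field)."""
    window_start = {}             # src -> time of the last alert for that source
    alerts, suppressed = [], 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # unparseable line: skipped, not guessed at
        hit = next((f for f in ("referer", "agent") if MARKER in m.group(f)), None)
        if hit is None:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        src = m.group("src")
        start = window_start.get(src)
        if start is not None and ts - start < WINDOW:
            suppressed += 1       # inside the 120 s window for this source
            continue
        window_start[src] = ts
        alerts.append((src, ts.isoformat(), hit))
    return alerts, suppressed

if __name__ == "__main__":
    found, quiet = scan(SAMPLE_LOG)
    for src, when, field in found:
        print(f"possible CVE-2014-6271 attempt from {src} at {when} in {field}")
    print(f"{quiet} further hit(s) suppressed by the threshold")
```

Any source it reports tells you which URLs were probed, which is a good place to start the "check those first" step above.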

Information security folks: If you play this game well, it could be another good business case for you to push for those legacy systems to be updated/upgraded!
