Updated: 29/9/2014: Updated video from SANS
How bad is it? Very.
What happened? Check out the SANS's video below:
As of today (28 Sep 2014), current patch
Also, the folks at Fireye have written a very good piece about this with sample of attack vectors and exploits included. Check out their blog post titled "Shellshock in the wild"
Now, I'm sure by now you have been asked the one million dollar question by your boss or some senior managers:
Are we vulnerable? Can you quickly find out?
Quick is the keyword. You should first check your exposure from the internet.
But how? Ask google. Look for indication of usage of bash script on your website. For example:
filetype:sh OR filetype:bash site:bashing.badbash.com
If you see URLs with sh or bash extension, be paranoid. Check those first and disable them. Replace the script with something else e.g. Perl or Python.
Next, you may want to add a custom signature to your NIPS to detect/stop any potential exploits. Here is a quick snort signature signature (taken from Volecity's website)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:”Volex – Possible CVE-2014-6271 bash Vulnerability Requested (header) “; flow:established,to_server; content:”() {“; http_header; threshold:type limit, track by_src, count 1, seconds 120; sid:2014092401;)
Or grab the official snort rules from snort's website here.
Information security folks: If you play this game well, it could be another good business case for you to push for those legacy systems to be updated/upgraded!
No comments:
Post a Comment