The Bash Vulnerability: Practical Tips to Secure Your Environment
DESCRIPTION
A recently discovered hole in the security of the Bourne-Again Shell (bash) has the majority of Unix/Linux (including OS X) admins sweating bullets. You should be, too - attackers are actively exploiting the vulnerability on unpatched web servers, network services and daemons that use shell scripts with environment variables (this can include network equipment, industrial devices, etc.). So, what can you do to protect your environment? Join us for a live demo covering:
• Insights from Jaime Blasco, Director of AlienVault Labs, on how attackers are exploiting this vulnerability
• Practical tips to minimize your exposure to attack
• How AlienVault USM can detect the bash vulnerability, and alert you of active attacks
TRANSCRIPT
@AlienVault
About AlienVault
AlienVault has unified the security products, intelligence and community essential for mid-sized businesses to defend against
today’s modern threats
Agenda
What is the bash vulnerability?
Practical tips to minimize your exposure to attack
Insights on how attackers are exploiting this vulnerability (with Jaime Blasco, AlienVault Labs Director)
How AlienVault USM can detect the bash vulnerability, and alert you of active attacks (Demo with Victor Obando, systems engineer)
What Is The Bash Vulnerability?
Allows an attacker to inject malicious code inline with a shell command following the definition of an environment variable.
Prior to fixing this vulnerability, bash treated the text that followed a function definition of the form “() { :; };” in an environment variable as commands to execute rather than as a plain text string.
In the case of an HTTP header (something an attacker controls), this vulnerability can be used to compromise the variable definition in the web server itself:
HTTP_USER_AGENT=() { :; }; /bin/eject
curl -H "User-Agent: () { :; }; /bin/eject" http://example.com/
Am I Vulnerable?
Do you have externally facing *nix (Unix, Linux, Mac OS, etc.) servers that utilize the bash shell?
Do you have web applications making calls to the bash shell on these servers with elevated privileges?
Have you neglected to apply your OS vendor’s patch that addresses this vulnerability?
If the answer is YES to any of the questions above, you could be vulnerable…
Non-Server Vulnerabilities
Devices with embedded Linux could potentially be running unpatched bash that is either not supported (a patch will not be released) or near impossible to upgrade:
• Routers
• Switches
• Firewalls
• Other Network Appliances
How To Test If You Are Vulnerable
In the bash shell, enter the following command:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If Your Test Returns This… …Then You’re Not Vulnerable
However, If You See This… …Then You Might Be In Trouble
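The two screenshots the deck relies on can be replaced by a check that reads the probe's output itself, which is what you want when testing more than a handful of hosts. The following is an added example, not code from the AlienVault deck: it runs the deck's own one-liner unchanged and classifies what comes back. The function names classify_probe_output and shellshock_status, the status words and the exit codes are choices made for this example; the marker string "vulnerable" and the echoed "this is a test" are the slide's.

```shell
# Added example (not from the AlienVault deck): wrap the deck's probe for the
# bash environment-variable bug in a function that classifies the output
# instead of relying on a screenshot. The marker "vulnerable" and the text
# "this is a test" come from the slide; function names, status words and
# exit codes are assumptions made for this example. POSIX sh.

# Classify captured probe output. A bash that still imports the function
# definition and executes the trailing command prints "vulnerable" before
# the test line; a patched bash prints only the test line (and may warn on
# stderr that it is ignoring the function definition attempt).
classify_probe_output() {
    case "$1" in
        *vulnerable*)        echo "vulnerable" ;;
        *"this is a test"*)  echo "patched" ;;
        *)                   echo "unknown" ;;
    esac
}

# Run the probe exactly as shown on the slide and classify the result.
# Exit status: 0 patched, 1 vulnerable, 2 no bash on this host,
# 3 unexpected output (for instance a bash that refused to start).
shellshock_status() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 2
    fi
    out=$(env x='() { :;}; echo vulnerable' bash -c "echo this is a test" 2>/dev/null)
    status=$(classify_probe_output "$out")
    echo "$status"
    case "$status" in
        patched)    return 0 ;;
        vulnerable) return 1 ;;
        *)          return 3 ;;
    esac
}

# Usage: print the verdict and make a provisioning script stop on an
# unpatched host.
# shellshock_status || echo "bash on $(hostname) needs the vendor patch" >&2
```

The exit code is the useful part: configuration-management runs and jump-host loops can branch on it without anyone reading output. Note that this probe only exercises the original function-import bug the deck describes; later bash advisories that followed it need their own checks, so the vendor patch level remains the authoritative answer.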
How Do I Defend Myself?
Patch your servers
• Really, this is the easiest, most effective, and the only real way to “fix” this vulnerability
• Supported Ubuntu/Debian (apt-get)
- sudo apt-get update && sudo apt-get install --only-upgrade bash
• Supported CentOS / RedHat / Fedora
- sudo yum update bash
• Apple OS X
- Patch update available from the Apple support site.
• For unsupported operating systems, you will have to update to a supported version first, then apply the patch.
How Do I Defend Myself?
Sanitize your web application’s inputs
• As with defenses against Cross-Site Scripting and SQL injection attacks, make sure that inputs are validated and sanitized.
Disable any calls to bash under elevated privileges
• Obviously, disable any CGIs that make calls to the shell.
Use another shell??
• Probably not the best idea, especially since commands in bash may not translate to other shells.
Attack Vectors
Attackers are exploiting the vulnerability using the following protocols:
- HTTP Headers
- DHCP
- SIP
- Mail (Ex: Qmail, Postfix)
- OpenVPN
- FTP (Ex: Pure-FTPd)
- DNS
Post exploitation
Once the attackers find a way to exploit the vulnerability they download and execute a payload, for example:
- The malware is a Linux ELF executable that makes the infected system join a botnet. It has the following capabilities:
- PING
- GETLOCALIP
- SCANNER
- HOLD
- JUNK (DoS Flood)
- UDP (DoS Flood)
- TCP (DoS Flood)
- KILLATTK
Spotting Shellshock in USM
Threat intelligence
• Malicious Sources added to OTX
• Multiple IDS Signatures Including:
2019231 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in URI
2019232 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in Headers
2019233 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in ClientBody
2019234 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in Client Body 2
2019236 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Version Number
2019237 - ET EXPLOIT Possible CVE-2014-6271 exploit attempt via malicious DHCP ACK - option 15
2019238 - ET EXPLOIT Possible CVE-2014-6271 exploit attempt via malicious DHCP ACK - option 67
Correlation Directives to Detect and Alarm:
Exploitation & Installation, Service Exploit, Bash - CVE-2014-6271
Reconnaissance & Probing, Service Exploit, Bash - CVE-2014-6271
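The ET signatures listed above look for the function-definition prefix in HTTP requests as they cross the wire. The same pattern can be applied after the fact to the web-server access logs you already collect, which is how to find out whether you were probed before the IDS rules were in place. The following is an added example, not part of the deck or of USM: the four combined-format log lines are constructed for the example (the only payload in them is the slide's own /bin/eject), and the function names shellshock_hits, shellshock_sources, count_sample_hits and sample_sources are choices made here.

```shell
# Added example (not from the AlienVault deck or USM): find the "() {"
# function-definition prefix, which every CVE-2014-6271 attempt must carry,
# in web-server access logs. The log lines are constructed for this example;
# the only payload shown is the slide's own "/bin/eject". Combined log
# format: client, ident, user, [time], "request", status, bytes, "referer",
# "user-agent". POSIX sh plus grep/awk/sort.
SAMPLE_LOG='10.0.0.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; /bin/eject"
10.0.0.6 - - [25/Sep/2014:10:01:03 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - - [25/Sep/2014:10:01:04 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 128 "() { :; }; /bin/eject" "curl/7.37.0"
10.0.0.8 - - [25/Sep/2014:10:01:05 +0000] "GET /about HTTP/1.1" 200 900 "-" "Mozilla/5.0 (compatible; {})"'

# Pass through only lines carrying the prefix, wherever it sits in the line
# (request, referer or user-agent). Whitespace between "()" and "{" is
# allowed to vary so a stray tab does not defeat the match; a lone "{}" in an
# ordinary user-agent (last sample line) does not match. stdin -> stdout.
shellshock_hits() {
    grep -E '\(\)[[:space:]]*\{'
}

# Unique client addresses behind the hits, one per line, sorted: the list
# you would hand to blocking, to OTX lookups or to a correlation rule.
shellshock_sources() {
    shellshock_hits | awk '{ print $1 }' | sort -u
}

# Run the pipeline over the constructed sample. For a real server replace
# the printf with, for example, "cat /var/log/apache2/access.log".
count_sample_hits() {
    printf '%s\n' "$SAMPLE_LOG" | shellshock_hits | wc -l | tr -d ' '
}

sample_sources() {
    printf '%s\n' "$SAMPLE_LOG" | shellshock_sources
}
```

One caveat when reading logs rather than live traffic: most servers log the request URI percent-encoded, so an attempt that travelled in the URI (signature 2019231) will appear as %28%29%20%7B and needs decoding before this pattern is applied; headers and the referer and user-agent fields are normally logged as sent.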
Asset Discovery
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
• Host-based Software Inventory
Vulnerability Assessment
• Network Vulnerability Testing
• Remediation Verification
Threat Detection
• Network IDS
• Host IDS
• Wireless IDS
• File Integrity Monitoring
Behavioral Monitoring
• Log Collection
• Netflow Analysis
• Service Availability Monitoring
Security Intelligence
• SIEM Event Correlation
• Incident Response
DEMO TIME!
More Questions?
Email [email protected]
NOW FOR SOME Q&A…
Test Drive AlienVault USM
Download a Free 30-Day Trial
http://www.alienvault.com/free-trial
Try our Product Sandbox
http://www.alienvault.com/live-demo-site