As many of you already know, a critical vulnerability in the popular ‘Bash’ shell and scripting language was recently published.
This vulnerability uses specially crafted environment variables to execute arbitrary code and has remained undiscovered since approximately version 1.13 in 1992. This means that many systems including VMs, appliances, and physical devices may be affected.
Common exploitation vectors include attacks against web servers processing requests via the Common Gateway Interface (CGI); certain sshd configurations using ‘ForceCommand’ can also be exploited.
Although VMware has not yet shown that the Bash vulnerability can be exploited in any of their appliances, many ship with vulnerable Bash versions. As such, VMware has released a KB article detailing which of their products ship with the vulnerable version of Bash, which will be updated as patches are made available.
Integra recommends that you subscribe to this document in order to be notified when fixes are made available. To do this:
- Navigate to the article at http://kb.vmware.com/kb/2090740
- In the right-hand menu “Actions”, select “Subscribe to this Document,” which will allow you to follow updates to this document via RSS in your browser.
- Also be sure to sign up for the mailing list for VMware Security Advisories and Security Alerts at http://lists.vmware.com/mailman/listinfo/security-announce. These lists are updated whenever VMware security patches are released.
While we wait for vendor patches, we also note that technologies that are often already deployed in our data centres can be used to mitigate the Bash Shellshock vulnerability – these technologies include Trend Micro (AV) and F5 (load balancing & application delivery).
To block the majority of Shellshock attacks with Trend Micro Deep Security, please see the following:
- Trend Micro’s Smart Protection Network protects users of Deep Security automatically if it has been updated. Deep Security DPI users can also apply the rule “1006256 – GNU Bash Remote code Execution Vulnerability” to prevent the exploit from occurring. For more information on these solutions, please see Trend’s post on their security intelligence blog: http://blog.trendmicro.com/trendlabs-security-intelligence/bash-vulnerability-shellshock-exploit-emerges-in-the-wild-leads-to-flooder/
- Trend Micro has also released free protection for ShellShock – please see the following: http://apac.trendmicro.com/apac/about-us/newsroom/releases/articles/20140928065236.html
To block the majority of Shellshock attacks with an F5 iRule, you can also use the following:
- Shellshock mitigation with BIG-IP iRules: https://devcentral.f5.com/articles/shellshock-mitigation-with-big-ip-irules
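While the blocking rules and vendor patches are rolled out, existing web server logs can be reviewed for attempts against CGI endpoints. The following Python script is an added example (not code from VMware, Trend Micro or F5, and not the logic of the rules linked above); it assumes Apache/nginx "combined" access logs, and all sample lines are constructed for illustration.

```python
import re

# Bash treats an environment variable whose value begins with "() {" as a
# function definition; vulnerable versions also run whatever follows it.
# CGI copies request headers into environment variables, so this prefix in a
# logged request field marks a probe or an attempt.
FUNC_PREFIX = re.compile(r"\(\)\s*\{")

# Assumed log format: Apache/nginx "combined" (quoted request, referer, agent).
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"'
)

def scan(lines):
    """Return (line_no, ip, field, status) for each logged field with the prefix."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = COMBINED.match(line)
        if not m:
            # Unparseable line: still report it if the prefix occurs anywhere.
            if FUNC_PREFIX.search(line):
                hits.append((no, None, "raw", None))
            continue
        for field in ("request", "referer", "agent"):
            if FUNC_PREFIX.search(m.group(field)):
                hits.append((no, m.group("ip"), field, int(m.group("status"))))
    return hits

# Constructed sample lines (documentation addresses, harmless echo payload).
SAMPLE = [
    '192.0.2.10 - - [26/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [26/Sep/2014:10:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 64 "-" "() { :; }; echo probe"',
    '198.51.100.7 - - [26/Sep/2014:10:01:06 +0000] "GET /cgi-bin/status HTTP/1.1" 404 0 "() { x; }; echo probe" "curl/7.30"',
    '203.0.113.4 - - [26/Sep/2014:10:02:00 +0000] "GET /a?f=() HTTP/1.1" 200 10 "-" "Mozilla/5.0"',
    'truncated entry () { :; }; echo probe',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A hit records an attempt, not a successful compromise; headers that the log format does not capture (cookies, custom headers) will not appear in the results.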
Paul Shuparski-Miller, Systems Engineer, Integra Networks