CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
Trustwave Blog

Shellshock - How Trustwave Has You Covered

Last week the internet blew up with news of an emerging threat called "Shellshock" that has made waves throughout the security community by earning a CVSS score of 10.0, the most severe. As a security practitioner you need to know what Shellshock is, how it works and how to protect your organization from being exploited by it.

The threat level for this vulnerability, also known as GNU Bash CVE-2014-6271 Remote Code Execution Vulnerability, is so high due to the ease by which it can be exploited. In fact, active exploits already are underway. We urge all organizations to do the following:

Identify - Use vulnerability scanners to help determine which systems are vulnerable to known attack vectors.

Patch - Apply all relevant patches from vendors to update Bash, the command-line shell commonly used in Linux, Unix and Mac OS X operating systems.

Protect - Protect systems from attack attempts with security services and technologies, such as web application firewalls.

Trustwave can help protect your organization from attacks attempting to exploit Shellshock. In addition to rules and signatures already built into many of our security services and technologies that protected customers immediately, Trustwave has added new detections and protections-specifically aimed at the Shellshock vulnerability-to a variety of our security offerings.

How Trustwave can help you detect Shellshock:

Trustwave App Scanner (formerly known as Cenzic Hailstorm) includes a new SmartAttack™ detection for the Shellshock remote code execution vulnerability. Update 7.2.230 should have downloaded automatically, but you will need to manually apply the system update. Log on to the web client with your administrator user ID, then go to: Administration » Server settings » System update, and click on "Apply System Update." Once the system restarts, detection is active via Web Server Vulnerabilities SmartAttack.

Trustwave Vulnerability Management (including both internal and external vulnerability scanning) can help detect remotely exploitable instances of the Shellshock vulnerability via the CGI vector when you perform scans using the latest update (see: TrustKeeper Scan Engine Update - September 29, 2014). No action is required to receive this update, as it is applied automatically. Additional support for other attack vectors is planned. For customers looking to see if this vulnerability is present in a scan report, it will be listed as "GNU Bash Shellshock Remote Code Execution Vulnerability."

Trustwave Intrusion Detection features new signatures to help detect the most common types of activity associated with exploiting this vulnerability.

Trustwave SIEM features a new update package ['NU-bash_shellshock_list_update'] customers can download that will install the dynamic list "ShellShock Bash Vulnerability Signature Events," which contains event ID's matching ShellShock signatures from various intrusion detection and intrusion prevention devices. The list can be used in conjunction with event explorer searches, reports and notifications to help identify ShellShock events. This update is available for SIEM LME 1.2.1. SIEM Enterprise/SIEM LME 2.x support is coming shortly, and SIEM OE is available upon request. We plan to release new versions of the update package, which will be available in the TrustKeeper portal or from Trustwave support, as additional signatures are released.

How Trustwave can help you block Shellshock:

Trustwave Web Application Firewall (as well as our Managed Web Application Firewall) already had signatures for "OS Command Injection" attacks to help catch the majority of attack payloads. We've also added a new, specific signature to help detect Shellshock exploit attempts. This signature is part of the 4.33 Rules Update package that should be automatically updated by default if you are running Trustwave Web Application Firewall version 7 or higher. Users running an older version of Trustwave WAF may require some manual updating and can contact Trustwave support for more information.

ModSecurity (open source) Web Application Firewall also provides generic protections for "OS Command Injection" attacks through the free OWASP ModSecurity Core Rule Set (CRS). For those clients who have purchased the Trustwave ModSecurity Commercial Rules feed, we've already updated that with rules to help thwart attempts to exploit this vulnerability.

A final note:

All Trustwave services and products have been tested to determine if they contain the Shellshock vulnerability. Most either do not use or expose the CGI Shell (a common attack vector for this bug is by executing CGI scripts on web servers), have already been patched, or have been tested and it has been determined that the nature of our devices makes exploit unlikely. Of course, customers with specific questions should contact Trustwave support.

Trustwave will continue to monitor this vulnerability and update protections and detections as needed.

Additional Resources:

Latest Trustwave Blogs

The Power of Red and Purple Team Drills in Enhancing Offensive Security Programs

Despite investing in costly security solutions, keeping up with patches, and educating employees about suspicious emails, breaches still occur, leaving many organizations to wonder why they are...

Read More

Balancing Innovation and Security: How Offensive Security Can Help Navigate the Tech Industry’s Dual Challenges

Two of the greatest threats facing technology-focused organizations are their often-quick adoption of new technologies, such as artificial intelligence (AI), without taking security measures into...

Read More

Trustwave Government Solutions (TGS) Salutes New Mexico’s New Cybersecurity Executive Order

New Mexico Governor Michelle Lujan Grisham issued an Executive Order to shore up the state’s cybersecurity readiness and better safeguard sensitive data by conducting a state-wide security assessment...

Read More