Last week the internet blew up with news of an emerging threat called "Shellshock" that has made waves throughout the security community by earning a CVSS score of 10.0, the most severe. As a security practitioner you need to know what Shellshock is, how it works and how to protect your organization from being exploited by it.
The threat level for this vulnerability, also known as GNU Bash CVE-2014-6271 Remote Code Execution Vulnerability, is so high due to the ease by which it can be exploited. In fact, active exploits already are underway. We urge all organizations to do the following:
Identify - Use vulnerability scanners to help determine which systems are vulnerable to known attack vectors.
Patch - Apply all relevant patches from vendors to update Bash, the command-line shell commonly used in Linux, Unix and Mac OS X operating systems.
Protect - Protect systems from attack attempts with security services and technologies, such as web application firewalls.
Trustwave can help protect your organization from attacks attempting to exploit Shellshock. In addition to rules and signatures already built into many of our security services and technologies that protected customers immediately, Trustwave has added new detections and protections-specifically aimed at the Shellshock vulnerability-to a variety of our security offerings.
How Trustwave can help you detect Shellshock:
Trustwave App Scanner (formerly known as Cenzic Hailstorm) includes a new SmartAttack™ detection for the Shellshock remote code execution vulnerability. Update 7.2.230 should have downloaded automatically, but you will need to manually apply the system update. Log on to the web client with your administrator user ID, then go to: Administration » Server settings » System update, and click on "Apply System Update." Once the system restarts, detection is active via Web Server Vulnerabilities SmartAttack.
Trustwave Vulnerability Management (including both internal and external vulnerability scanning) can help detect remotely exploitable instances of the Shellshock vulnerability via the CGI vector when you perform scans using the latest update (see: TrustKeeper Scan Engine Update - September 29, 2014). No action is required to receive this update, as it is applied automatically. Additional support for other attack vectors is planned. For customers looking to see if this vulnerability is present in a scan report, it will be listed as "GNU Bash Shellshock Remote Code Execution Vulnerability."
Trustwave Intrusion Detection features new signatures to help detect the most common types of activity associated with exploiting this vulnerability.
Trustwave SIEM features a new update package ['NU-bash_shellshock_list_update'] customers can download that will install the dynamic list "ShellShock Bash Vulnerability Signature Events," which contains event ID's matching ShellShock signatures from various intrusion detection and intrusion prevention devices. The list can be used in conjunction with event explorer searches, reports and notifications to help identify ShellShock events. This update is available for SIEM LME 1.2.1. SIEM Enterprise/SIEM LME 2.x support is coming shortly, and SIEM OE is available upon request. We plan to release new versions of the update package, which will be available in the TrustKeeper portal or from Trustwave support, as additional signatures are released.
How Trustwave can help you block Shellshock:
Trustwave Web Application Firewall (as well as our Managed Web Application Firewall) already had signatures for "OS Command Injection" attacks to help catch the majority of attack payloads. We've also added a new, specific signature to help detect Shellshock exploit attempts. This signature is part of the 4.33 Rules Update package that should be automatically updated by default if you are running Trustwave Web Application Firewall version 7 or higher. Users running an older version of Trustwave WAF may require some manual updating and can contact Trustwave support for more information.
ModSecurity (open source) Web Application Firewall also provides generic protections for "OS Command Injection" attacks through the free OWASP ModSecurity Core Rule Set (CRS). For those clients who have purchased the Trustwave ModSecurity Commercial Rules feed, we've already updated that with rules to help thwart attempts to exploit this vulnerability.
A final note:
All Trustwave services and products have been tested to determine if they contain the Shellshock vulnerability. Most either do not use or expose the CGI Shell (a common attack vector for this bug is by executing CGI scripts on web servers), have already been patched, or have been tested and it has been determined that the nature of our devices makes exploit unlikely. Of course, customers with specific questions should contact Trustwave support.
Trustwave will continue to monitor this vulnerability and update protections and detections as needed.
Additional Resources: