©Copyright IBM Corporation 2014. All rights reserved. IBM and the IBM logo are trademarks or registered trademarks of the IBM Corporation in the United States, other countries or both. Other company, product or service names may be trademarks or service marks of others.

EXECUTIVE SUMMARY AND

THREAT RESPONSE (FINAL REPORT)

OCTOBER 8, 2014

IBM SHELLSHOCK


Contents

ABOUT SHELLSHOCK/EXECUTIVE OVERVIEW
VULNERABLE SECURITY PRODUCTS MANAGED BY IBM
VULNERABLE IBM PRODUCTS
MSS CUSTOMER IMPACT
ACTIONS MSS HAVE TAKEN
TECHNICAL ANALYSIS
ALERT METRICS
    TOTAL EVENT COUNT BY INDUSTRY
    TOTAL ALERT COUNTS BY DAY
    TYPES OF ATTACK VECTORS SEEN
HOW YOU CAN REMAIN INFORMED
RECOMMENDATIONS/MITIGATION TECHNIQUES
SIGNATURES
    IBM
    CISCO
    MCAFEE
    CHECK POINT
    AKAMAI
    SOURCEFIRE
    PALO ALTO
    FORTINET
    JUNIPER
REFERENCES
    CVEs
    ADDITIONAL
DISCLAIMER


ABOUT SHELLSHOCK/EXECUTIVE OVERVIEW

On September 24, 2014 a vulnerability (CVE-2014-6271) was disclosed in the Bash shell, a UNIX shell widely used on Linux, Solaris and Mac OS systems. This flaw, which has existed for over 20 years, may allow attackers to gain unauthorized access and obtain unauthorized information. The risk is extremely serious due to (1) the ubiquity of Bash, (2) the ease of exploitation, and (3) the ease of automation.

In response to this disclosure, on September 25th, IBM Managed Security Services declared an “Internet Emergency” and raised the Internet threat level to AlertCon 3. The Threat Research Group and the Threat Response Team were engaged in active analysis and reporting, keeping all clients informed of the situation. On the evening of October 2nd, due to the decrease in detected attack activity and the lack of any verified compromises, IBM Managed Security Services lowered the Internet threat level to AlertCon 2. Subsequently, IBM Managed Security Services lowered the threat level back down to AlertCon 1 on the morning of October 8th, bringing the Shellshock threat escalation to an end.

The MSS Threat Research Group has published two papers which contain information applicable to this situation. The attacks being witnessed are very similar to what is detailed in the “MuBot” research paper. The “Shell Command Injection” paper is also relevant. Shellshock is a good example of a growing trend we are seeing on the attacker front called "malware-less" attacks: attackers look to exploit existing functionality rather than risk the malware detection that would thwart their success.

VULNERABLE SECURITY PRODUCTS MANAGED BY IBM

IBM Managed Security Services (MSS) has worked closely with our product partners to assess the 40+ supported security platforms to determine (1) if they are vulnerable and (2) if a patch exists or when a patch will be available. Any platforms that are vulnerable will be scheduled for maintenance and patched in accordance with existing change management practices. If patching is required, clients will be notified via MSS device maintenance Security Advisory Requests.

Platform Update Status:

https://portal.mss.iss.net/mss/downloads.mss?downloadId=P00000005000673&type=standard

Vendor Platform Overview:

https://portal.mss.iss.net/mss/downloads.mss?downloadId=P00000005000676&type=standard


VULNERABLE IBM PRODUCTS

Affected IBM products will be issuing fixes as soon as possible. Please actively monitor both your IBM Support Portal for available fixes and this blog for additional information.

https://www-304.ibm.com/connections/blogs/PSIRT/entry/bash_vulnerable_to_cve_2014_6271_and_cve_2014_7169

MSS CUSTOMER IMPACT

All IBM Managed Security Services customers should now have coverage for this vulnerability through one of the signatures listed in the “Signatures” section of this document. As of this time, we have not received any reports of any verified compromises through the use of this exploit.

Since this vulnerability was disclosed, MSS observed nearly a 1,000% increase in attack signatures across its customer base. The activity reached its peak on September 27th and has been on a steady decline ever since. Attack metrics can be seen in the “Alert Metrics” section below.

ACTIONS MSS HAVE TAKEN

MSS adjusted the focus of the Threat Response Team on September 24 by moving into high vigilance and will remain in this state until this threat is acceptably mitigated.

MSS raised the threat level to AlertCon 2 on September 24 and posted information about this vulnerability and related attacks on the MSS portal. MSS will continue to update this information as the situation changes. MSS subsequently declared the situation an “Internet Emergency” and raised the threat level to AlertCon 3 on September 25 due to the extent of the active exploitation observed and the inclusion of the exploit in the Metasploit toolkit, a simple way for less knowledgeable attackers to exploit vulnerabilities.

IBM is working with product vendors to assess the 40+ supported security platforms to get timetables for patches and signatures. Clients will be notified via MSS device maintenance Security Advisory Requests if patching is required.

MSS is coordinating with IBM CSIRT, PSIRT, X-Force, and ERS teams.

MSS is updating our vulnerability scanners to be able to detect this vulnerability for our customers.

IBM’s MSS Threat Intelligence and Threat Response teams hosted multiple live customer briefings on Shellshock to review the latest updates and will continue to do so as long as required.

XPU 34.091 for IBM products was released on Friday, September 26th. This XPU contains the new signature “HTTP_Bash_Shell_Function_Exec”. This signature is being deployed to all customers in accordance with maintenance policy.

XPU 34.092 for IBM products was released on Wednesday, October 1st. This XPU provides additional signatures to cover new attack vectors (CVE-2014-6277, CVE-2014-6278, CVE-2014-7169) for this disclosure. The new signatures are: DHCP6_Bash_Shell_Function_Exec, DHCP_Bash_Shell_Function_Exec, SIP_Bash_Shell_Function_Exec and SMTP_Bash_Shell_Function_Exec. These signatures are being deployed to all customers in accordance with maintenance policy.

On the evening of October 2nd, due to a decrease in detected attack activity, MSS lowered the threat level to AlertCon 2.

On the morning of October 8, 2014, IBM MSS lowered the Internet threat level to AlertCon 1.

TECHNICAL ANALYSIS

If an environment variable contains a function definition with additional shell commands outside of the function definition, then the additional shell commands will be executed when bash is invoked. Ordinarily, bash runs in the context where the environment variable is defined, which would only allow a user to perform previously authorized activity. However, in the case where environment variables are specified from a different security domain, it is possible to exploit this vulnerability to execute arbitrary shell commands. Likely targets include SSH configurations that use the ForceCommand or similar options, web servers that allow CGI scripts, and DHCP clients that connect to malicious DHCP servers. Apache PHP configurations using mod_php should not be affected. Don't assume that you are not vulnerable just because you don't run SSH, HTTP, or DHCP clients.

You can check whether you are vulnerable by running the following command within the shell you are testing. If “vulnerable” is printed, you are at risk. If not, you are probably not vulnerable.

env X="() { :;} ; echo vulnerable" /bin/bash -c "echo this is a test"

The Shellshock bug can be explained with this example string:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

The first part of the string is env x='() { :;}; echo vulnerable'. Operating normally, this would spawn a sub-process and assign an environment variable a function definition whose body is simply ":;" (a no-op). However, the bug is that Bash does not stop parsing the variable at the closing } and continues on, executing in the sub-process any valid Bash command that follows the }. To trigger the bug, Bash needs to be run after the closing ' with some command; here that trailing command is bash -c "echo this is a test". The trailing command runs at the current user's permission level, but by the time it runs the damage has already been done earlier in the string.
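The check an IDS signature such as HTTP_Bash_Shell_Function_Exec performs can be modelled directly from the explanation above: look for a value that begins with Bash's exported-function marker "() {" and isolate whatever follows the function's closing brace, since that is the text an unpatched Bash would execute. The following is an added example (not IBM's or any vendor's code) that applies this check to constructed HTTP request headers, the CGI vector named above; the header values and the placeholder commands are constructed sample data.

```python
"""Detect Shellshock-style function-definition payloads in untrusted input.

Added example, not IBM's or any vendor's code. It models the check an IDS
signature such as HTTP_Bash_Shell_Function_Exec performs: a value that begins
with Bash's exported-function marker "() {" and carries commands after the
function's closing brace. All sample requests below are constructed.
"""
import re
from typing import Optional

# Unpatched Bash treats a value starting with "() {" as a function export and
# keeps parsing past the closing "}". The regex tolerates extra whitespace,
# as detection signatures generally do.
FUNC_MARKER = re.compile(r"^\s*\(\)\s*\{")


def trailing_commands(value: str) -> Optional[str]:
    """Return the text an unpatched Bash would execute after the function
    body, or None if the value is not a function definition or carries no
    trailing commands. Brace depth is tracked so nested braces are handled."""
    m = FUNC_MARKER.match(value)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(value) and depth:
        depth += {"{": 1, "}": -1}.get(value[i], 0)
        i += 1
    if depth:                       # unbalanced braces: Bash reports a parse error
        return None
    rest = value[i:].strip().lstrip(";").strip()
    return rest or None


def scan_headers(headers: dict) -> dict:
    """Map header name -> injected command for every header carrying a payload.
    CGI copies request headers into the environment as HTTP_* variables, which
    is why any header is a candidate carrier."""
    hits = {}
    for name, value in headers.items():
        cmd = trailing_commands(value)
        if cmd is not None:
            hits[name] = cmd
    return hits


def scan_requests(requests):
    """Scan a list of header dictionaries; one result dict per request."""
    return [scan_headers(h) for h in requests]


# Constructed sample requests: a clean one, one using the page's own benign
# test string, and one with a bare no-op function (nothing to execute) beside
# a nested-brace definition followed by a placeholder command.
SAMPLE_REQUESTS = [
    {"Host": "www.example.com",
     "User-Agent": "Mozilla/5.0 (X11; Linux x86_64)",
     "Cookie": "session=abc123"},
    {"Host": "www.example.com",
     "User-Agent": "() { :;}; echo vulnerable",
     "Referer": "http://www.example.com/"},
    {"Host": "www.example.com",
     "Cookie": "() { :;}",
     "Referer": "() {  x() { :; }; }; echo placeholder"},
]

if __name__ == "__main__":
    for idx, hits in enumerate(scan_requests(SAMPLE_REQUESTS)):
        print(f"request {idx}: {hits or 'clean'}")
```

A bare function definition with nothing after the brace is reported as clean, which matches the page's point that the trailing command is what does the damage.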


ALERT METRICS

TOTAL EVENT COUNT BY INDUSTRY


TOTAL ALERT COUNTS BY DAY

TYPES OF ATTACK VECTORS SEEN

Listed below are the top 5 attack vectors IBM MSS has been tracking.

Email Recon

Multiple Perlbot Variants

Password Retrieval Attempts

Perl Reverse Shell

PHP Exec Attacks


HOW YOU CAN REMAIN INFORMED

IBM X-Force Security Advisory

http://www.iss.net/threats/488.html

MSS Virtual SOC Portal:

https://portal.mss.iss.net/mss/login.mss

IBM Product Support Site:

https://www-304.ibm.com/connections/blogs/PSIRT/entry/bash_vulnerable_to_cve_2014_6271_and_cve_2014_7169

IBM MSS Threat Research:

https://portal.sec.ibm.com/mss/html/en_US/support_resources/threat_papers.html

RECOMMENDATIONS/MITIGATION TECHNIQUES

It is recommended to monitor your distribution and apply updates as they become available. Be vigilant, as initial patches appear to be incomplete. At the time of this writing many of these patches are insufficient and do not fully mitigate the concern. Some web application firewall vendors have coverage for this vulnerability. If you have IBM Managed Web Defense you can request the implementation of the available Web Application Firewall rules.

Vulnerability scanning your entire UNIX/Linux infrastructure will give you a far greater understanding of where to focus your patching efforts. Systems that are susceptible to web-based attacks should be treated as critical until fully patched. QRadar Vulnerability Manager can help identify these hosts and add severity to attacks against the exploit. Documentation on how to set up QVM to detect Shellshock can be found here:

https://www.ibm.com/developerworks/community/forums/html/topic?id=dda03f00-5719-4546-a3b3-330c0da4bd93&ps=25

Command injection attacks have become increasingly popular over the past few years. With Shellshock putting a spotlight on the attack technique, it’s likely that many more applications will be scrutinized for similar holes. It is critically important that you utilize systems such as IDS/IPS to detect and block new attacks based on technique rather than on specific vulnerabilities. This will help you achieve a better proactive stance against unknown vulnerabilities in the future.

Specific IDS/IPS coverage for this vulnerability is detailed in the “Signatures” section below.


SIGNATURES

IBM

HTTP_Bash_Shell_Function_Exec

Shell_Command_Injection

DHCP_Bash_Shell_Function_Exec (Signature has been detected throwing false positives. Being investigated.)

DHCP6_Bash_Shell_Function_Exec

SIP_Bash_Shell_Function_Exec

SMTP_Bash_Shell_Function_Exec

CISCO

Bash Environment Variable Command Injection sig 4689.0

Bash Environment Variable Command Injection sig 4689.1

Bash Environment Variable Command Injection sig 4689.2

Bash Environment Variable Command Injection sig 4689.3

MCAFEE

Apache mod_cgi Bash Environment Variable Code Injection

CHECK POINT

GNU Bash Remote Code Execution

AKAMAI

Rule ID 3000025 - CVE-2014-6271 Bash Command Injection Attack

Rule ID 3000026 - CVE-2014-6271 Bash Command Injection Attack (No args)

SOURCEFIRE

1 31975 OS-OTHER Bash CGI environment variable injection attempt off drop drop

1 31976 OS-OTHER Bash CGI environment variable injection attempt off drop drop

1 31977 OS-OTHER Bash CGI environment variable injection attempt off drop drop

1 31978 OS-OTHER Bash CGI environment variable injection attempt off drop drop

PALO ALTO

Bash Remote Code Execution Vulnerability


FORTINET

Bash.Function.Definitions.Remote.Code.Execution

JUNIPER

HTTP:CGI:BASH-CODE-INJECTION - HTTP: Multiple Products Bash Code Injection Vulnerability

REFERENCES

CVEs

CVE-2014-6271 - The original vulnerability. This vulnerability is easily exploited to allow remote attackers to execute commands of their choice.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

CVE-2014-7169 - The fix for CVE-2014-6271 failed to account for some edge cases. A remote attacker could take advantage of this to cause unintended side effects in a remote process, most likely a crash, but if the attacker had knowledge of the remote process, it may have still been possible to compromise the remote host (although this has not been demonstrated).

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169

CVE-2014-7186 & CVE-2014-7187 - These are additional memory corruption bugs found during continued audit of bash. There's no definitive proof that these are exploitable, but fuzzing results show that the instruction pointer can be set to attacker-supplied values, and bash isn't typically compiled with ASLR or other exploitation mitigation techniques.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7186

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7187

CVE-2014-6277 & CVE-2014-6278 - Michal Zalewski (lcamtuf) has discovered additional vulnerabilities in the bash parser. CVE-2014-6278 is as easy to exploit as the original CVE-2014-6271.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6277

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6278


ADDITIONAL

The currently accepted way to patch these vulnerabilities is to use Florian Weimer's prefix/suffix patch, which places function exports in a separate namespace where they won't be evaluated by the parser. This prevents the attacker-supplied input from being executed in all known cases. Most Linux vendors have accepted this patch and the upstream bash maintainer has also adopted a similar patch. Expect additional (non-security) patches to reconcile the differences.

http://lcamtuf.blogspot.com/2014/09/bash-bug-apply-unofficial-patch-now.html

http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html

Local systems can be tested to determine whether a prefix/suffix patch has been applied using bashcheck from Hanno Böck:

https://github.com/hannob/bashcheck

http://www.openwall.com/lists/oss-security/2014/09/25/13

http://seclists.org/oss-sec/2014/q3/650

http://seclists.org/oss-sec/2014/q3/821

https://access.redhat.com/articles/1200223

https://rhn.redhat.com/errata/RHSA-2014-1306.html

http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00042.html

http://www.ubuntu.com/usn/usn-2364-1/

http://www.forbes.com/sites/jameslyne/2014/09/25/shellshocked-vulnerability-why-you-are-at-risk-and-heartbleed-3-0b/

https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

https://www.invisiblethreat.ca/2014/09/cve-2014-6271/

http://lists.centos.org/pipermail/centos/2014-September/146099.html

https://lists.debian.org/debian-security-announce/2014/msg00220.html


DISCLAIMER

This document is intended to inform clients of IBM Security Services of a threat or discovery by IBM Managed Security Services and measures undertaken or suggested by IBM Security Service Teams to remediate the threat. The data contained herein describing tactics, techniques and procedures is classified Confidential for the benefit of IBM MSS clients only. This information is provided “AS IS,” and without warranty of any kind.