SID 1:31976

Rule Category

OS-OTHER -- Snort has detected traffic targeting vulnerabilities in a non-standard operating system (not Windows, Linux, Solaris, or mobile). This does not include browser traffic or other software on the OS, but attacks against the OS itself.

Alert Message

OS-OTHER Bash CGI environment variable injection attempt

Rule Explanation

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. Impact: CVSS base score 10.0 CVSS impact score 10.0 CVSS exploitability score 10.0 confidentialityImpact COMPLETE integrityImpact COMPLETE availabilityImpact COMPLETE Details: GNU Bash versions through 4.3 process trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi, and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. Recommendations: Upgrade to the latest non-affected version of software and apply the appropriate vendor-supplied patches. Ensure your anti-malware software has up-to-date signatures. The internal host should be checked for potential compromise. Effective use of Cisco Sourcefire Next-Generation Intrusion Prevention System (NGIPS) event actions provides visibility into and protection against attacks that attempt to exploit this vulnerability. The Sourcefire Snort SIDs for this vulnerability are 1:31975 through 1:31978. Talos has added coverage for this vulnerability in the 2014-09-24 release. Effective use of Cisco Intrusion Prevention System (IPS) event actions provides visibility into and protection against attacks that attempt to exploit this vulnerability. The corresponding Signature IDs for Cisco IPS, written for the vulnerability, are 4689/0, 4689/1, 4689/2, and 4689/3 which are included as part of Cisco IPS Signature Update Package S824 (September 24, 2014). Administrators can configure IPS sensors to perform an event action when an attack is detected. The configured event action performs preventive or deterrent controls to help protect against an attack that is attempting to exploit the GNU Bash Environment Variable Command Injection Vulnerability. An IPS device that is not placed inline and configured to drop malicious packets will only alert on attempts to exploit this vulnerability and will not prevent (mitigate) these attempts from becoming successful. Ease of Attack:

What To Look For

This rule will alert when an attempt to exploit a known command injection vulnerability in Bash is detected.

Known Usage

No public information

False Positives

No known false positives

Contributors

Talos research team. This document was generated from data supplied by the national vulnerability database, a product of the national institute of standards and technology. For more information see [nvd].