Shellshocked
Network Box Security Response has been tracking an emerging vulnerability in the common BASH (Bourne-Again SHell). This vulnerability, labelled CVE-2014-6271 (also known as Shellshock), has the capability of being remote exploited. Early reports, and metrics we are seeing, are showing increased scanning activity against this vulnerability, and the first exploits are expected very soon. It is also possible that a network worm (the first we will have seen for some time) may take advantage of this issue.
Network Box Security Response has raised our Security Response Threat Level to 3, and we are closely monitoring the situation. Should we begin to see successful active exploit of this vulnerability, it is likely that we will raise our Threat Level to 4 in the coming hours.
A short summary of the vulnerability is that it affects Unix/Linux/BSD based servers, and involves the bash shell. To successfully exploit the vulnerability, (a) the attacker must be able to set the content of environment variables on the remote system to values of his choosing, and (b) the application hosting those environment variables must then execute the bash shell. This vulnerability exploits an issue in the core bash shell present with the vast majority of unix and linux like operating systems, and often used as the default shell. It is particularly concerning for web applications built on CGI script frameworks (as request headers are packaged into environment variables).
Network Box Security Response has reviewed our threat landscape and has confirmed that the version of bash shell in both NBRS 3 and NBRS 5 appliances is potentially vulnerable. A review of the NBRS-3 platform has identified several possible attack vectors, but all would require Administrative credentials and would only be exploitable from the LAN side. A review of the NBRS-5 platform has not identified any feasible attack vectors.
Nevertheless, for peace of mind, we released out-of-cycle patches for both NBRS-3 and NBRS-5, to detect and block this exploit. Our security response centers have already deployed those patches to all Network Box devices under management.
Regarding potential exploit of protected customer systems, the issue is not so clear. That is a potentially very large attack surface, and this vulnerability is so fundamental that it will be hard to produce signatures to protect vulnerable systems 100%. We do, however, have NBIDPS (Network Box Intrusion Detection and Protection System) signatures for both NBRS-3 and NBRS-5, and WAF+ (Web Application Firewall Plus) signatures for our NBRS-5 WAF+ platform. These are currently finalizing testing and will be PUSHed within the next hour. These signatures provide some protection for the most vulnerable HTTP servers.
Network Box Security Response urges all customers running Unix/Linux/BSD to follow their supplier recommendations and patch appropriately, as a matter of urgency.
We will continue to closely monitor the situation, and update you further should we learn anything new.