©Copyright IBM Corporation 2014. All rights reserved. IBM and the IBM logo are trademarks or registered trademarks of the IBM Corporation in the United States,
other countries or both. Other company, product or service names may be trademarks or service marks of others.
IBM SHELLSHOCK
EXECUTIVE SUMMARY AND THREAT RESPONSE (FINAL REPORT)
OCTOBER 8, 2014
Contents
ABOUT SHELLSHOCK/EXECUTIVE OVERVIEW
VULNERABLE SECURITY PRODUCTS MANAGED BY IBM
VULNERABLE IBM PRODUCTS
MSS CUSTOMER IMPACT
ACTIONS MSS HAVE TAKEN
TECHNICAL ANALYSIS
ALERT METRICS
    TOTAL EVENT COUNT BY INDUSTRY
    TOTAL ALERT COUNTS BY DAY
    TYPES OF ATTACK VECTORS SEEN
HOW YOU CAN REMAIN INFORMED
RECOMMENDATIONS/MITIGATION TECHNIQUES
SIGNATURES
    IBM
    CISCO
    MCAFEE
    CHECK POINT
    AKAMAI
    SOURCEFIRE
    PALO ALTO
    FORTINET
    JUNIPER
REFERENCES
    CVES
    ADDITIONAL
DISCLAIMER
ABOUT SHELLSHOCK/EXECUTIVE OVERVIEW
On September 24, 2014 a vulnerability (CVE-2014-6271) was disclosed in the Bash shell, a UNIX shell widely used on
Linux, Solaris and Mac OS systems. This flaw, which has existed for over 20 years, may allow attackers to
gain unauthorized access and obtain unauthorized information. The risk is extremely serious due to (1) the ubiquity of
Bash, (2) the ease of exploitation, and (3) the ease of automation.
In response to this disclosure, on September 25th, IBM Managed Security Services declared an “Internet
Emergency” and raised the Internet threat level to AlertCon 3. The Threat Research Group and the Threat
Response Team were engaged in active analysis and reporting, keeping all clients informed of the
situation. On the evening of October 2nd, due to the decrease in detected attack activity and the lack of any verified
compromises, IBM Managed Security Services lowered the Internet threat level to AlertCon 2. IBM
Managed Security Services subsequently lowered the threat level back down to AlertCon 1 on the morning of October 8th, bringing
the ShellShock threat escalation to an end.
The MSS Threat Research group has published two papers which contain information applicable to this
situation. The attacks being witnessed are very similar to what is detailed in the “MuBot” research paper.
The “Shell Command Injection” paper is also relevant. Shellshock is a good example of a growing trend we are
seeing on the attacker front called "malware-less" attacks: attackers look to exploit existing functionality
rather than risk the malware detection that would thwart their success.
VULNERABLE SECURITY PRODUCTS MANAGED BY IBM
IBM Managed Security Services (MSS) has worked closely with our product partners to assess the 40+ supported
security platforms to determine (1) if they are vulnerable and (2) if a patch exists or when a patch will be available.
Any platforms that are vulnerable will be scheduled for maintenance, executed in accordance with existing
change management practices. If patching is required, clients will be notified via MSS device maintenance Security
Advisory Requests.
Platform Update Status:
https://portal.mss.iss.net/mss/downloads.mss?downloadId=P00000005000673&type=standard
Vendor Platform Overview:
https://portal.mss.iss.net/mss/downloads.mss?downloadId=P00000005000676&type=standard
VULNERABLE IBM PRODUCTS
Affected IBM products will be issuing fixes as soon as possible. Please actively monitor both your IBM Support
Portal for available fixes and this blog for additional information.
https://www-304.ibm.com/connections/blogs/PSIRT/entry/bash_vulnerable_to_cve_2014_6271_and_cve_2014_7169
MSS CUSTOMER IMPACT
All IBM Managed Security Services customers should now have coverage for this vulnerability through one of the
signatures listed below in the “Signatures” section of this document. As of this time, we have not received any
reports of any verified compromises through the use of this exploit.
Since this vulnerability was disclosed, MSS has observed nearly a 1,000% increase in attack signature alerts across its
customer base. The activity reached its peak on September 27th and has been on a steady decline ever since.
Attack metrics can be seen in the “Alert Metrics” section later in this document.
ACTIONS MSS HAVE TAKEN
MSS adjusted the focus of the Threat Response Team on September 24 by moving into high vigilance and will
remain at this state until this threat is acceptably mitigated.
MSS raised the threat level to AlertCon 2 on September 24 and posted information about this vulnerability and
related attacks on the MSS portal. MSS will continue to update this information as the situation changes. MSS
subsequently declared the situation an “Internet Emergency” and raised the threat level to AlertCon 3 on
September 25 due to the extent of the active exploitation observed and the inclusion of the exploit in the
Metasploit toolkit – a simple way for less knowledgeable hackers to exploit vulnerabilities.
IBM is working with product vendors to assess the supported 40+ security platforms to get timetables for
patches and signatures. Clients will be notified via MSS device maintenance Security Advisory Requests if
patching is required.
MSS is coordinating with IBM CSIRT, PSIRT, X-Force, and ERS teams.
MSS is updating our vulnerability scanners to be able to detect this vulnerability for our customers.
IBM’s MSS Threat Intelligence and Threat Response teams hosted multiple live customer briefings on Shellshock
to review the latest updates and will continue to do so as long as required.
XPU 34.091 for IBM products was released on Friday, September 26th. In this XPU is the new signature
“HTTP_Bash_Shell_Function_Exec”. This signature is being deployed to all customers in accordance with
maintenance policy.
XPU 34.092 for IBM products was released on Wednesday October 1st. This XPU is providing additional
signatures to cover new attack vectors (CVE-2014-6277, CVE-2014-6278, CVE-2014-7169) for this disclosure.
The new signatures are: DHCP6_Bash_Shell_Function_Exec, DHCP_Bash_Shell_Function_Exec,
SIP_Bash_Shell_Function_Exec and SMTP_Bash_Shell_Function_Exec. These signatures are being deployed to
all customers in accordance with maintenance policy.
On the evening of October 2nd, due to a decrease in detected attack activity, MSS lowered the threat level to
AlertCon 2.
The morning of October 8, 2014, IBM MSS decreased the internet threat level down to AlertCon 1.
TECHNICAL ANALYSIS
If an environment variable contains a function definition with additional shell commands outside of the function definition, then the additional shell commands will be executed when bash is invoked. Ordinarily, bash runs in the context where the environment variable is defined, which would only allow a user to perform previously authorized activity. However, where environment variables are specified in a different security domain, it is possible to exploit this vulnerability to execute arbitrary shell commands.

Likely targets include SSH configurations that use the ForceCommand or similar options, web servers that allow CGI scripts, and DHCP clients that connect to malicious DHCP servers. Apache PHP configurations using mod_php should not be affected. Don't assume that you are not vulnerable just because you don't run SSH, HTTP, or DHCP clients.

You can check whether you are vulnerable by running the following command within the shell you are testing. If “vulnerable” is returned, you’re at risk. If not, you are probably not vulnerable.

env X="() { :;} ; echo vulnerable" /bin/bash -c "echo this is a test"
The ShellShock bug can be explained with this example string.

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

The first part of the string is env x='() { :;}; echo vulnerable'. Operating normally, this would spawn a sub-process and assign an environment variable the function body ":;". However, the bug is that Bash does not stop parsing the value at the closing } and goes on to execute, in the sub-process, any valid Bash command that follows the }. To trigger the bug, Bash needs to be run after the last ' with some command. That trailing command runs at the current user's permission level, but the damage was already done earlier in the string.
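The check given above, wrapped so it can be run against any shell binary and its result used programmatically (for example from a fleet inventory script). This is an added example and is not part of the IBM report; it runs the report's own harmless probe string, and the function name probe_bash and the PATH value it supplies to the child shell are assumptions of mine.

```python
"""Run the report's CVE-2014-6271 probe against a shell binary (added example)."""
import shutil
import subprocess

# The harmless probe value from the report: an empty function definition
# followed by a trailing command. A vulnerable bash executes the trailing
# "echo vulnerable" while importing the environment; a patched bash does not.
PROBE_VALUE = "() { :;}; echo vulnerable"
MARKER = "vulnerable"


def probe_bash(shell="bash"):
    """Return a dict describing how `shell` handled the probe, or None if the
    binary cannot be found on PATH.

    vulnerable                 -- True if the trailing command ran
    imported_as_plain_variable -- True if X survived as an ordinary variable
    """
    path = shutil.which(shell)
    if path is None:
        return None
    # Minimal environment: only the probe variable and a PATH (assumed value).
    env = {"X": PROBE_VALUE, "PATH": "/usr/bin:/bin"}
    first = subprocess.run([path, "-c", "echo this is a test"],
                           env=env, capture_output=True, text=True, timeout=10)
    # A patched bash keeps X as a plain string; printing it gives the probe
    # back unchanged. A vulnerable bash would have turned X into a function.
    second = subprocess.run([path, "-c", 'printf "%s" "$X"'],
                            env=env, capture_output=True, text=True, timeout=10)
    return {
        "shell": path,
        "vulnerable": MARKER in first.stdout.splitlines(),
        "imported_as_plain_variable": second.stdout == PROBE_VALUE,
        "stdout": first.stdout,
    }


if __name__ == "__main__":
    result = probe_bash()
    if result is None:
        print("bash not found on PATH")
    else:
        state = "vulnerable" if result["vulnerable"] else "not vulnerable"
        print(f"{result['shell']}: {state}")
```

The second check matters when auditing partially patched hosts: with the later prefix/suffix fix a function-shaped value is imported as an ordinary string, which is the behaviour a fully patched bash should show.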
ALERT METRICS
TOTAL EVENT COUNT BY INDUSTRY
TOTAL ALERT COUNTS BY DAY
TYPES OF ATTACK VECTORS SEEN
Listed below are the top 5 attack vectors IBM MSS has been tracking.
Email Recon
Multiple Perlbot Variants
Password Retrieval Attempts
Perl Reverse Shell
PHP Exec Attacks
HOW YOU CAN REMAIN INFORMED
IBM X-Force Security Advisory
http://www.iss.net/threats/488.html
MSS Virtual SOC Portal:
https://portal.mss.iss.net/mss/login.mss
IBM Product Support Site:
https://www-304.ibm.com/connections/blogs/PSIRT/entry/bash_vulnerable_to_cve_2014_6271_and_cve_2014_7169
IBM MSS Threat Research:
https://portal.sec.ibm.com/mss/html/en_US/support_resources/threat_papers.html
RECOMMENDATIONS/MITIGATION TECHNIQUES
It is recommended to monitor your distribution and apply updates as they become available. Be vigilant as initial
patches appear to be incomplete. At the time of this writing many of these patches are insufficient and do not fully
mitigate the concern. Some web application firewall vendors have coverage for this vulnerability. If you have the
IBM Managed Web Defense you can request the implementation of the available Web Application Firewall rules.
Vulnerability scanning your entire UNIX/Linux infrastructure will give you a far greater understanding of where to focus
your patching efforts. Systems that are susceptible to web-based attacks should remain critical until fully patched.
QRadar Vulnerability Manager can help identify these hosts and add severity to attacks against the exploit.
Documentation on how to set up QVM to detect Shellshock can be found here:
https://www.ibm.com/developerworks/community/forums/html/topic?id=dda03f00-5719-4546-a3b3-330c0da4bd93&ps=25
Command injection attacks have been increasingly popular over the past few years. With shellshock putting a
spotlight on the attack technique, it’s likely that many more applications will be scrutinized looking for similar holes.
It is critically important that you utilize systems such as IDS/IPS to detect and block new attacks based on technique
rather than specific vulnerabilities. This will help you achieve a better proactive stance against unknown
vulnerabilities in the future.
Specific IDS/IPS coverage for this vulnerability is detailed in the “Signatures” section below.
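One way to apply the recommendation above (detect the technique rather than one specific exploit) at the log level, as an added example that is not part of the IBM report: the scanner below reads Apache combined-format access log lines and flags any Referer or User-Agent value carrying the bash function-definition prefix that the HTTP signatures in the next section key on. The log lines, addresses and field names are constructed for this example; the only payload in them is the harmless probe string from the Technical Analysis section.

```python
"""Technique-level detection of bash function-definition prefixes in web
server access logs (added example, not from the IBM report)."""
import re

# Technique indicator rather than a specific exploit: an empty bash function
# definition, "() {", with optional whitespace. Bash itself only treats a
# value beginning with "() {" as a function, but the rule is kept unanchored
# and whitespace-tolerant so spacing variants still surface for review.
FUNCTION_PREFIX = re.compile(r"\(\)\s*\{")

# Apache "combined" log format: client, ident, user, [time], "request",
# status, bytes, "referer", "user-agent". Referer and User-Agent are the two
# CGI-exported headers this format records; other headers (Cookie, Host)
# need an IDS on the wire or a custom LogFormat.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# Constructed sample lines (addresses from the documentation ranges). Lines 3
# and 4 carry the report's harmless probe string in a header; line 2 shows
# that a bare "()" in a URL is not enough to trigger the rule.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [27/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "http://example.com/()" "curl/7.38.0"
198.51.100.7 - - [27/Sep/2014:10:02:11 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"
198.51.100.7 - - [27/Sep/2014:10:02:30 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() {:;}; echo vulnerable" "-"
"""


def is_function_prefix(value):
    """True if a header value contains a bash function-definition prefix."""
    return FUNCTION_PREFIX.search(value) is not None


def scan_log(text):
    """Return one hit per (line, header) pair whose value carries the prefix."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        m = COMBINED.match(line)
        if m is None:
            continue  # unparseable line: skip rather than crash on odd input
        for field in ("referer", "user_agent"):
            if is_function_prefix(m.group(field)):
                hits.append({"line": number, "ip": m.group("ip"),
                             "field": field, "value": m.group(field),
                             "request": m.group("request")})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['ip']} {hit['field']}={hit['value']!r}")
```

A hit on a non-CGI path is still worth triage, since the same request is usually sprayed at many URLs; as the Signatures section notes for the DHCP rule, a pattern this broad can also produce false positives, so treat a hit as a lead for review rather than as a confirmed compromise.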
SIGNATURES
IBM
HTTP_Bash_Shell_Function_Exec
Shell_Command_Injection
DHCP_Bash_Shell_Function_Exec (Signature has been detected throwing false positives. Being investigated.)
DHCP6_Bash_Shell_Function_Exec
SIP_Bash_Shell_Function_Exec
SMTP_Bash_Shell_Function_Exec
CISCO
Bash Environment Variable Command Injection sig 4689.0
Bash Environment Variable Command Injection sig 4689.1
Bash Environment Variable Command Injection sig 4689.2
Bash Environment Variable Command Injection sig 4689.3
MCAFEE
Apache mod_cgi Bash Environment Variable Code Injection
CHECK POINT
GNU Bash Remote Code Execution
AKAMAI
Rule ID 3000025 - CVE-2014-6271 Bash Command Injection Attack
Rule ID 3000026 - CVE-2014-6271 Bash Command Injection Attack (No args)
SOURCEFIRE
1 31975 OS-OTHER Bash CGI environment variable injection attempt off drop drop
1 31976 OS-OTHER Bash CGI environment variable injection attempt off drop drop
1 31977 OS-OTHER Bash CGI environment variable injection attempt off drop drop
1 31978 OS-OTHER Bash CGI environment variable injection attempt off drop drop
PALO ALTO
Bash Remote Code Execution Vulnerability
FORTINET
Bash.Function.Definitions.Remote.Code.Execution
JUNIPER
HTTP:CGI:BASH-CODE-INJECTION - HTTP: Multiple Products Bash Code Injection Vulnerability
REFERENCES
CVES
CVE-2014-6271 - The original vulnerability. This vulnerability is easily exploited to allow remote attackers to
execute commands of their choice.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
CVE-2014-7169 - The fix for CVE-2014-6271 failed to account for some edge cases. A remote attacker could take
advantage of this to cause unintended side effects in a remote process, most likely a crash, but if the attacker had
knowledge of the remote process, it may have still been possible to compromise the remote host (although this has
not been demonstrated).
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169
CVE-2014-7186 & CVE-2014-7187 - These are additional memory corruption bugs found during continued audit of
bash. There's no definitive proof that these are exploitable, but fuzzing results show that the instruction pointer
can be set to attacker-supplied values, and bash isn't typically compiled with ASLR or other exploitation mitigation
techniques.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7186
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7187
CVE-2014-6277 & CVE-2014-6278 - Michal Zalewski (lcamtuf) has discovered additional vulnerabilities in the bash
parser. CVE-2014-6278 is as easy to exploit as the original CVE-2014-6271.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6277
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6278
ADDITIONAL
The currently accepted way to patch these vulnerabilities is to use Florian Weimer's prefix/suffix patch, which places
function exports in a separate namespace where they won't be evaluated by the parser. This prevents the
attacker-supplied input from being executed in all known cases. Most Linux vendors have accepted this patch and the
upstream bash maintainer has also adopted a similar patch. Expect additional (non-security) patches to reconcile
the differences.
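To see what the prefix/suffix patch changes in practice, here is an added example (not part of the report, and not Hanno Böck's bashcheck) that asks the local bash how it names an exported function in the environment and whether a plain environment value shaped like a function definition is still imported as one. The function names, the variable name f and the PATH value handed to the child shell are my own assumptions.

```python
"""Inspect how a patched bash namespaces exported functions (added example)."""
import shutil
import subprocess

# Assumed minimal PATH so that the external `env` command can be found.
BASE_ENV = {"PATH": "/usr/bin:/bin"}


def run_bash(script, extra_env):
    """Run `script` under bash with BASE_ENV plus extra_env; None if no bash."""
    path = shutil.which("bash")
    if path is None:
        return None
    env = {**BASE_ENV, **extra_env}
    return subprocess.run([path, "-c", script], env=env,
                          capture_output=True, text=True, timeout=10).stdout


def exported_function_variable(func="f"):
    """Export a shell function and return the environment variable name bash
    created for it, e.g. "BASH_FUNC_f%%" with the prefix/suffix patch
    (some vendor builds used a "()" suffix instead of "%%")."""
    out = run_bash(f"{func}() {{ :; }}; export -f {func}; env", {})
    if out is None:
        return None
    for line in out.splitlines():
        name, _, _ = line.partition("=")
        if name.startswith("BASH_FUNC_"):
            return name
    return None  # an unpatched bash exports the function as plain "f"


def imports_as_function(var_name, body="() { :; }"):
    """True if bash, handed the environment entry var_name=body, ends up
    with a shell function named f; None if bash is unavailable."""
    script = "declare -F f >/dev/null 2>&1 && echo function || echo variable"
    out = run_bash(script, {var_name: body})
    return None if out is None else out.strip() == "function"


def patch_check():
    """Summarise the patched behaviour: a plain variable must not become a
    function, while the namespaced entry still carries exported functions."""
    name = exported_function_variable("f")
    if name is None:
        return None
    return {
        "export_variable_name": name,
        "plain_value_is_function": imports_as_function("f"),
        "namespaced_value_is_function": imports_as_function(name),
    }


if __name__ == "__main__":
    print(patch_check())
```

The point of the namespace is visible in the two booleans: only entries carrying the BASH_FUNC_ prefix (and the suffix) are parsed as functions, so a CGI or SSH environment variable that an outside party controls, whatever its contents, lands as an inert string.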
http://lcamtuf.blogspot.com/2014/09/bash-bug-apply-unofficial-patch-now.html
http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html
Local systems can be tested to determine whether a prefix/suffix patch has been applied using bashcheck from
Hanno Böck:
https://github.com/hannob/bashcheck
http://www.openwall.com/lists/oss-security/2014/09/25/13
http://seclists.org/oss-sec/2014/q3/650
http://seclists.org/oss-sec/2014/q3/821
https://access.redhat.com/articles/1200223
https://rhn.redhat.com/errata/RHSA-2014-1306.html
http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00042.html
http://www.ubuntu.com/usn/usn-2364-1/
http://www.forbes.com/sites/jameslyne/2014/09/25/shellshocked-vulnerability-why-you-are-at-risk-and-heartbleed-3-0b/
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
https://www.invisiblethreat.ca/2014/09/cve-2014-6271/
http://lists.centos.org/pipermail/centos/2014-September/146099.html
https://lists.debian.org/debian-security-announce/2014/msg00220.html
DISCLAIMER
This document is intended to inform clients of IBM Security Services of a threat or discovery by IBM Managed
Security Services and measures undertaken or suggested by IBM Security Service Teams to remediate the threat.
The data contained herein describing tactics, techniques and procedures is classified Confidential for the benefit of
IBM MSS clients only. This information is provided “AS IS,” and without warranty of any kind.