ShellShock!

Security flaw affecting the whole of BASH, which is about 500m devices worldwide. Bigger than Heartbleed.

Working hard here to fix our estate, get busy people!

http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/

Also, I know that some consumer grade routers and switches also run bash. Does anyone have a manufacturer list for affected network equipment I can start checking against?
 
All ours are affected, SLES 10 and up. Fortunately none of them are hot facing, otherwise that would be 400+ servers needing to be patched.
 
Will it affect Cisco routers that are also DHCP servers? As far as I know DHCP servers may spawn BASH commands for the backend stuff. Nothing from Cisco, so I assume not.

Just checked out my DD-WRT router: echo $SHELL shows it doesn't use BASH at all.
 
Looks like my NAS would potentially be vulnerable (QNAP TS-412), but it's locked away from direct internet access. The rest of my routing hardware looks to be OK.
 
Looking further into Cisco stuff: if running NX-OS, which does run BASH, then it would be vulnerable to Shellshock, but nothing from Cisco on which product lines are affected, just the usual CVE advisory.
 
We are performing a penetration test via our 3rd party to confirm which systems are vulnerable so we can get them patched ASAP, then work through the non-internet-facing servers later on this weekend.
 
Why a 3rd party? It's an easy vulnerability to test for.
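As an added example (not code from the thread), the kind of local self-test being referred to: it exports a function definition with trailing code through the environment and checks whether the installed bash runs that trailing code. It also covers the DD-WRT point above, since $SHELL only tells you the login shell; /bin/sh can still be bash on an appliance, so the helper below checks that too. The sample bash path is an assumption for the usage call.

```shell
#!/bin/sh
# Constructed example: local Shellshock self-test for a host you administer.
# Exit codes: 0 = bash imported the function AND ran the trailing code
# (vulnerable), 1 = patched (only the function body was imported),
# 2 = no usable bash found at the given/default path.
shellshock_check() {
    bash_bin="${1:-$(command -v bash 2>/dev/null)}"
    [ -n "$bash_bin" ] && [ -x "$bash_bin" ] || return 2
    # A patched bash imports x as a function and stops there; an unpatched
    # one keeps parsing and executes the "echo VULNERABLE" that follows.
    out=$(env x='() { :;}; echo VULNERABLE' "$bash_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) return 0 ;;
        *)            return 1 ;;
    esac
}

# $SHELL is only the login shell; check what /bin/sh really is as well,
# because bash sets BASH_VERSION even when invoked as "sh".
sh_is_bash() {
    v=$("${1:-/bin/sh}" -c 'echo "${BASH_VERSION:-}"' 2>/dev/null)
    [ -n "$v" ]
}

# Human-readable summary for one bash binary (default: first bash in PATH).
report() {
    shellshock_check "$1"
    case $? in
        0) echo "${1:-bash}: VULNERABLE - patch this host" ;;
        1) echo "${1:-bash}: patched" ;;
        *) echo "${1:-bash}: bash not found" ;;
    esac
    if sh_is_bash; then
        echo "/bin/sh is bash: the result above applies to scripts run via sh too"
    else
        echo "/bin/sh is not bash (e.g. dash or busybox ash)"
    fi
}

# Usage: run against the default bash and an assumed appliance path.
report
report /opt/appliance/bin/bash
```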
 
It's a full penetration test that is to be done, done every month, and this has been brought forward to today due to the vulnerability.

It has been outsourced, hence the 3rd party performing the test.

I myself have done some tests on internal appliance boxes that are not internet facing, and the IBM Proventia IPS boxes are vulnerable (they run Red Hat Linux).
 
Keep an eye on the IBM PSIRT page and also the support portal for updates, patch due on Monday (although apparently it's not really exploitable on devices).

Also note the XPU update just released, which has the new decode in there, noted here.

Plus the attack is already picked up through the old Shell_Command_Injection signature which has been on devices since 2007, if you've got it enabled ;)
 
Interested to know if your pentest came up with anything that wasn't expected?
 
Be interested if anything was possible with the IBM GX appliance(s), as I'd been told there wasn't an exploit vector on them ;)
 
Pen test came through successfully and none of the internet facing devices were vulnerable to the exploit.

Had a few medium alerts relating to SSL cipher warnings on web servers, but no high alerts that would have needed an urgent fix.
 
Not that you'd be telling us any of the juicy bits if there were any, but if you're only really getting SSL cipher type findings it usually means they couldn't find much ;)

Although I don't like it when testers fill a report with what amounts to a vulnerability scan.
 
Choose a better firm then :p

All internet facing stuff got fixed last week, now it's just cleaning up the rest of the estate. Many of the appliances need to be manually updated....
 
Wasn't talking about me receiving them, more about the practice of people calling it a pen test when all they've done is run Nessus or the like ;)

Have seen it done in the past when I've been asked to look at tests companies have had commissioned, no trouble with the firms I've used in the past or the one I work for :)
 