A recently discovered hole in the security of the Bourne-Again Shell (bash) has the majority of Unix/Linux (including OS X) admins sweating bullets. You should be, too - attackers are actively exploiting the vulnerability on un-patched web servers, network services and daemons that use shell scripts with environment variables (this can include network equipment, industrial devices, etc.). So, what can you do to protect your environment? Join us for a live demo covering: *Insights from Jaime Blasco, Director of AlienVault Labs on how attackers are exploiting this vulnerability *Practical tips to minimize your exposure to attack *How AlienVault USM can detect the bash vulnerability, and alert you of active attacks

2. @AlienVault
About AlienVault
AlienVault has unified the security products, intelligence and
community essential for mid-sized businesses to defend against
today’s modern threats

3. @AlienVault
Agenda
What is the bash vulnerability?
Practical tips to minimize your exposure to attack
Insights on how attackers are exploiting this vulnerability
(with Jaime Blasco, AlienVault Labs Director)
How AlienVault USM can detect the bash vulnerability,
and alert you of active attacks (Demo with victor Obando,
systems engineer)

4. Allows an attacker to inject malicious code inline with a shell command
following the definition of an environmental variable
curl -H "User-Agent: () { :; }; /bin/eject" http://example.com/
@AlienVault
What Is The Bash Vulnerability?
Prior to fixing this vulnerability, variables starting with “() { :; };” were treated
as executable commands rather than text strings.
In the case of a http header (something an attacker controls), this
vulnerability can be used to compromise the variable definition in the web
server itself
HTTP_USER_AGENT=() { :; }; /bin/eject

5. @AlienVault
Am I Vulnerable?
Do you have externally facing *nix (Unix, Linux, Mac OS,
etc) servers that utilize the bash shell?
Do you have web applications making calls to the bash shell
on these servers with elevated privileges?
Have you neglected to apply your OS vendor’s patch that
addresses this vulnerability?
If the answer is YES to any of the questions above, you could
be vulnerable…

6. Non-Server Vulnerabilities
Devices with embedded Linux could potentially be running
unpatched bash that is either not supported (patch will not be
released) or near impossible to upgrade.
@AlienVault
• Routers
• Switches
• Firewalls
• Other Network Appliances

7. @AlienVault
How To Test If You Are Vulnerable
In the bash shell, enter the following command:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

8. @AlienVault
If Your Test Returns This…
…Then You’re Not Vulnerable

9. @AlienVault
However, If You See This…
…Then You Might Be In Trouble

10. How Do I Defend Myself?
Patch your servers
• Really, this is the easiest, most effective, and the only real way to “fix” this
@AlienVault
vulnerability
• Supported Ubuntu/Debian (apt-get)
- sudo apt-get update && sudo apt-get install --only-upgrade bash
• Supported CentOS / RedHat / Fedora
- sudo yum update bash
• Apple OS X
- Patch update available from the Apple support site.
• For unsupported operating systems, you will have to update to a supported
version first, then apply the patch.

11. @AlienVault
How Do I Defend Myself?
Sanitize your web application’s inputs
• Related to defense against Cross-Site Scripting and SQL
injection attacks, make sure that inputs are validated and
sanitized.
Disable any calls to bash under elevated privileges
• Obviously disable any CGIs that make call to the shell
Use another shell??
• Probably not the best idea, especially since commands in bash
may not translate to other shells

12. @AlienVault
Attack Vectors
Attackers are exploiting the vulnerability
using the following protocols:
- HTTP Headers
- DHCP
- SIP
- Mail (Ex: Qmail, Postfix)
- OpenVPN
- FTP (Ex: Pure-FTPd)
- DNS

13. @AlienVault
Post exploitation
Once the attackers find a way to exploit the vulnerability
they download and execute a payload, example:
- The malware is a Linux ELF executable that makes the infected system join a
bonet. It has the following capabilities:
- PING
- GETLOCALIP
- SCANNER
- HOLD
- JUNK (DoS Flood)
- UDP (DoS Flood)
- TCP (DoS Flood)
- KILLATTK

14. @AlienVault
Spotting Shellshock in USM
Malicious Sources added to OTX
Threat intelligence
• Multiple IDS Signatures Including:
2019231 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in URI
2019232 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in Headers
2019233 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in ClientBody
2019234 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in Client Body 2
2019236 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Version Number
2019237 - ET EXPLOIT Possible CVE-2014-6271 exploit attempt via malicious DHCP ACK - option 15
2019238 - ET EXPLOIT Possible CVE-2014-6271 exploit attempt via malicious DHCP ACK - option 67
Correlation Directives to Detect and Alarm:
Exploitation & Installation, Service Exploit, Bash - CVE-2014-6271
Reconnaissance & Probing, Service Exploit, Bash - CVE-2014-6271

15. Asset Discovery
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
• Host-based Software
Inventory
Vulnerability Assessment
• Network Vulnerability Testing
• Remediation Verification
Threat Detection
• Network IDS
• Host IDS
• Wireless IDS
• File Integrity Monitoring
Behavioral Monitoring
• Log Collection
• Netflow Analysis
• Service Availability Monitoring
Security Intelligence
• SIEM Event Correlation
• Incident Response
@AlienVault

16. @AlienVault
DEMO TIME!

17. More Questions?
Email Hello@alienvault.com
NOW FOR SOME Q&A…
Test Drive AlienVault USM
Download a Free 30-Day Trial
http://www.alienvault.com/free-trial
Try our Product Sandbox
http://www.alienvault.com/live-demo-site