[LACNIC/Seguridad] Fwd: TA14-268A: GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271,CVE-2014-7169)
Programa STIC
stic en fundacionsadosky.org.ar
Sun Sep 28 12:02:11 BRT 2014
Hello Herman,
could you give some details about the "bot" that is spreading?
How does it exploit the vulnerability (which commands does it run), how many attacks
did you see and over what time span, from how many distinct sources, etc.
regards,
-ivan
On 26/09/14 13:43, Herman Mereles wrote:
> Dear all,
>
> That is only for the purpose of verifying that a system is vulnerable.
> It is important to clarify that we are now detecting a "sweep"
> looking for vulnerable sites and, in some cases, we have already detected
> a bot spreading by taking advantage of the vulnerability.
>
> Regards
> ---
> On 26/09/14 09:31, Oswaldo Aguirre wrote:
>> certainly, but I imagine that, since there is no variable or
>> pattern that could be instantiated, it does not make much
>> difference; I would use single quotes, I agree on that.
>>
>> in one of the references
>> <http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/>
>> they use single quotes
>>
>> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>>
>> regards
>>
>>
>> On Fri, Sep 26, 2014 at 5:33 AM, Jose Luis Gaspoz <gaspozj en is.com.ar
>> <mailto:gaspozj en is.com.ar>> wrote:
>>
>> Hernán:
>>
>> isn't the type of quotes wrong in the first part of the code
>> that sets the variable? .... they should be single quotes, not
>> double.
>>
>> Regards
>>
>> Ing. Jose Luis Gaspoz
>> Internet Services S.A.
>> Tel: 0342-4565118
>> Cel: 342-5008523
>>
>> *From:* Herman Mereles <mailto:hmereles en senatics.gov.py>
>> *Sent:* Thursday, September 25, 2014 5:32 PM
>> *To:* Security discussion list for networks and information systems
>> of the region <mailto:seguridad en lacnic.net>
>> *Subject:* Re: [LACNIC/Seguridad] Fwd: TA14-268A: GNU Bourne Again
>> Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271,CVE-2014-7169)
>>
>> Raúl, colleagues,
>>
>> This is a bulletin that we have written,
>>
>> Regards
>> ---
>> On 25/09/14 at 16:19, Raul Cabrera wrote:
>>>
>>> From the Schneier on Security blog:
>>>
>>> *“Nasty Vulnerability found in Bash”
>>> (*https://www.schneier.com/blog/archives/2014/09/nasty_vulnerabi.html*)*
>>>
>>> Best regards.
>>>
>>> RAUL EDUARDO CABRERA
>>>
>>> *From:* Seguridad [mailto:seguridad-bounces en lacnic.net] *On behalf
>>> of* Fernando Gont
>>> *Sent:* Thursday, September 25, 2014 04:51 p.m.
>>> *To:* Security discussion list for networks and information systems
>>> of the region
>>> *Subject:* [LACNIC/Seguridad] Fwd: TA14-268A: GNU Bourne Again
>>> Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271,CVE-2014-7169)
>>>
>>> FYI
>>>
>>> -------- Forwarded Message --------
>>> *Subject:* TA14-268A: GNU Bourne Again Shell (Bash) ‘Shellshock’
>>> Vulnerability (CVE-2014-6271,CVE-2014-7169)
>>> *Date:* Thu, 25 Sep 2014 14:10:57 -0500
>>> *From:* US-CERT <mailto:US-CERT en ncas.us-cert.gov>
>>> *Reply-To:* US-CERT en ncas.us-cert.gov <mailto:US-CERT en ncas.us-cert.gov>
>>> *To:* fernando en gont.com.ar <mailto:fernando en gont.com.ar>
>>>
>>> NCCIC / US-CERT
>>>
>>> National Cyber Awareness System:
>>>
>>> *TA14-268A: GNU Bourne Again Shell (Bash) ‘Shellshock’
>>> Vulnerability (CVE-2014-6271,CVE-2014-7169)
>>> <https://www.us-cert.gov/ncas/alerts/TA14-268A>*
>>>
>>> /09/25/2014 12:56 PM EDT/
>>>
>>> Original release date: September 25, 2014
>>>
>>> Systems Affected
>>>
>>> * GNU Bash through 4.3.
>>> * Linux, BSD, and UNIX distributions including but not limited to:
>>> o CentOS 5 through 7
>>> <http://lists.centos.org/pipermail/centos/2014-September/146099.html>
>>> o Debian
>>> <https://lists.debian.org/debian-security-announce/2014/msg00220.html>
>>> o Mac OS X
>>> o Red Hat Enterprise Linux 4 through 7
>>> o Ubuntu 10.04 LTS, 12.04 LTS, and 14.04 LTS
>>> <http://www.ubuntu.com/usn/usn-2362-1/>
>>>
>>> Overview
>>>
>>> A critical vulnerability has been reported in the GNU Bourne
>>> Again Shell (Bash), the common command-line shell used in most
>>> Linux/UNIX operating systems and Apple’s Mac OS X. The flaw could
>>> allow an attacker to remotely execute shell commands by attaching
>>> malicious code in environment variables used by the operating
>>> system [1]
>>> <http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/>.
>>> The United States Department of Homeland Security (DHS) is
>>> releasing this Technical Alert to provide further information
>>> about the GNU Bash vulnerability.
>>>
>>>
>>> Description
>>>
>>> GNU Bash versions 1.14 through 4.3 contain a flaw that processes
>>> commands placed after function definitions in the added
>>> environment variable, allowing remote attackers to execute
>>> arbitrary code via a crafted environment which enables
>>> network-based exploitation. [2
>>> <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271>,
>>> 3 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169>]
>>>
>>> Critical instances where the vulnerability may be exposed
>>> include: [4
>>> <https://access.redhat.com/security/cve/CVE-2014-6271>, 5
>>> <http://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/>]
>>>
>>> * Apache HTTP Server using mod_cgi or mod_cgid scripts that are
>>> either written in bash or spawn subshells.
>>> * Override or bypass of the ForceCommand feature in OpenSSH sshd and
>>> of the limited protection for some Git and Subversion deployments
>>> used to restrict shells, allowing arbitrary command
>>> execution.
>>> * Arbitrary commands run on a DHCP client machine, in
>>> various daemons and in SUID/privileged programs.
>>> * Exploitation of servers and other Unix and Linux devices via Web
>>> requests, secure shell, telnet sessions, or other programs
>>> that use Bash to execute scripts.
>>>
>>>
>>> Impact
>>>
>>> This vulnerability is classified by industry standards as “High”
>>> impact with CVSS Impact Subscore 10 and “Low” on complexity,
>>> which means it takes little skill to perform. This flaw allows
>>> attackers to provide specially crafted environment variables
>>> containing arbitrary commands that can be executed on vulnerable
>>> systems. It is especially dangerous because of the prevalent use
>>> of the Bash shell and its ability to be called by an application
>>> in numerous ways.
>>>
>>>
>>> Solution
>>>
>>> Patches have been released to fix this vulnerability by major
>>> Linux vendors for affected versions. Solutions for CVE-2014-6271
>>> do not completely resolve the vulnerability. It is advised to
>>> install existing patches and pay attention for updated patches to
>>> address CVE-2014-7169.
>>>
>>> Many UNIX-like operating systems, including Linux distributions,
>>> BSD variants, and Apple Mac OS X include Bash and are likely to
>>> be affected. Contact your vendor for updated information. A list
>>> of vendors can be found in CERT Vulnerability Note VU#252743
>>> <http://www.kb.cert.org/vuls/id/252743> [6]
>>> <http://www.kb.cert.org/vuls/id/252743>.
>>>
>>> US-CERT recommends system administrators review the vendor
>>> patches and the NIST Vulnerability Summary for CVE-2014-7169
>>> <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169>,
>>> to mitigate damage caused by the exploit.
>>>
>>>
>>> References
>>>
>>> * Ars Technica, Bug in Bash shell creates big security hole on
>>> anything with *nix in it
>>> <http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/>
>>> * DHS NCSD, Vulnerability Summary for CVE-2014-6271
>>> <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271>
>>> * DHS NCSD, Vulnerability Summary for CVE-2014-7169
>>> <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169>
>>> * Red Hat, CVE-2014-6271
>>> <https://access.redhat.com/security/cve/CVE-2014-6271>
>>> * Red Hat, Bash specially-crafted environment variables code
>>> injection attack
>>> <https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/>
>>> * CERT Vulnerability Note VU#252743
>>> <http://www.kb.cert.org/vuls/id/252743>
>>>
>>>
>>> Revision History
>>>
>>> * September 25, 2014 - Initial Release
>>>
>>> --
>>> Fernando Gont
>>> e-mail: fernando en gont.com.ar <mailto:fernando en gont.com.ar> || fgont en si6networks.com <mailto:fgont en si6networks.com>
>>> PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
>>>
>>> _______________________________________________
>>> Seguridad mailing list
>>> Seguridad en lacnic.net <mailto:Seguridad en lacnic.net>
>>> https://mail.lacnic.net/mailman/listinfo/seguridad
>>
>
>
> --
> Herman Mereles, Director
> Cyber Emergency Response Team (CERT-PY)
> National Secretariat of Information and Communication Technologies
> SENATICs
> Complejo Santos E2 - Gral. Santos 1170 c/ Concordia
> cert en cert.gov.py | +595 21 201014 | +595 21 3276902
> Asunción - Paraguay | www.cert.gov.py
--
ICT Security Program
Fundación Dr. Manuel Sadosky
Av. Córdoba 744 Piso 5 Oficina I
TE/FAX: 4328-5164
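As an added example (not part of the thread or of the US-CERT advisory), the following Python script shows the detection side of the "sweep" Herman describes: it scans Apache combined-format access logs for the bash function-export marker `() {` in the client-controlled fields that a CGI front end copies into environment variables (User-Agent, Referer, request line) before spawning a script. The log lines are constructed, the regex and field names are my own choices, and the marker value reused in the sample is the harmless test string quoted earlier in the thread.

```python
"""Flag Shellshock-style probes in Apache combined-format access logs.

Constructed example, not code from the thread or the advisory. A CGI-backed
web server copies client-controlled request headers into environment
variables (HTTP_USER_AGENT, HTTP_REFERER, ...) before spawning a script; a
vulnerable bash parses any variable whose value begins with the
function-export syntax "() {" and runs what follows it. Looking for that
marker in the logged header fields is therefore a cheap, high-signal check.
"""
import re
from typing import Dict, List

# Apache "combined" LogFormat:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# Bash's exported-function marker: "()" followed by "{", with optional
# whitespace between them. Whatever follows the closing "}" is the injected
# command, so the marker itself is what we alert on.
FUNCTION_EXPORT_RE = re.compile(r'\(\s*\)\s*\{')


def is_bash_function_export(value: str) -> bool:
    """True if a header value would be parsed by vulnerable bash as a function."""
    return FUNCTION_EXPORT_RE.search(value) is not None


def parse_combined_line(line: str) -> Dict[str, str]:
    """Split one combined-format line into its fields (empty dict if malformed)."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else {}


def find_shellshock_probes(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per client-controlled field carrying the marker."""
    findings = []
    for line in lines:
        fields = parse_combined_line(line)
        if not fields:
            continue  # malformed line: skip rather than crash the scan
        # Referer and User-Agent reach CGI scripts verbatim as HTTP_* variables;
        # the request line contributes REQUEST_URI / QUERY_STRING.
        for name in ("user_agent", "referer", "request"):
            if is_bash_function_export(fields[name]):
                findings.append({
                    "source_ip": fields["ip"],
                    "time": fields["time"],
                    "field": name,
                    "value": fields[name],
                })
    return findings


# Constructed sample log lines (not real traffic). Lines 2 and 3 carry the
# harmless test string quoted in the thread in the Referer and User-Agent.
SAMPLE_LOG = [
    '198.51.100.7 - - [26/Sep/2014:09:31:02 -0300] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [26/Sep/2014:09:31:05 -0300] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :;}; echo vulnerable" "curl/7.37.0"',
    '203.0.113.9 - - [26/Sep/2014:09:31:06 -0300] "GET /cgi-bin/status HTTP/1.1" 500 0 "-" "() { :;}; echo vulnerable"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for f in find_shellshock_probes(SAMPLE_LOG):
        print(f"{f['time']} {f['source_ip']} {f['field']}: {f['value']}")
```

Counting findings per source address over a time window answers the kind of question asked at the top of the thread (how many attempts, from how many origins); note that a 200 status on a probed CGI path says nothing about whether the injected command actually ran, so hits still need to be correlated with the host's process or audit logs.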