[LACNIC/Seguridad] Fwd: TA14-268A: GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271,CVE-2014-7169)

Programa STIC stic at fundacionsadosky.org.ar
Sun Sep 28 12:02:11 BRT 2014


Hi Herman,

could you give details about the "bot" that is spreading?

How does it exploit the vulnerability (what commands does it run), how many attacks
did you see and over what period of time, from how many distinct sources, etc.


regards,
-ivan


On 26/09/14 13:43, Herman Mereles wrote:
> Dear all,
> 
> That is only for the purpose of verifying that a system is vulnerable.
> It is important to clarify that we are now detecting a "sweep"
> looking for vulnerable sites and, in some cases, we have already
> detected a bot spreading by exploiting the vulnerability.
> 
> Regards
> ---
> On 26/09/14 09:31, Oswaldo Aguirre wrote:
>> certainly, but I imagine that, since there is no
>> variable or pattern that could be expanded, it does not make much
>> difference; I would use single quotes, I agree on that.
>>
>> in one of the references
>> <http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/>
>> they use single quotes
>>
>> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>>
>> regards
>>
>>
>> On Fri, Sep 26, 2014 at 5:33 AM, Jose Luis Gaspoz <gaspozj at is.com.ar
>> <mailto:gaspozj at is.com.ar>> wrote:
>>
>>     Hernán:
>>
>>     isn't the type of quotes wrong in the first part of the code
>>     that sets the variable? .... they should be single quotes, not
>>     double.
>>
>>     Regards
>>
>>     Ing. Jose Luis Gaspoz
>>     Internet Services S.A.
>>     Tel: 0342-4565118
>>     Cel: 342-5008523
>>      
>>     *From:* Herman Mereles <mailto:hmereles at senatics.gov.py>
>>     *Sent:* Thursday, September 25, 2014 5:32 PM
>>     *To:* Network and information systems security discussion list
>>     for the region <mailto:seguridad at lacnic.net>
>>     *Subject:* Re: [LACNIC/Seguridad] Fwd: TA14-268A: GNU Bourne Again
>>     Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271,CVE-2014-7169)
>>
>>     Raúl, colleagues,
>>
>>     This is a bulletin that we have written.
>>
>>     Regards
>>     ---
>>     On 25/09/14 at 16:19, Raul Cabrera wrote:
>>>
>>>     From the Schneier on Security blog:
>>>
>>>     *“Nasty Vulnerability found in Bash”*
>>>     (https://www.schneier.com/blog/archives/2014/09/nasty_vulnerabi.html)
>>>
>>>     Best regards.
>>>
>>>     RAUL EDUARDO CABRERA
>>>
>>>
>>>     *From:* Seguridad [mailto:seguridad-bounces at lacnic.net] *On behalf
>>>     of* Fernando Gont
>>>     *Sent:* Thursday, September 25, 2014 04:51 p.m.
>>>     *To:* Network and information systems security discussion list
>>>     for the region
>>>     *Subject:* [LACNIC/Seguridad] Fwd: TA14-268A: GNU Bourne Again
>>>     Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271,CVE-2014-7169)
>>>
>>>     FYI
>>>
>>>
>>>
>>>     -------- Forwarded Message --------
>>>     *Subject:* TA14-268A: GNU Bourne Again Shell (Bash) ‘Shellshock’
>>>     Vulnerability (CVE-2014-6271,CVE-2014-7169)
>>>     *Date:* Thu, 25 Sep 2014 14:10:57 -0500
>>>     *From:* US-CERT <mailto:US-CERT at ncas.us-cert.gov>
>>>     *Reply-To:* US-CERT at ncas.us-cert.gov <mailto:US-CERT at ncas.us-cert.gov>
>>>     *To:* fernando at gont.com.ar <mailto:fernando at gont.com.ar>
>>>
>>>     NCCIC / US-CERT
>>>     National Cyber Awareness System:
>>>
>>>     *TA14-268A: GNU Bourne Again Shell (Bash) ‘Shellshock’
>>>     Vulnerability (CVE-2014-6271,CVE-2014-7169)
>>>     <https://www.us-cert.gov/ncas/alerts/TA14-268A>*
>>>
>>>     /09/25/2014 12:56 PM EDT/
>>>
>>>     Original release date: September 25, 2014
>>>
>>>
>>>           Systems Affected
>>>
>>>       * GNU Bash through 4.3.
>>>       * Linux, BSD, and UNIX distributions including but not limited to:
>>>
>>>           o CentOS 5 through 7
>>>             <http://lists.centos.org/pipermail/centos/2014-September/146099.html>
>>>           o Debian
>>>             <https://lists.debian.org/debian-security-announce/2014/msg00220.html>
>>>           o Mac OS X
>>>           o Red Hat Enterprise Linux 4 through 7
>>>           o Ubuntu 10.04 LTS, 12.04 LTS, and 14.04 LTS
>>>             <http://www.ubuntu.com/usn/usn-2362-1/>
>>>
>>>
>>>           Overview
>>>
>>>     A critical vulnerability has been reported in the GNU Bourne
>>>     Again Shell (Bash), the common command-line shell used in most
>>>     Linux/UNIX operating systems and Apple’s Mac OS X. The flaw could
>>>     allow an attacker to remotely execute shell commands by attaching
>>>     malicious code in environment variables used by the operating
>>>     system [1]
>>>     <http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/>.
>>>     The United States Department of Homeland Security (DHS) is
>>>     releasing this Technical Alert to provide further information
>>>     about the GNU Bash vulnerability.
>>>
>>>
>>>           Description
>>>
>>>     GNU Bash versions 1.14 through 4.3 contain a flaw that processes
>>>     commands placed after function definitions in the added
>>>     environment variable, allowing remote attackers to execute
>>>     arbitrary code via a crafted environment which enables
>>>     network-based exploitation. [2
>>>     <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271>,
>>>     3 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169>]
>>>
>>>     Critical instances where the vulnerability may be exposed
>>>     include: [4
>>>     <https://access.redhat.com/security/cve/CVE-2014-6271>, 5
>>>     <http://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/>]
>>>
>>>       * Apache HTTP Server using mod_cgi or mod_cgid scripts that are
>>>         either written in Bash or spawn subshells.
>>>       * Override or bypass of the ForceCommand feature in OpenSSH sshd,
>>>         and of the limited protection for some Git and Subversion
>>>         deployments used to restrict shells, allowing arbitrary command
>>>         execution.
>>>       * Arbitrary commands run on a DHCP client machine, in various
>>>         daemons, and in SUID/privileged programs.
>>>       * Exploitation of servers and other Unix and Linux devices via Web
>>>         requests, secure shell, telnet sessions, or other programs
>>>         that use Bash to execute scripts.
>>>
>>>
>>>           Impact
>>>
>>>     This vulnerability is classified by industry standards as “High”
>>>     impact with CVSS Impact Subscore 10 and “Low” on complexity,
>>>     which means it takes little skill to perform. This flaw allows
>>>     attackers to provide specially crafted environment variables
>>>     containing arbitrary commands that can be executed on vulnerable
>>>     systems. It is especially dangerous because of the prevalent use
>>>     of the Bash shell and its ability to be called by an application
>>>     in numerous ways.
>>>
>>>
>>>           Solution
>>>
>>>     Patches have been released to fix this vulnerability by major
>>>     Linux vendors for affected versions. Solutions for CVE-2014-6271
>>>     do not completely resolve the vulnerability. It is advised to
>>>     install existing patches and pay attention for updated patches to
>>>     address CVE-2014-7169.
>>>
>>>     Many UNIX-like operating systems, including Linux distributions,
>>>     BSD variants, and Apple Mac OS X include Bash and are likely to
>>>     be affected. Contact your vendor for updated information. A list
>>>     of vendors can be found in CERT Vulnerability Note VU#252743
>>>     <http://www.kb.cert.org/vuls/id/252743> [6]
>>>     <http://www.kb.cert.org/vuls/id/252743>.
>>>
>>>     US-CERT recommends system administrators review the vendor
>>>     patches and the NIST Vulnerability Summary for CVE-2014-7169
>>>     <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169>,
>>>     to mitigate damage caused by the exploit.
>>>
>>>
>>>           References
>>>
>>>       * Ars Technica, Bug in Bash shell creates big security hole on
>>>         anything with *nix in it;
>>>         <http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/>
>>>
>>>       * DHS NCSD; Vulnerability Summary for CVE-2014-6271
>>>         <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271>
>>>       * DHS NCSD; Vulnerability Summary for CVE-2014-7169
>>>         <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169>
>>>       * Red Hat, CVE-2014-6271
>>>         <https://access.redhat.com/security/cve/CVE-2014-6271>
>>>       * Red Hat, Bash specially-crafted environment variables code
>>>         injection attack
>>>         <https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/>
>>>
>>>       * CERT Vulnerability Note VU#252743
>>>         <http://www.kb.cert.org/vuls/id/252743>
>>>
>>>
>>>           Revision History
>>>
>>>       * September 25, 2014 - Initial Release
>>>
>>>     -- 
>>>     Fernando Gont
>>>     e-mail: fernando en gont.com.ar <mailto:fernando en gont.com.ar> || fgont en si6networks.com <mailto:fgont en si6networks.com>
>>>     PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
>>>     _______________________________________________
>>>     Seguridad mailing list
>>>     Seguridad en lacnic.net <mailto:Seguridad en lacnic.net>
>>>     https://mail.lacnic.net/mailman/listinfo/seguridad
> 
> 
> -- 
> Herman Mereles, Director
> Cyber Emergency Response Team (CERT-PY)
> Secretaría Nacional de Tecnologías de la Información y Comunicación
> SENATICs
> Complejo Santos E2 - Gral. Santos 1170 c/ Concordia
> cert at cert.gov.py | +595 21 201014 | +595 21 3276902
> Asunción - Paraguay | www.cert.gov.py
> 
> 
> 


-- 
ICT Security Program (Programa de Seguridad en TIC)
Fundación Dr. Manuel Sadosky
Av. Córdoba 744 Piso 5 Oficina I
TEL/FAX: 4328-5164
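The thread quotes the one-line probe for CVE-2014-6271 and mentions sweeps for vulnerable sites, but neither the messages nor the US-CERT alert show how to turn that into a repeatable check or a log search. The script below is an added example, not code from any of the participants or from US-CERT. It assumes only a POSIX shell, grep, env, mktemp and a bash binary on PATH; the access-log lines in it are constructed for the example (documentation address ranges from RFC 5737) and are not the traffic CERT-PY observed. It wraps the quoted probe in a function that reports "vulnerable" or "patched" for the local bash, and adds a matcher for the "() {" function-definition prefix that the scanning requests carry in HTTP header fields such as User-Agent, Referer or Cookie, run over an Apache combined-format log.

```shell
#!/bin/sh
# Added example for this thread; not code from the original messages or
# from the US-CERT alert. Assumes a POSIX shell, grep, env, mktemp and a
# bash binary on PATH. Sample log lines below are constructed.

# Local check for CVE-2014-6271 using the probe quoted in the thread.
# A vulnerable bash imports the function definition from the environment
# and keeps executing the trailing "echo vulnerable"; a patched bash only
# runs the -c command. Prints "vulnerable", "patched" or "missing".
check_cve_2014_6271() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo missing
        return 0
    fi
    out="$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo test' 2>/dev/null || true)"
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Detection side: the sweeps described in the thread arrive as HTTP
# header values that begin with the bash function-definition prefix
# "() {". Exit status 0 when the line carries that prefix, 1 otherwise.
# Whitespace between ")" and "{" is allowed because probes vary it.
is_shellshock_probe() {
    printf '%s\n' "$1" | grep -Eq '\(\)[[:space:]]*\{'
}

# Count probe lines in an access log (Apache combined format assumed)
# and print the number. The whole line is scanned because the payload
# can sit in any header field the server logs (User-Agent, Referer,
# Cookie), not just one column.
count_probes_in_log() {
    n=0
    while IFS= read -r line; do
        if is_shellshock_probe "$line"; then n=$((n + 1)); fi
    done < "$1"
    echo "$n"
}

# Constructed sample log: two probe lines (one in User-Agent, one in
# Referer) and one ordinary request.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [26/Sep/2014:10:02:11 -0300] "GET /cgi-bin/test.cgi HTTP/1.1" 200 12 "-" "() { :;}; /bin/id"
198.51.100.7 - - [26/Sep/2014:10:02:15 -0300] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.3 - - [26/Sep/2014:10:03:01 -0300] "GET /cgi-bin/status HTTP/1.1" 404 210 "() { test;};/bin/uname -a" "-"
EOF

# Usage when run directly:  sh shellshock_check.sh
echo "local bash: $(check_cve_2014_6271)"
echo "probe lines in $SAMPLE_LOG: $(count_probes_in_log "$SAMPLE_LOG")"
```

The local check only covers CVE-2014-6271; a bash that reports "patched" here may still need the follow-up fix for CVE-2014-7169 that the alert refers to, so confirm the installed package version against your vendor's advisory rather than relying on this probe alone. Point count_probes_in_log at a real access log to get the per-file count; grouping the matching lines by client address gives the "how many distinct sources" figure asked for in the thread.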



More information about the Seguridad mailing list