SlideShare a Scribd company logo

The bash vulnerability practical tips to secure your environment

Download as PPTX, PDF
AlienVault, profile picture
AlienVault

The document discusses the Bash vulnerability allowing attackers to inject malicious code via environment variables, especially affecting mid-sized businesses with web applications. It outlines the importance of patching servers, sanitizing inputs, and disabling elevated privileges calls to Bash to defend against this threat. Additionally, it provides testing methods for vulnerability detection and recommendations for using AlienVault's USM for monitoring and protection.

Technology
1 of 17
Downloaded 37 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
The bash vulnerability practical tips to secure your environment
@AlienVault About AlienVault AlienVault has unified the security products, intelligence and community essential for mid-sized businesses to defend against today’s modern threats
@AlienVault Agenda What is the bash vulnerability? Practical tips to minimize your exposure to attack Insights on how attackers are exploiting this vulnerability (with Jaime Blasco, AlienVault Labs Director) How AlienVault USM can detect the bash vulnerability, and alert you of active attacks (Demo with victor Obando, systems engineer)
Allows an attacker to inject malicious code inline with a shell command following the definition of an environmental variable curl -H "User-Agent: () { :; }; /bin/eject" http://example.com/ @AlienVault What Is The Bash Vulnerability? Prior to fixing this vulnerability, variables starting with “() { :; };” were treated as executable commands rather than text strings. In the case of a http header (something an attacker controls), this vulnerability can be used to compromise the variable definition in the web server itself HTTP_USER_AGENT=() { :; }; /bin/eject
@AlienVault Am I Vulnerable? Do you have externally facing *nix (Unix, Linux, Mac OS, etc) servers that utilize the bash shell? Do you have web applications making calls to the bash shell on these servers with elevated privileges? Have you neglected to apply your OS vendor’s patch that addresses this vulnerability? If the answer is YES to any of the questions above, you could be vulnerable…
Non-Server Vulnerabilities Devices with embedded Linux could potentially be running unpatched bash that is either not supported (patch will not be released) or near impossible to upgrade. @AlienVault • Routers • Switches • Firewalls • Other Network Appliances
@AlienVault How To Test If You Are Vulnerable In the bash shell, enter the following command: env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
@AlienVault If Your Test Returns This… …Then You’re Not Vulnerable
@AlienVault However, If You See This… …Then You Might Be In Trouble
How Do I Defend Myself? Patch your servers • Really, this is the easiest, most effective, and the only real way to “fix” this @AlienVault vulnerability • Supported Ubuntu/Debian (apt-get) - sudo apt-get update && sudo apt-get install --only-upgrade bash • Supported CentOS / RedHat / Fedora - sudo yum update bash • Apple OS X - Patch update available from the Apple support site. • For unsupported operating systems, you will have to update to a supported version first, then apply the patch.
@AlienVault How Do I Defend Myself? Sanitize your web application’s inputs • Related to defense against Cross-Site Scripting and SQL injection attacks, make sure that inputs are validated and sanitized. Disable any calls to bash under elevated privileges • Obviously disable any CGIs that make call to the shell Use another shell?? • Probably not the best idea, especially since commands in bash may not translate to other shells
@AlienVault Attack Vectors Attackers are exploiting the vulnerability using the following protocols: - HTTP Headers - DHCP - SIP - Mail (Ex: Qmail, Postfix) - OpenVPN - FTP (Ex: Pure-FTPd) - DNS
@AlienVault Post exploitation Once the attackers find a way to exploit the vulnerability they download and execute a payload, example: - The malware is a Linux ELF executable that makes the infected system join a bonet. It has the following capabilities: - PING - GETLOCALIP - SCANNER - HOLD - JUNK (DoS Flood) - UDP (DoS Flood) - TCP (DoS Flood) - KILLATTK
@AlienVault Spotting Shellshock in USM Malicious Sources added to OTX Threat intelligence • Multiple IDS Signatures Including: 2019231 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in URI 2019232 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in Headers 2019233 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in ClientBody 2019234 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in Client Body 2 2019236 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Version Number 2019237 - ET EXPLOIT Possible CVE-2014-6271 exploit attempt via malicious DHCP ACK - option 15 2019238 - ET EXPLOIT Possible CVE-2014-6271 exploit attempt via malicious DHCP ACK - option 67 Correlation Directives to Detect and Alarm: Exploitation & Installation, Service Exploit, Bash - CVE-2014-6271 Reconnaissance & Probing, Service Exploit, Bash - CVE-2014-6271
Asset Discovery • Active Network Scanning • Passive Network Scanning • Asset Inventory • Host-based Software Inventory Vulnerability Assessment • Network Vulnerability Testing • Remediation Verification Threat Detection • Network IDS • Host IDS • Wireless IDS • File Integrity Monitoring Behavioral Monitoring • Log Collection • Netflow Analysis • Service Availability Monitoring Security Intelligence • SIEM Event Correlation • Incident Response @AlienVault
@AlienVault DEMO TIME!
More Questions? Email Hello@alienvault.com NOW FOR SOME Q&A… Test Drive AlienVault USM Download a Free 30-Day Trial http://www.alienvault.com/free-trial Try our Product Sandbox http://www.alienvault.com/live-demo-site

More Related Content

PDF
Shellshock bug
Raashid Muhammed
 
PDF
Getting root with benign app store apps
Csaba Fitzl
 
PPTX
[Wroclaw #7] Security test automation
OWASP
 
PDF
Getting root with benign app store apps vsecurityfest
Csaba Fitzl
 
PDF
Open Source Incidents
Cybera Inc.
 
PDF
[Wroclaw #7] Why So Serial?
OWASP
 
PPTX
Apache Struts2 CVE-2017-5638
Riyaz Walikar
 
PDF
Continuous Security: From tins to containers - now what!
Michael Man
 
Shellshock bug
Raashid Muhammed
 
Getting root with benign app store apps
Csaba Fitzl
 
[Wroclaw #7] Security test automation
OWASP
 
Getting root with benign app store apps vsecurityfest
Csaba Fitzl
 
Open Source Incidents
Cybera Inc.
 
[Wroclaw #7] Why So Serial?
OWASP
 
Apache Struts2 CVE-2017-5638
Riyaz Walikar
 
Continuous Security: From tins to containers - now what!
Michael Man
 

What's hot (8)

PPTX
Detecting virtual machine co residency in cloud computing with active traffic...
James A. Savage
 
PDF
CyberSEED: Virtual Machine Introspection to Detect and Protect
Tamas K Lengyel
 
PDF
Exploiting Directory Permissions on macOS
Csaba Fitzl
 
PPT
[HackInTheBox] Breaking virtualization by any means
Moabi.com
 
PDF
CSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CanSecWest
 
PDF
How to convince a malware to avoid us
Csaba Fitzl
 
PDF
Metasploit primary
n|u - The Open Security Community
 
PDF
44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON
 
Detecting virtual machine co residency in cloud computing with active traffic...
James A. Savage
 
CyberSEED: Virtual Machine Introspection to Detect and Protect
Tamas K Lengyel
 
Exploiting Directory Permissions on macOS
Csaba Fitzl
 
[HackInTheBox] Breaking virtualization by any means
Moabi.com
 
CSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CanSecWest
 
How to convince a malware to avoid us
Csaba Fitzl
 
Metasploit primary
n|u - The Open Security Community
 
44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON
 
Ad

Similar to The bash vulnerability practical tips to secure your environment (20)

PDF
Shellshock - A Software Bug
vwchu
 
PDF
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
Felipe Prado
 
PDF
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Chong-Kuan Chen
 
PPTX
The Veil-Framework
VeilFramework
 
PDF
Breaking Antivirus Software - Joxean Koret (SYSCAN 2014)
Akmal Hisyam
 
PDF
Breaking av software
Joxean Koret
 
PDF
Breaking av software
Thomas Pollet
 
PDF
Breaking Antivirus Software
rahmanprojectd
 
PPTX
Testing Terraform
Nathen Harvey
 
PPT
AntiRE en Masse
Kurt Baumgartner
 
PDF
Secure Programming And Common Errors[Michele Orru Dec 2008]
Michele Orru'
 
PPTX
Node.js kubernetes-cloud all the buzzwords coming together with microsoft azure
Patriek van Dorp
 
PDF
Commix Detecting And Exploiting.pdf
ssuser387cf0
 
PPTX
BH Arsenal '14 TurboTalk: The Veil-framework
VeilFramework
 
PPTX
July Patch Tuesday 2019
Ivanti
 
PDF
Ceh v5 module 11 hacking webservers
Vi Tính Hoàng Nam
 
PDF
PVS-Studio Static Analyzer as a Tool for Protection against Zero-Day Vulnerab...
Andrey Karpov
 
PPTX
Travis CI - PHP
Adam Englander
 
PDF
Serverless security: defense against the dark arts
Yan Cui
 
PPT
Zerovm backgroud
UT, San Antonio
 
Shellshock - A Software Bug
vwchu
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
Felipe Prado
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Chong-Kuan Chen
 
The Veil-Framework
VeilFramework
 
Breaking Antivirus Software - Joxean Koret (SYSCAN 2014)
Akmal Hisyam
 
Breaking av software
Joxean Koret
 
Breaking av software
Thomas Pollet
 
Breaking Antivirus Software
rahmanprojectd
 
Testing Terraform
Nathen Harvey
 
AntiRE en Masse
Kurt Baumgartner
 
Secure Programming And Common Errors[Michele Orru Dec 2008]
Michele Orru'
 
Node.js kubernetes-cloud all the buzzwords coming together with microsoft azure
Patriek van Dorp
 
Commix Detecting And Exploiting.pdf
ssuser387cf0
 
BH Arsenal '14 TurboTalk: The Veil-framework
VeilFramework
 
July Patch Tuesday 2019
Ivanti
 
Ceh v5 module 11 hacking webservers
Vi Tính Hoàng Nam
 
PVS-Studio Static Analyzer as a Tool for Protection against Zero-Day Vulnerab...
Andrey Karpov
 
Travis CI - PHP
Adam Englander
 
Serverless security: defense against the dark arts
Yan Cui
 
Zerovm backgroud
UT, San Antonio
 
Ad

More from AlienVault (20)

PPTX
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
AlienVault
 
PDF
Malware Invaders - Is Your OS at Risk?
AlienVault
 
PPTX
How to Solve Your Top IT Security Reporting Challenges with AlienVault
AlienVault
 
PPTX
Simplify PCI DSS Compliance with AlienVault USM
AlienVault
 
PDF
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
AlienVault
 
PDF
Insider Threat Detection Recommendations
AlienVault
 
PPTX
Alienvault threat alerts in spiceworks
AlienVault
 
PDF
Open Source IDS Tools: A Beginner's Guide
AlienVault
 
PPTX
Malware detection how to spot infections early with alien vault usm
AlienVault
 
PDF
Security operations center 5 security controls
AlienVault
 
PDF
PCI DSS Implementation: A Five Step Guide
AlienVault
 
PPTX
Improve threat detection with hids and alien vault usm
AlienVault
 
PDF
The State of Incident Response - INFOGRAPHIC
AlienVault
 
PPTX
Incident response live demo slides final
AlienVault
 
PPTX
Improve Situational Awareness for Federal Government with AlienVault USM
AlienVault
 
PPTX
Improve Security Visibility with AlienVault USM Correlation Directives
AlienVault
 
PPTX
How Malware Works
AlienVault
 
PPTX
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
AlienVault
 
PPTX
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
AlienVault
 
PPTX
AWS Security Best Practices for Effective Threat Detection & Response
AlienVault
 
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
AlienVault
 
Malware Invaders - Is Your OS at Risk?
AlienVault
 
How to Solve Your Top IT Security Reporting Challenges with AlienVault
AlienVault
 
Simplify PCI DSS Compliance with AlienVault USM
AlienVault
 
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
AlienVault
 
Insider Threat Detection Recommendations
AlienVault
 
Alienvault threat alerts in spiceworks
AlienVault
 
Open Source IDS Tools: A Beginner's Guide
AlienVault
 
Malware detection how to spot infections early with alien vault usm
AlienVault
 
Security operations center 5 security controls
AlienVault
 
PCI DSS Implementation: A Five Step Guide
AlienVault
 
Improve threat detection with hids and alien vault usm
AlienVault
 
The State of Incident Response - INFOGRAPHIC
AlienVault
 
Incident response live demo slides final
AlienVault
 
Improve Situational Awareness for Federal Government with AlienVault USM
AlienVault
 
Improve Security Visibility with AlienVault USM Correlation Directives
AlienVault
 
How Malware Works
AlienVault
 
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
AlienVault
 
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
AlienVault
 
AWS Security Best Practices for Effective Threat Detection & Response
AlienVault
 

Recently uploaded (20)

PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
PPTX
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
Teaching material agriculture food technology
LiaRayya
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Approach and Philosophy of On baking technology
30anthuong17
 
Encapsulation theory and applications.pdf
gurumoop
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 

The bash vulnerability practical tips to secure your environment

  • 2. @AlienVault About AlienVault AlienVault has unified the security products, intelligence and community essential for mid-sized businesses to defend against today’s modern threats
  • 3. @AlienVault Agenda What is the bash vulnerability? Practical tips to minimize your exposure to attack Insights on how attackers are exploiting this vulnerability (with Jaime Blasco, AlienVault Labs Director) How AlienVault USM can detect the bash vulnerability, and alert you of active attacks (Demo with victor Obando, systems engineer)
  • 4. Allows an attacker to inject malicious code inline with a shell command following the definition of an environmental variable curl -H "User-Agent: () { :; }; /bin/eject" http://example.com/ @AlienVault What Is The Bash Vulnerability? Prior to fixing this vulnerability, variables starting with “() { :; };” were treated as executable commands rather than text strings. In the case of a http header (something an attacker controls), this vulnerability can be used to compromise the variable definition in the web server itself HTTP_USER_AGENT=() { :; }; /bin/eject
  • 5. @AlienVault Am I Vulnerable? Do you have externally facing *nix (Unix, Linux, Mac OS, etc) servers that utilize the bash shell? Do you have web applications making calls to the bash shell on these servers with elevated privileges? Have you neglected to apply your OS vendor’s patch that addresses this vulnerability? If the answer is YES to any of the questions above, you could be vulnerable…
  • 6. Non-Server Vulnerabilities Devices with embedded Linux could potentially be running unpatched bash that is either not supported (patch will not be released) or near impossible to upgrade. @AlienVault • Routers • Switches • Firewalls • Other Network Appliances
  • 7. @AlienVault How To Test If You Are Vulnerable In the bash shell, enter the following command: env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
  • 8. @AlienVault If Your Test Returns This… …Then You’re Not Vulnerable
  • 9. @AlienVault However, If You See This… …Then You Might Be In Trouble
  • 10. How Do I Defend Myself? Patch your servers • Really, this is the easiest, most effective, and the only real way to “fix” this @AlienVault vulnerability • Supported Ubuntu/Debian (apt-get) - sudo apt-get update && sudo apt-get install --only-upgrade bash • Supported CentOS / RedHat / Fedora - sudo yum update bash • Apple OS X - Patch update available from the Apple support site. • For unsupported operating systems, you will have to update to a supported version first, then apply the patch.
  • 11. @AlienVault How Do I Defend Myself? Sanitize your web application’s inputs • Related to defense against Cross-Site Scripting and SQL injection attacks, make sure that inputs are validated and sanitized. Disable any calls to bash under elevated privileges • Obviously disable any CGIs that make call to the shell Use another shell?? • Probably not the best idea, especially since commands in bash may not translate to other shells
  • 12. @AlienVault Attack Vectors Attackers are exploiting the vulnerability using the following protocols: - HTTP Headers - DHCP - SIP - Mail (Ex: Qmail, Postfix) - OpenVPN - FTP (Ex: Pure-FTPd) - DNS
  • 13. @AlienVault Post exploitation Once the attackers find a way to exploit the vulnerability they download and execute a payload, example: - The malware is a Linux ELF executable that makes the infected system join a bonet. It has the following capabilities: - PING - GETLOCALIP - SCANNER - HOLD - JUNK (DoS Flood) - UDP (DoS Flood) - TCP (DoS Flood) - KILLATTK
  • 14. @AlienVault Spotting Shellshock in USM Malicious Sources added to OTX Threat intelligence • Multiple IDS Signatures Including: 2019231 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in URI 2019232 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in Headers 2019233 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in ClientBody 2019234 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in Client Body 2 2019236 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Version Number 2019237 - ET EXPLOIT Possible CVE-2014-6271 exploit attempt via malicious DHCP ACK - option 15 2019238 - ET EXPLOIT Possible CVE-2014-6271 exploit attempt via malicious DHCP ACK - option 67 Correlation Directives to Detect and Alarm: Exploitation & Installation, Service Exploit, Bash - CVE-2014-6271 Reconnaissance & Probing, Service Exploit, Bash - CVE-2014-6271
  • 15. Asset Discovery • Active Network Scanning • Passive Network Scanning • Asset Inventory • Host-based Software Inventory Vulnerability Assessment • Network Vulnerability Testing • Remediation Verification Threat Detection • Network IDS • Host IDS • Wireless IDS • File Integrity Monitoring Behavioral Monitoring • Log Collection • Netflow Analysis • Service Availability Monitoring Security Intelligence • SIEM Event Correlation • Incident Response @AlienVault
  • 17. More Questions? Email Hello@alienvault.com NOW FOR SOME Q&A… Test Drive AlienVault USM Download a Free 30-Day Trial http://www.alienvault.com/free-trial Try our Product Sandbox http://www.alienvault.com/live-demo-site

Editor's Notes

  • #2: Welcome, thanks for joining – My name is Garrett Gross, Sr Tech PMM @ AlienVault. We wanted to take some time to talk about the recent bash shell exploit (known as “shellshock”). Understandably, there is a lot of confusion surrounding the shellshock vulnerability, how attackers are exploiting this vulnerability, and how to protect yourself against it. But first – I’d like to tell you a bit about AlienVault.
  • #3: AlienVault is a security software company based out of San Mateo, CA with offices here in Austin, TX; Granada and Madrid, Spain; and Cork, Ireland. We offer a Unified Security Management platform with the detection tools and supporting threat intelligence that you need to best defend against today’s attackers.
  • #5: Afterwards, turn over to Jaime