Now that a patch has been released (and re-released), IT administrators are finally able to come up for air after being shell shocked. Tripwire VERT has rapidly released comprehensive vulnerability coverage for Tripwire IP360 customers, in order to quickly identify what systems were vulnerable and required patching. Lastly, we’ve released a free Python script to help businesses and users detect if their systems are vulnerable to Shellshock.
Now that we know which systems are vulnerable and have started patching, it is time to identify which systems may have been compromised. Tripwire has released updated content for Tripwire Log Center, available now in the Tripwire Customer Center, which provides content for identifying exploit attempts made against Apache targeting the Shellshock vulnerabilities (CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169).
Unlike the Heartbleed vulnerability, which left no trace, malicious scanning and exploit attempts targeting these vulnerabilities will have left traces in log files:
Sample log entry from an attempted scan for the Shellshock vulnerability
Now is the time for administrators to review these logs and correlate them with their vulnerability state to identify whether those systems may have been compromised. Tripwire customers have an advantage with Tripwire Enterprise to further drill into those high-risk systems and identify what changes were made, ensuring they are in a trusted state.
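As an added example (not Tripwire's free script and not the Log Center content described in this post), the following Python script shows the kind of check an administrator could run over Apache combined-format access logs to surface Shellshock probes and then correlate each hit with the patch state of the server that logged it. The hallmark it looks for is the bash function-definition marker `() {` appearing in a request line, Referer or User-Agent, which is where a CGI-fronted server would export attacker-controlled text into environment variables. The sample log lines, the server names and the set of servers known to be unpatched are all constructed for the example.

```python
"""Scan Apache combined-format access logs for Shellshock probes and rank the
hits against known vulnerability state.

Added illustration for this post; it is not Tripwire's script or Log Center
content. Log lines, server names and the vulnerable-server set are constructed.
"""
import re
from collections import Counter, namedtuple
from urllib.parse import unquote

# Apache "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# A bash function definition "() {" has no business in an HTTP field; tolerate
# extra whitespace between the parentheses and the brace.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

Hit = namedtuple("Hit", "client time field value")


def scan_line(line):
    """Return a Hit for every quoted field of one log line that carries the marker."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    if not m:
        return []  # not combined format (or truncated); nothing to inspect
    hits = []
    for field in ("request", "referer", "agent"):
        value = m.group(field)
        # Scanners sometimes percent-encode the marker, so decode before matching.
        if SHELLSHOCK_RE.search(unquote(value)):
            hits.append(Hit(m.group("host"), m.group("time"), field, value))
    return hits


def scan_log(lines):
    """Scan an iterable of log lines and collect all hits in order."""
    hits = []
    for line in lines:
        hits.extend(scan_line(line))
    return hits


def triage(server, hits, vulnerable_servers):
    """Attach a severity to each hit: an attempt against a server that was still
    unpatched when the attempt arrived is 'high'; otherwise it is kept as 'info'
    for correlation with other indicators."""
    level = "high" if server in vulnerable_servers else "info"
    return [(level, h) for h in hits]


def clients_by_attempts(hits):
    """Count attempts per source address so the noisiest scanners surface first."""
    return Counter(h.client for h in hits).most_common()


# Constructed sample: two probes from one source (one percent-encoded in the
# Referer), plus one ordinary request that must not match.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 512 "-" "() { :;}; echo shellshock-probe"',
    '198.51.100.9 - - [25/Sep/2014:10:12:07 +0000] "GET /index.html HTTP/1.1" '
    '200 2048 "http://example.com/" "Mozilla/5.0"',
    '203.0.113.5 - - [25/Sep/2014:10:13:44 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 512 "%28%29%20%7B%20%3A%3B%7D%3B%20echo%20probe" "curl/7.30"',
]

# Constructed: servers still unpatched at the time the log was written.
UNPATCHED_SERVERS = {"www1.example.internal"}

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for level, hit in triage("www1.example.internal", found, UNPATCHED_SERVERS):
        print(f"[{level}] {hit.client} {hit.time} {hit.field}: {hit.value}")
    print("attempts per client:", clients_by_attempts(found))
```

Run against a real log with `scan_log(open("/var/log/apache2/access.log"))` and a set of hostnames your vulnerability scanner reported as unpatched; a `high` hit on a CGI path is the cue to pull that host into change-audit review, while `info` hits still feed the correlation described below.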
Detecting Shellshock Exploit Attempts
In addition to detecting exploit attempts in your Apache logs, the Tripwire Log Center content pack for Shellshock also includes rules for Snort IDS. These rules allow for the detection of real-time attacks against your infrastructure targeting the Shellshock vulnerabilities. Once the rules are imported into Tripwire Log Center, they can be easily dropped in to create correlation rules for alerting and other actions.
Even if your systems are patched, you may want to pass IDS detection data into your events of interest: other metadata about the intrusion attempt may help identify related attacks when correlated with other network and host-based indicators of compromise. Although a patch is available for this vulnerability, additional vulnerabilities may be discovered, so keep an eye on these exploit attempts and the assets they are targeting.
If you are a Tripwire Log Center customer please visit the Tripwire Customer Center for more information and to access the content download.