Now that a patch has been released (and re-released), IT administrators are finally able to come up for air after being shell shocked. Tripwire VERT has rapidly released comprehensive vulnerability coverage for Tripwire IP360 customers, in order to quickly identify what systems were vulnerable and required patching. We have also updated our free SecureScan tool with these rules, so anyone can scan their internal network for these vulnerabilities. Lastly, we’ve released a free Python script to help businesses and users detect if their systems are vulnerable to Shellshock.
Now that we know what systems are vulnerable and have started patching, it is now time to identify what systems may have been compromised. Tripwire has released updated content for Tripwire Log Center available now in the Tripwire Customer Center, which provides content for identifying exploit attempts made against Apache targeting Shellshock vulnerabilities (CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169).
Unlike the Heartbleed vulnerability, which left no trace, malicious scanning and exploit attempts targeting these vulnerabilities will have left traces in log files:
Sample of log entry from attempted scan for Shellshock vulnerabilty
Now is the time for administrators to review these logs and correlate them with their vulnerability state to identify if the systems may have been compromised. Tripwire customers have an advantage with Tripwire Enterprise to further drill into those high-risk systems and identify what changes were made, ensuring they are in a trusted state.
Detecting Shellshock Exploit Attempts
In addition to detecting exploit attempts in your Apache logs, the Tripwire Log Center content pack for Shellshock also includes rules for Snort IDS. These rules allow for the detection of real-time attacks against your infrastructure targeting the Shellshock vulnerabilities. Once the rules are imported into Tripwire Log Center, they can be easily dropped in to create correlation rules for alerting and other actions.
Even if your systems are patched you may want to pass IDS detection data to your events of interest—other meta-data regarding the intrusion attempt may be useful in identifying other attacks through correlation with other networks and host-based indicators-of-compromise. Although the vulnerability has a patch available, there may be additional vulnerabilities discovered, so keep an eye on these exploit attempts and the assets they are targeting.
If you are a Tripwire Log Center customer please visit the Tripwire Customer Center for more information and to access the content download.
- Understanding ShellShock Attack Vectors
- How to Detect the ShellShock Bash Bug On Your Internal Network
- ShellShock: Custom Vulnerability Check for IP360
- Shell Shocked: Bash Bug Detection Tools
- VERT Alert: ShellShock – Crushing the Bash Bug
Check out Tripwire SecureScan™, a free, cloud-based vulnerability management service for up to 100 Internet Protocol (IP) addresses on internal networks. This new tool makes vulnerability management easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology – and it detects the Heartbleed and Shellshock vulnerability.