Thursday, September 25, 2014

More Shellshock Info


FortiGuard Advisory with status of affected products

FortiGuard Shellshock Blog Post

Bash Vulnerability Signatures

The newly announced Bash / Shellshock vulnerability is documented in CVE-2014-6271.

Here are custom IPS rules for immediate manual deployment. Fortinet has already generated an official IPS signature, Bash.Function.Definitions.Remote.Code.Execution, which will be released in the next few hours once it has passed QA testing; the custom rules below bridge the gap until then.

Fortigate firewalls do NOT use Bash and are not vulnerable to this exploit. The custom rules below inspect client-to-server HTTP traffic (--service HTTP, --flow from_client) for the Bash function-definition prefix "() {" in the request URI, the header block and the body, and can be applied to policies protecting web servers behind the firewall. They cover HTTP only.

F-SBID( --name "Bash.Code.Execution.Custom1"; --protocol tcp; --service HTTP; --flow from_client; --pattern "|28 29 20 7b 20|"; --context uri; --pcre "/[=?&\x2f]\s*?\x28\x29\x20\x7b\x20/"; --context uri ; )
F-SBID( --name "Bash.Code.Execution.Custom2"; --protocol tcp; --service HTTP; --flow from_client; --pattern "|28 29 20 7b 20|"; --context header;)
F-SBID( --name "Bash.Code.Execution.Custom3"; --protocol tcp; --service HTTP; --flow from_client; --pattern "|28 29 20 7b 20|"; --context body; --pcre "/(?:^|[=?&])\s*?\x28\x29\x20\x7b\x20/"; --context body ; )
F-SBID( --name "Bash.Code.Execution.Custom4"; --protocol tcp; --service HTTP; --flow from_client; --pattern "()"; --context header; --pattern ":|3b|"; --context header; --within 8; --pattern "}"; --context header; --within 8; --pcre "/(Cookie|Host|Referer):\s*\(\)\s*\{\s*:\x3b\s*\}\s*\x3b/i"; --context header; --distance -32; --within 128; )
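To see what these four rules actually match, here is a small Python re-implementation of them. This is an example added to this post, not Fortinet code, and it does not use the F-SBID engine: it splits a raw HTTP request into URI, header block and body, applies the same "() { " byte pattern and the same PCREs to the part of the request each --context names, and reports which Custom rules would fire. The sample requests and the host name in them are constructed for the demo, and percent-decoding the URI before matching is an assumption about how the IPS normalises the uri context.

```python
"""Re-implementation of the four custom Shellshock IPS rules in Python.

Added example, not Fortinet code. Each rule maps to the fast-path byte
pattern from --pattern plus the PCRE from --pcre, applied to the request
part named by --context (uri, header, body).
"""
import re
from urllib.parse import unquote_to_bytes

# Fast-path literal shared by Custom1..3: "() { " == |28 29 20 7b 20|
FUNC_DEF = b"\x28\x29\x20\x7b\x20"

# PCREs copied from the signatures. Custom4's --distance/--within window,
# which ties its pcre to the earlier "()", ":;" and "}" literals in the
# F-SBID engine, is folded into the single regex here.
CUSTOM1_URI = re.compile(rb"[=?&\x2f]\s*?\x28\x29\x20\x7b\x20")
CUSTOM3_BODY = re.compile(rb"(?:^|[=?&])\s*?\x28\x29\x20\x7b\x20")
CUSTOM4_HEADER = re.compile(
    rb"(Cookie|Host|Referer):\s*\(\)\s*\{\s*:\x3b\s*\}\s*\x3b", re.I
)


def split_request(raw: bytes):
    """Split a raw HTTP/1.x request into (uri, header_block, body).

    The URI is taken between the method and the last space on the request
    line, so a raw (unencoded) space in the path does not truncate it, and is
    percent-decoded (assumption: the IPS uri context is normalised the same way).
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    _method, _, rest = lines[0].partition(b" ")
    uri, _, _version = rest.rpartition(b" ")
    if not uri:  # request line without a version token
        uri = rest
    headers = b"\r\n".join(lines[1:])
    return unquote_to_bytes(uri), headers, body


def match_rules(raw: bytes):
    """Return the sorted names of the custom rules that fire on this request."""
    uri, headers, body = split_request(raw)
    hits = set()
    # Custom1: "() { " in the URI, preceded by =, ?, & or /
    if FUNC_DEF in uri and CUSTOM1_URI.search(uri):
        hits.add("Bash.Code.Execution.Custom1")
    # Custom2: "() { " anywhere in the header block, no pcre refinement
    if FUNC_DEF in headers:
        hits.add("Bash.Code.Execution.Custom2")
    # Custom3: "() { " at the start of the body or after a form-field delimiter
    if FUNC_DEF in body and CUSTOM3_BODY.search(body):
        hits.add("Bash.Code.Execution.Custom3")
    # Custom4: the canonical "() { :;};" prefix in Cookie, Host or Referer only
    if CUSTOM4_HEADER.search(headers):
        hits.add("Bash.Code.Execution.Custom4")
    return sorted(hits)


# Constructed sample requests for the demo (not captured traffic).
SAMPLES = {
    # Payload in User-Agent: Custom2 fires, Custom4 does not (header not listed)
    "user_agent": (
        b"GET /cgi-bin/status HTTP/1.1\r\n"
        b"Host: victim.example\r\n"
        b"User-Agent: () { :;}; /bin/bash -c 'id'\r\n\r\n"
    ),
    # Payload in Referer: both the generic header rule and Custom4 fire
    "referer": (
        b"GET / HTTP/1.1\r\n"
        b"Host: victim.example\r\n"
        b"Referer: () { :; }; /bin/bash -c 'id'\r\n\r\n"
    ),
    # Percent-encoded payload in a query parameter: Custom1 after decoding
    "query": (
        b"GET /cgi-bin/test?x=%28%29%20%7B%20%3A%3B%7D%3B%20echo%20vuln HTTP/1.1\r\n"
        b"Host: victim.example\r\n\r\n"
    ),
    # Payload in a form field of a POST body: Custom3
    "post_body": (
        b"POST /cgi-bin/form HTTP/1.1\r\n"
        b"Host: victim.example\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
        b"name=() { :;}; /bin/bash -c 'id'"
    ),
    # JavaScript body: "function() { " contains the literal but never follows
    # a delimiter, so the Custom3 pcre keeps it quiet
    "benign_js": (
        b"POST /upload HTTP/1.1\r\n"
        b"Host: victim.example\r\n\r\n"
        b"var f = function() { return 1; };"
    ),
}


if __name__ == "__main__":
    for name, request in SAMPLES.items():
        print(f"{name:10s} -> {match_rules(request) or ['(no match)']}")
```

Running it shows why the rules are layered: Custom2 is the broadest, firing on "() { " anywhere in the header block (including User-Agent, which the Custom4 pcre does not name), while Custom1 and Custom3 refuse the literal unless it sits where a CGI parameter value would start, which is what keeps ordinary JavaScript in a POST body from tripping them.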

Monday, September 15, 2014

Switching interface modes

By default, smaller Fortigate units such as the 60D and 90D series combine their internal ports into a single virtual switch, so all of them share one broadcast domain. A configuration change puts every port in its own broadcast domain instead, which is useful, for example, when you need several independent trunk ports.

By default the firewalls also ship with a basic policy that permits and NATs outbound traffic from the internal switch, plus a DHCP server bound to it. Both reference the switch interface, so they have to be purged before the switch mode can be changed. Note that purge wipes the entire policy and DHCP server tables, not just the defaults, and the mode change reboots the unit, so do this on a fresh box or after backing up the configuration.

# config firewall policy
# purge

This operation will clear all table!
Do you want to continue? (y/n) y

# end
# config system dhcp server
# purge

This operation will clear all table!
Do you want to continue? (y/n) y

# end
# config system global
# set internal-switch-mode interface
# end

Changing switch mode will reboot the system!
Do you want to continue? (y/n) y