Thursday, September 25, 2014

Bash Vulnerability Signatures

The newly announced Bash / Shellshock vulnerability is documented in CVE-2014-6271.

Here are IPS rules for immediate manual deployment. Fortinet has already generated a new IPS signature, Bash.Function.Definitions.Remote.Code.Execution, which will be released in the next few hours after it has passed the QA testing process.

FortiGate firewalls do NOT use Bash and are not vulnerable to this exploit. The rules below can be used to filter traffic destined for devices protected by the firewall.

F-SBID( --name "Bash.Code.Execution.Custom1"; --protocol tcp; --service HTTP; --flow from_client; --pattern "|28 29 20 7b 20|"; --context uri; --pcre "/[=?&\x2f]\s*?\x28\x29\x20\x7b\x20/"; --context uri ; )
F-SBID( --name "Bash.Code.Execution.Custom2"; --protocol tcp; --service HTTP; --flow from_client; --pattern "|28 29 20 7b 20|"; --context header;)
F-SBID( --name "Bash.Code.Execution.Custom3"; --protocol tcp; --service HTTP; --flow from_client; --pattern "|28 29 20 7b 20|"; --context body; --pcre "/(?:^|[=?&])\s*?\x28\x29\x20\x7b\x20/"; --context body ; )
F-SBID( --name "Bash.Code.Execution.Custom4"; --protocol tcp; --service HTTP; --flow from_client; --pattern "()"; --context header; --pattern ":|3b|"; --context header; --within 8; --pattern "}"; --context header; --within 8; --pcre "/(Cookie|Host|Referer):\s*\(\)\s*\{\s*:\x3b\s*\}\s*\x3b/i"; --context header; --distance -32; --within 128; )
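
To check what each rule is meant to catch before deploying it, here is an added example (not part of the original post and not Fortinet code) that re-implements the four patterns in Python and runs them over constructed requests. It assumes the URI is percent-decoded before matching and applies only the PCRE of Custom4, leaving out its --within/--distance constraints; `match_request` and the sample requests are hypothetical names and data.

```python
import re
from urllib.parse import unquote_to_bytes

# |28 29 20 7b 20| in the rules above is the literal byte string "() { ".
MARKER = b"() { "
URI_RE = re.compile(rb"[=?&\x2f]\s*?\x28\x29\x20\x7b\x20")       # Custom1 pcre
BODY_RE = re.compile(rb"(?:^|[=?&])\s*?\x28\x29\x20\x7b\x20")    # Custom3 pcre
HDR_RE = re.compile(                                             # Custom4 pcre
    rb"(Cookie|Host|Referer):\s*\(\)\s*\{\s*:\x3b\s*\}\s*\x3b", re.I)


def match_request(raw: bytes) -> list:
    """Return the names of the custom rules a raw client request would hit."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    _method, _, rest = request_line.partition(b" ")
    # Assumption of this example: the URI is percent-decoded before matching.
    uri = unquote_to_bytes(rest.rsplit(b" ", 1)[0])
    hits = []
    if MARKER in uri and URI_RE.search(uri):
        hits.append("Custom1")
    if MARKER in headers:            # Custom2 is a bare pattern on any header
        hits.append("Custom2")
    if MARKER in body and BODY_RE.search(body):
        hits.append("Custom3")
    # Simplification: only the pcre of Custom4 is applied here.
    if HDR_RE.search(headers):
        hits.append("Custom4")
    return hits


# Constructed sample requests; PLACEHOLDER stands in for any trailing content.
HOST = b"Host: example.test\r\n"
SAMPLES = {
    "benign": b"GET /index.html?q=test HTTP/1.1\r\n" + HOST + b"\r\n",
    "cookie": b"GET / HTTP/1.1\r\n" + HOST
              + b"Cookie: () { :; }; PLACEHOLDER\r\n\r\n",
    "user-agent": b"GET / HTTP/1.1\r\n" + HOST
                  + b"User-Agent: () { :; }; PLACEHOLDER\r\n\r\n",
    "uri": b"GET /app?x=()%20{%20:;%20};PLACEHOLDER HTTP/1.1\r\n" + HOST + b"\r\n",
    "body": b"POST /form HTTP/1.1\r\n" + HOST
            + b"\r\na=1&b=() { :; }; PLACEHOLDER",
    # "() { " appears, but not right after a delimiter, so Custom1's pcre rejects it.
    "near-miss": b"GET /app?x=foo()%20{%20bar HTTP/1.1\r\n" + HOST + b"\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:12} {match_request(raw)}")
```

The user-agent sample shows why Custom2 matters: Custom4's PCRE only names Cookie, Host and Referer, so a function definition in any other header is caught by the bare pattern alone.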
