CVE-2014-6271 & CVE-2014-7169 mitigation via mod_sec

gaia
Forum Regular
Posts: 213
Joined: Tue Jun 09, 2009 12:57 pm

Has this been added to mod_sec yet (via Redhat)?
Workaround: Using mod_security:
The following mod_security rules can be used to reject HTTP requests containing data that may be interpreted by Bash as function definition if set in its environment. They can be used to block attacks against web services, such as attacks against CGI applications outlined above.

Request Header values:

SecRule REQUEST_HEADERS "^\(\) {" "phase:1,deny,id:1000000,t:urlDecode,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"

SERVER_PROTOCOL values:

SecRule REQUEST_LINE "\(\) {" "phase:1,deny,id:1000001,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"

GET/POST names:

SecRule ARGS_NAMES "^\(\) {" "phase:2,deny,id:1000002,t:urlDecode,t:urlDecodeUni,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"

GET/POST values:

SecRule ARGS "^\(\) {" "phase:2,deny,id:1000003,t:urlDecode,t:urlDecodeUni,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"

File names for uploads:

SecRule FILES_NAMES "^\(\) {" "phase:2,deny,id:1000004,t:urlDecode,t:urlDecodeUni,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"

These may result in false positives but it's unlikely, and they can log them and keep an eye on it. You may also want to avoid logging as this could result in a significant amount of log files.
CentOS 6.9
ASL 4.0.19-37
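
The five rules quoted in the post above, modelled as an added example (not part of the original post, and not Red Hat's or Atomicorp's code) to show which rule id would fire for a given request and where false positives can come from. It assumes a simplified request dictionary, approximates t:urlDecode and t:urlDecodeUni with Python's urllib.parse.unquote, and uses constructed sample values; matched_rules and SAMPLES are hypothetical names.

```python
import re
from urllib.parse import unquote

# (rule id, collection, pattern, url-decode first?) taken from the rules quoted above.
# t:urlDecode / t:urlDecodeUni are approximated with unquote(); that is an assumption.
RULES = [
    (1000000, "headers", r"^\(\) {", True),
    (1000001, "request_line", r"\(\) {", False),  # the only unanchored pattern
    (1000002, "arg_names", r"^\(\) {", True),
    (1000003, "args", r"^\(\) {", True),
    (1000004, "file_names", r"^\(\) {", True),
]

def matched_rules(request):
    """Return the ids of the rules that would deny this (simplified) request."""
    hits = []
    for rule_id, collection, pattern, url_decode in RULES:
        for value in request.get(collection, []):
            candidate = unquote(value) if url_decode else value
            if re.search(pattern, candidate):
                hits.append(rule_id)
                break  # one hit per rule is enough
    return hits

# Constructed sample requests; none of these values come from real traffic.
LINE = "GET /cgi-bin/status HTTP/1.1"
SAMPLES = {
    "plain": {"request_line": [LINE], "headers": ["Mozilla/5.0 (X11; Linux x86_64)"]},
    "header_prefix": {"request_line": [LINE], "headers": ["() { placeholder"]},
    "header_encoded": {"request_line": [LINE], "headers": ["%28%29%20%7B placeholder"]},
    "header_mid_value": {"request_line": [LINE], "headers": ["note: f() { appears later"]},
    "arg_prefix": {"request_line": [LINE], "args": ["() { placeholder"]},
    "benign_question": {"request_line": ["GET /search?q=f() { HTTP/1.1"], "args": ["f() {"]},
}

if __name__ == "__main__":
    for name, request in SAMPLES.items():
        print(f"{name:18} -> {matched_rules(request) or 'allowed'}")
```

The last sample shows where the false positives mentioned in the post are most likely: the REQUEST_LINE pattern is the only unanchored one, so a request line that merely contains the sequence is denied.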
Imaging
Forum Regular
Posts: 346
Joined: Sat Sep 25, 2010 2:46 pm

Re: CVE-2014-6271 & CVE-2014-7169 mitigation via mod_sec

See:

New Bash vulnerability in Security Alerts

https://www.atomicorp.com/forums/viewto ... =13&t=7799
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: CVE-2014-6271 & CVE-2014-7169 mitigation via mod_sec

Thank you for the question.

But of course we've got you covered! We released rules for this yesterday, and they cover both CVEs. See the forum link above for more details.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: CVE-2014-6271 & CVE-2014-7169 mitigation via mod_sec

I am somewhat worried that RH hasn't managed to provide a full patch yet. They are normally much quicker than this. I can only hope the initial patch does do at least some good for now (on non-ASL systems).