Workaround: Using mod_security:
The following mod_security rules can be used to reject HTTP requests containing data that may be interpreted by Bash as function definition if set in its environment. They can be used to block attacks against web services, such as attacks against CGI applications outlined above.
Request Header values:
SecRule REQUEST_HEADERS "^\(\) {" "phase:1,deny,id:1000000,t:urlDecode,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"
SERVER_PROTOCOL values:
SecRule REQUEST_LINE "\(\) {" "phase:1,deny,id:1000001,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"
GET/POST names:
SecRule ARGS_NAMES "^\(\) {" "phase:2,deny,id:1000002,t:urlDecode,t:urlDecodeUni,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"
GET/POST values:
SecRule ARGS "^\(\) {" "phase:2,deny,id:1000003,t:urlDecode,t:urlDecodeUni,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"
File names for uploads:
SecRule FILES_NAMES "^\(\) {" "phase:2,deny,id:1000004,t:urlDecode,t:urlDecodeUni,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"
These may result in false positives but it's unlikely, and they can log them and keep an eye on it. You may also want to avoid logging as this could result in a significant amount of log files.
CVE-2014-6271 & CVE-2014-7169 mitigation via mod_sec
CVE-2014-6271 & CVE-2014-7169 mitigation via mod_sec
Has this been added to mod_sec yet (via Redhat)?
CentOS 6.9
ASL 4.0.19-37
ASL 4.0.19-37
Re: CVE-2014-6271 & CVE-2014-7169 mitigation via mod_sec
See:
New Bash vulnerability in Security Alerts
https://www.atomicorp.com/forums/viewto ... =13&t=7799
New Bash vulnerability in Security Alerts
https://www.atomicorp.com/forums/viewto ... =13&t=7799
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: CVE-2014-6271 & CVE-2014-7169 mitigation via mod_sec
Thank you for the question.
But of course we got you covered! Rules we released yesterday for this and it covers both CVEs. See the forum link above for more details.
But of course we got you covered! Rules we released yesterday for this and it covers both CVEs. See the forum link above for more details.
Michael Shinn
Atomicorp - Security For Everyone
Atomicorp - Security For Everyone
Re: CVE-2014-6271 & CVE-2014-7169 mitigation via mod_sec
I am somewhat worried that RH hasn't managed to provide a full patch yet. They are normally much quicker than this. I can only hope the initial patch does do at least some good for now (on non-ASL systems).
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>