Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Six key defenses against Shellshock attacks

Antone Gonsalves | Oct. 1, 2014
Experts from the SANS Institute offer advice of defending against Shellshock attacks.

The number of attempts by hackers to compromise computers through the Shellshock vulnerability is rising, but companies have options for defending against attackers.

Shellshock is the name given to a set of at least six vulnerabilities in GNU Bash, the default command shell found in Linux, Unix and Mac OS X. The flaws in Bash, which stand for Bourne Again SHell, include CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277 and CVE-2014-6278.

Security vendor Cloudflare reported Monday that it has counted more 1.5 million distributed-denial-of-service attacks against the Shellshock flaw daily on its network.

Web application firewall vendor Incapsula reported Monday that over the four days since Shellshock was made public Sept. 25, it has deflected more than 217,000 exploit attempts on over 4,115 domains. Incapsula has documented attacks originating from more than 890 IP addresses worldwide.

So, what should companies do to defend against attackers? Experts from the SANS Institute, which provides data, network and cyber security training, offer the following advice:

--Use multiple scripts. Paul Henry, a senior instructor at SANS, found he needed multiple scripts in order to test for the half-dozen flaws. He found that the scripts released by vendors for their products were not enough.

"They (the scripts) are simply not tight enough. You're missing machines," Henry said. "People need to be really careful and thorough in their scanning. Think it through."

Fortunately, vulnerability-scanning tools include scripts to test for the various flavors of the Bash vulnerability, so companies should make sure they have all available scripts before testing.

--Test using DHCP. One way to exploit the flaw is through a dynamic host configuration protocol (DHCP) message carrying an exploit string.

"You can essentially exploit your own systems by sending an exploit string, like for example a ping, from a DHCP server," Johannes Ullrich, director of the SANS Internet Storm Center, said. "If a system in your network is vulnerable, it will ping the DHCP server that you've set up."

--Apply vendor-supplied rules. Firewalls and intrusion detection and prevention systems need to be updated with the latest rules to block attacks targeted at Bash flaws. Cisco-owned Sourcefire, Juniper Networks, IBM and F5 Networks are among the vendors who have released updates.

Companies that use the popular open-source Bro or Snort intrusion prevention systems (IPS) should install the latest rule set available from the respective community sites.

"The rules out there are pretty good in the sense that they're unlikely to miss a lot of exploit attempts," Ullrich said. "The only problem will be false positives."

--Install the latest patches. Many patches sent by vendors are functional, but incomplete. Nevertheless, companies have been advised to apply what is available. Patching once and then forgetting about the problem won't solve this bug. Instead, system administrators will need to stay on top of vendor-provided patches to update the fixes already in place.


1  2  Next Page 

Sign up for CIO Asia eNewsletters.