Carbon Black & VMware Announce Expanded Partnership to Secure the Software-Defined Data Center (SDDC) Learn more

Bit9 + Carbon Black Update on the Bash Bug “Shell Shock”

Bit9 + Carbon Black Update on the Bash Bug Shell Shock spiders
rico_valdez
September 30, 2014 / Rico Valdez

September 30, 2014 Update:

“We wanted to give an update on this issue. It appears that Florian Weimer has written a patch that effectively closes the hole found in Bash, as well as those that remained after the initial patch (and even a subsequent one).

The patch submitted by Florian has been confirmed effective by Michal Zalewski, a well-regarded Google security researcher, so application of the patch should effectively resolve the issue.

The patch was adopted upstream by the Bash project maintainer, and should make its way to all the relevant distros if it hasn’t already. Red Hat and CentOS appear to have adopted this patch, so it can be applied on those platforms via the usual mechanisms.

We have confirmed that the patch is compatible with all of our products, and does not introduce any issues.

As an aside, Apple today has also released patches for this issue on OSX, so it’s time to make sure all your OSX systems get the patch applied as well.

Again, it’s likely there are still lots of other devices that may have exposure to this bug (think of all the embedded Linux out there), so remain vigilant, and get those systems patched as quickly as possible!”

ORIGINAL POST:

It’s been a crazy 24 hours. On the heels of a vulnerability report and subsequent patch for the Bash bug comes confirmation that the patch does not fully address the issue.

The CVEs of interest are:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169

There are reports that this is already being exploited in the wild, and scanning for the bug is already in full swing.

Overview

This post provides two important notes:

  • Impact on Bit9 + Carbon Black – A summary of how the Bash bug affects Bit9 + Carbon Black products
  • Mitigation Benefits of Bit9 + Carbon Black – A summary of how Bit9 + Carbon Black can identify and prevent attempted exploitation

Impact on Bit9 + Carbon Black

This section describes how the Bash vulnerability affects existing Bit9 + Carbon Black products, including the Bit9 Platform server, Bit9 Platform agents, the Carbon Black enterprise server and Carbon Black sensors.

We have reviewed our products for exposure to the vulnerability and found that Bit9 + Carbon Black products are not vulnerable to exploitation.

**As part of a defense-in-depth approach, we recommend applying the Bash patches in production environments.**

As with all security patches, we recommend that the Bash patch be applied to all production environments. When possible, we also recommend that the patch be applied in a lab environment to confirm compatibility in fielded deployments.

Bit9 Platform Server

The Bit9 Platform is Windows-based, and does not have any interaction with Bash. There is no vulnerability associated with this issue on the Bit9 Platform server.

Bit9 Platform Windows Agent

The Bit9 Platform Windows agent is Windows-based, and does not have any interaction with Bash. There is no vulnerability associated with this issue on Bit9 Platform Windows agent.

Bit9 Platform Mac and Linux Agents

Bit9 Platform agents for the Mac and Linux platforms have been confirmed to not introduce any exposure to this issue.

We can provide confirmation that the patch to Bash that addresses CVE-2014-6271 is fully compatible with all supported versions of Bit9 Platform agents for Mac and Linux. When a patched version of Bash that addresses CVE-2014-7169 is made available, we will perform compatibility testing and update this post to reflect the results. At this time we expect no compatibility issues with the forthcoming bash patch.

Carbon Black Server

The Carbon Black enterprise server has been confirmed to not introduce any exposure to this issue.

We also can provide confirmation that the patched version of Bash that addresses CVE-2014-6271 is fully compatible with all supported versions of Carbon Black enterprise server. When a patched version of Bash that addresses CVE-2014-7169 is made available, we will perform compatibility testing and update this post to reflect the results. At this time we expect no compatibility issues with the forthcoming Bash patch.

Carbon Black Windows Sensor

The Carbon Black Windows sensor is Windows-based, and does not have any interaction with Bash. There is no vulnerability associated with this issue on the Carbon Black Windows Sensor.

Carbon Black Mac and Linux Sensors

Carbon Black sensors for the Mac and Linux platforms have been confirmed to not introduce any exposure to this issue.

We can provide confirmation that the patch to bash that addresses CVE-2014-6271 is fully compatible with all supported versions of Carbon Black sensors for Mac and Linux. When a patched version of Bash that addresses CVE-2014-7169 is made available, we will perform compatibility testing and update this post to reflect the results. At this time we expect no compatibility issues with the forthcoming Bash patch.

Details & Mitigation of the Vulnerability

This section describes how the Bit9 Platform and Carbon Black products can be used to help detect and protect against attacks exploiting the Bash vulnerability.

Vulnerability Background

The vulnerability that lies in Bash is potentially used by a very large number of processes on the system. Therefore, it is open to various attack vectors. It is not feasible to formulate a general defense for this, other than ensuring Bash is not in use or by applying a fully working patch.

Mitigating the Current Attack

Customers running Linux Bit9 agents in high enforcement on their systems should be adequately protected from this attack, as new binaries introduced to the system will be blocked from executing. Both Carbon Black sensors (via watchlists) and Bit9 Platform agents (via custom rules) will enable customers to monitor Bash activity and set alerts on various criteria.

The attack that has been observed in the wild is described in some detail here.

This attack uses a technique that has been addressed by the first patch, so those who have already patched should be protected from this particular attack. The attack writes a file named nginx in /tmp/besh. As of this writing, the file is not currently detected by any virus scanners, although there is more information about the file in the comments section here.

Customers using the Bit9 Platform can write custom rules to explicitly prevent this file from being created, report on its creation, or ban the hash outright. Similarly, in Carbon Black, a watchlist can be created to alert when this file is created on the endpoint, or when wget writes a file to the /tmp directory. The flexibility of the rules engine in Bit9 or the search capabilities in Carbon Black allow for various ways to detect this activity

It’s important to note that these mitigations are only applicable to this specific attack, and do not address the underlying vulnerability. The best course of action is to patch now, and patch again when a new one becomes available.

This bug, similar to Heartbleed, has vast implications, as Bash is highly prevalent in embedded systems, and all kinds of implementations based on Linux. As such, it appears that security teams will be dealing with the fallout of Bash for a good, long while.

TAGS: bash / bash bug / bit9 / bug / Carbon Black / Heartbleed / info security / shell shock

Related Posts