ShellShock - Fortinet's Response

Fortinet's response to the Shellshock vulnerability.

What is Shellshock?

Shellshock is a vulnerability discovered in the ubiquitous GNU Bourne Again Shell (Bash) program which can allow an attacker to remotely execute arbitrary code on a target system. Bash is commonly used in many Linux, Unix and Mac OS X operating systems. It also likely impacts Apple's iOS mobile operating system and Google's Android OS.

Who is affected?
While Bash is a local shell, it is used in many programs on the Internet to set environment variables which are then used in the execution of other programs.

How does it work?
Programs often use environment variables in their operations. If specially crafted extra code is added inside an environment variable, the operating system will execute that code. For example:

Should I be worried?
If you are the owner or maintainer of a server or other Internet infrastructure, you should patch your machines as quickly as possible. The nature of this exploit is such that it would be trivial for an attacker to compromise your machine(s) or create a self-propagating worm, reminiscent of the SQL Slammer worm in 2003, leading to potential Distributed Denial of Service attacks.

What can I do? How can I check my exposure?
On the server side of the equation, there are multiple things you should do as a best course of action to provide the highest level of security to your employees, users and customers:
It is important to note that FortiOS is not affected by Shellshock. FortiOS does not use the Bash shell.
Ensure you have appropriate IPS signatures deployed to monitor and mitigate any potential attacks on your infrastructure. Fortinet is issuing a Hot Update to our customers with IPS signatures to detect and prevent Shellshock attacks. This signature will be available in the next few hours. In situations such as this, our threat research teams are able to respond to urgent or immediate security incidents promptly to protect our customers (and our customers' customers) from exploitation.
Ensure you have deployed the latest AV DB packages to your systems and endpoints. Fortinet issued a Hot Update to our customers to detect and prevent Shellshock attacks.
Deploy the patches to affected systems as soon as possible.

What about Fortinet? How did Fortinet respond?
Fortinet released Bash.Function.Definitions.Remote.Code.Execution via Hot Update 5.552 on the afternoon of September 25th.
FortiGuard's PSIRT (Product Security and Incident Response Team) became aware of the issue on Wednesday, September 24th when the bug was publicly disclosed. Our team developed an in-house POC immediately to verify the vulnerability and started to determine the extent of our exposure in our products.
PSIRT issued a security advisory, FG-IR-14-030, on Thursday with initial information, and our industry-leading security research team concurrently created initial IPS signatures to help customers determine whether attackers attempting to exploit Shellshock were targeting their systems.
Patch development began on the morning of Thursday, September 25th, and our QA teams have started testing the updates.
Many of our products, including FortiOS, were not affected by Shellshock and a patch is not required. The product security advisory lists our affected products.

http://www.fortiguard.com/advisory/FG-IR-14-030/

Text taken from Fortinet Blog as is. Tech-2 does not own this text and has not verified the content.
