topic False Positive on Sig 4689/1 Bash Environment Variable Command Injection in Network Security

False Positive on Sig 4689/1 Bash Environment Variable Command Injection

mhanson2004 — Sun, 10 Mar 2019 13:14:47 GMT

I am seeing what I believe is false positives on Sig 4689/1 outbound from our network. When I look at the traffic capture from events it does not seem to match inbound traffic events that fire on the same signature. The inbound traffic looks very much like what I think is the exploit code for the Bash injection vulnerability.

Any one else seeing this on their systems?

Mike

I'm seeing things like this.

John Buchinsky — Mon, 29 Sep 2014 19:11:29 GMT

I'm seeing things like this. Whenever I look up the victim IPs they resolve to Amazon servers. It looks like a false positive to me also.

event_id = 1360033965674082135

severity = high

device_name = xxxxxxx

app_name = sensorApp

receive_time = 09/28/2014 06:32:59

event_time = 09/28/2014 10:33:29

sensor_local_time = 09/28/2014 06:33:29

sig_id = 4689

subsig_id = 1

sig_name = Bash Environment Variable Command Injection sig_details = CVE-2014-6271 sig_version = S824 attacker_ip = xxx.xxx.xxx.xxx attacker_port = 50986 attacker_locality = OUT victim_ip = 54.204.5.190 victim_port = 80 victim_os = unknown unknown (relevant) victim_locality = OUT summary_count = 0 initial_alert_id = summary_type = is_final_alert = interface = GigabitEthernet0/1 vlan = 0 virtual_sensor = vs0 context = bGVicml0eWJhYmllcy5wZW9wbGUuY29tJTdDYWlkJTNEMjA4OTQ1JTdDY2glM0RiYWJpZXMlN0NzY2glM0RuZXdzJTdDcHR5cGUlM0Rjb250ZW50JTdDY3R5cGUlM0RibG9nJTdDcGFnZSUzRDElN0NzdWJqJTNEYmFiaWVzJTJDa2FueWUtd2VzdCUyQ2tpbS1rYXJkYXNoaWFuJTJDbmV3cyU3Q2NlbGViJTNEJTdDdW5pcXVlJTNEZnVuY3Rpb24rKCkrJTdCJTBBKysrKysrKysrKysrdmFyK2ErJTNEKyU1QiU1RCUyQ2srJTNEKzAlMkNlJTNCJTBBKysrKw==$

actions = droppedPacket+deniedFlow+tcpOneWayResetSent

alert_details = InterfaceAttributes: context="single_vf" physical="Unknown" backplane="GigabitEthernet0/1" ; risk_rating_num = 100(TVR=medium ARR=relevant) threat_rating = 65 reputation = protocol = tcp

I am starting to think that

mhanson2004 — Mon, 29 Sep 2014 19:39:04 GMT

I am starting to think that these are not false positives but some sort of call back to the control servers.

Can anyone from Cisco chime in on this and provide more information please?

Thank you.

Mike

How many are you getting? I

John Buchinsky — Mon, 29 Sep 2014 19:50:50 GMT

How many are you getting? I've only gotten a handful. We've got maybe 1000 machines and I might have gotten 7-8 notices since Friday. I got a handful on Friday afternoon, 1-2 on Sunday, and none today. The most I've ever gotten per IP is 2 notices.

We checked one of the machines out on Friday after we got 2 notices on it but didn't see any kind of malware/rootkits and we haven't gotten anything since from that IP.

I was thinking maybe it's something like the SQL Query in HTTP Request false positives that come from some Yahoo/Facebook traffic.

We have gotten hundreds of

mhanson2004 — Mon, 29 Sep 2014 20:18:12 GMT

We have gotten hundreds of the alerts. We are at a university, and I just figured out that some Mac machines are vulnerable to the bash exploit.

I am wondering if these are the machines that are tripping the signature when they calling back to a C and C server?

I have also experiencing this

Jhun Banzuela — Tue, 30 Sep 2014 01:28:49 GMT

I have also experiencing this kind of problem.

We already patched the internal attacker IP and the events are still appearing.

Victim IPs are mostly to Amazon.

in the example from

shepp — Tue, 30 Sep 2014 04:55:47 GMT

in the example from jbuchinsky below, we see javascript embedded in a POST body argument

%3Dfunction+()+%7B%0A

a new version of sig 4689-1 will be released in S825 which tighten the sig to only catch ()+%7B immediately after an = instead of anywhere in the POST body, thus ignoring these cases of javascript sent in http requests

Also it will reduce the SFR to 85 so these packets will not be denied by default

Could you rephrase this

wgorman — Wed, 01 Oct 2014 16:15:06 GMT

Could you rephrase this explanation for a non-IT executive?

thx.