Shellshock

When will you add rules to protect against Shellshock?

A Web Application Firewall is not a tool to avoid the Shellshock issue. It’s better to update your system’s bash package to a secure version.

Shellshock fixes for various distributions:
Red Hat: Resolution for Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278) in Red Hat Enterprise Linux - Red Hat Customer Portal
Fedora: Flaw CVE-2014-6271 discovered in the Bash shell - update your Fedora systems - Fedora Magazine
CentOS-5: [CentOS-announce] CESA-2014:1293 Critical CentOS 5 bash Security Update
CentOS-6: [CentOS-announce] CESA-2014:1293 Critical CentOS 6 bash Security Update
CentOS-7: [CentOS-announce] CESA-2014:1293 Critical CentOS 7 bash Security Update
Ubuntu: USN-2362-1: Bash vulnerability | Ubuntu security notices | Ubuntu
Debian: [SECURITY] [DSA 3032-1] bash security update

There are already some mod_security rules posted by Red Hat: Mitigating the shellshock vulnerability (CVE-2014-6271 and CVE-2014-7169) - Red Hat Customer Portal

The top priority should be to apply both Bash patches. Then you can also implement the mod_security rules under Comodo WAF » User Data » Custom rules as an extra precaution.

Actually I think these rules should be implemented into the Comodo rule-set, as I’m sure that some servers will remain unpatched. There are enough people who neglect this stuff.

Hi Stefan

Thank you for your finding! I’ve contacted our rule writers team about this.

Bash is still not fully patched. I believe adding mod_sec rules can help web servers block an angle of attack, which is always helpful.

Another thing worth mentioning is that LiteSpeed Web Server already has an update since 9-25-2014 that covers Shellshock. Details: LiteSpeed Web Server Now Protected Against Shellshock ⋆ LiteSpeed Blog

Not quite sure if it also protects against the last 4 vulnerabilities…

No problem, Oleg. Glad that I could help.

It would be ideal to push an update of the Shellshock rules before it gets more actively exploited. It still isn’t fully patched as of today.