
While the world is shell-shocked, our customers are preparing for the weekend

Posted: September 26, 2014

The world is shell-shocked!

While system owners are still busy understanding the vulnerability and working out how to detect it, attackers are showing no mercy. We expected the web to be the biggest attack surface for this vulnerability, and on the second day after disclosure we are already seeing a pattern.

‘Command injection’ is the attack category that is a match made in heaven for this vulnerability. If you have an application (especially one that uses CGI scripts) where a bash command can be injected by exploiting this vulnerability, the potential impact goes well beyond anything you would imagine.

IndusGuard WAF, with its out-of-the-box rules, protects web applications against command injection attacks. For this new vulnerability, our team of researchers has quickly added more patterns and signatures to protect our customers (refer: How Not to Get BASH-ed).

What we saw yesterday was somewhat expected, but the variety and the patterns are simply astounding. With one of our customers, where we were running a pilot WAF deployment, we saw command injection attempts from multiple sources and with different patterns.

While the world is shell shocked

We saw the attacker trying to inject through the cookie, the headers, and even the body. They might be script kiddies, but they were trying all sorts of combinations to break into the system. In this example, they were trying to run the ping utility remotely to send ICMP requests to their own server. By monitoring the ping responses at their end, attackers can easily confirm whether the command was executed and so find out whether the application is vulnerable. We have seen this kind of reconnaissance activity across multiple customers and are actively blocking it.
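The detection idea behind such WAF rules, as an added example that is not Indusface's code: every Shellshock probe must start a header, cookie or form-field value with the "() {" function prefix that unpatched bash recognised, so a request scanner only has to flatten the request into its injectable fields and anchor a match at the start of each value. All request samples below are constructed; the ping target is a documentation address.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl

# Pre-fix bash imported an environment variable as a function when its value
# began with "() {", so that prefix is the marker every probe must carry.
# Anchoring at the start of the value avoids false positives on ordinary text
# such as JavaScript's "function(){", which contains "(){" mid-string.
SHELLSHOCK_RE = re.compile(r"^\s*\(\s*\)\s*\{")

def fields(headers: Dict[str, str], body: str) -> List[Tuple[str, str]]:
    """Flatten a request into (location, value) pairs, one per injectable field."""
    out = []
    for name, value in headers.items():
        if name.lower() == "cookie":
            # A cookie value cannot legally contain ";", so a probe smuggled in
            # a cookie splits into fragments; the fragment with the marker is
            # still caught and the alert names that cookie.
            for pair in value.split(";"):
                key, _, val = pair.strip().partition("=")
                out.append((f"cookie:{key}", val))
        else:
            out.append((f"header:{name}", value))
    # Body treated as form data; parse_qsl also undoes percent-encoding.
    for key, val in parse_qsl(body, keep_blank_values=True):
        out.append((f"body:{key}", val))
    return out

def scan_request(headers: Dict[str, str], body: str = "") -> List[str]:
    """Return every request location whose value starts with the marker."""
    return [loc for loc, val in fields(headers, body) if SHELLSHOCK_RE.search(val)]

# Constructed sample requests, not captured traffic; 203.0.113.5 is a
# documentation address standing in for the attacker's own host.
PROBE_VIA_HEADER = {"Host": "www.example.com",
                    "User-Agent": "() { :; }; /bin/ping -c 1 203.0.113.5"}
PROBE_VIA_COOKIE = {"Host": "www.example.com", "User-Agent": "Mozilla/5.0",
                    "Cookie": "session=abc123; lang=() {:;}; /bin/ping -c 1 203.0.113.5"}
PROBE_BODY = "comment=%28%29+%7B+%3A%3B+%7D%3B+%2Fbin%2Fping+-c+1+203.0.113.5"
BENIGN = {"Host": "www.example.com", "User-Agent": "Mozilla/5.0"}
BENIGN_BODY = "q=function(){ return 1; }&page=2"

if __name__ == "__main__":
    for label, hdrs, body in [("header", PROBE_VIA_HEADER, ""),
                              ("cookie", PROBE_VIA_COOKIE, ""),
                              ("body", BENIGN, PROBE_BODY),
                              ("benign", BENIGN, BENIGN_BODY)]:
        print(label, "->", scan_request(hdrs, body) or "clean")
```

A production rule set would additionally inspect other decodings (for example multiple layers of URL encoding) and log the outbound host named in the payload, since a ping to an unfamiliar address is the attacker's confirmation channel.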

Adding more flavor to the matter, malware research teams have identified payloads that exploit the Bash vulnerability to build botnets for conducting DDoS attacks. Expect more such innovative but dangerous exploit scenarios that will shell-shock the world.

Indusface WAF provides foolproof protection against this vulnerability for your web applications. Our experience (State of Application Security in India) suggests that a critical vulnerability like ‘Command Injection’ may take up to 100 days to get fixed in your application, but at Indusface we are trying to ensure our customers enjoy their weekends and the upcoming festival season.

