False positive for 16800: TCP: GNU Bash Remote Code Execution Vulnerability

Dear Team,
My customer, a bank in Brunei, wants to access several finance websites such as www.iifm.net. The TippingPoint IPS blocked access to the website and reported it as 16800: TCP: GNU Bash Remote Code Execution Vulnerability (Low Severity). The site is a normal, legitimate website. Our issue is that our employees need to access these websites for their daily work. Please advise.
Best Regards
Yudi

@yuibagan 
Thank you for using HP Support Forum. I have brought your issue to the appropriate team within HP. They will likely request information from you in order to look up your case details or product serial number. Please look for a private message from an identified HP contact. Additionally, keep in mind not to publicly post serial numbers and case details.
If you are unfamiliar with the Forum's private messaging please click here to learn more.
Thank you,
Omar
I Work for HP

Similar Messages

  • False positive for GNU Bash Remote Code Execution Vulnerability


    Hello Yuibagan,
    This is the Consumer products forum.
    You need to be in the HP Enterprise Business Community for IT related issues for servers, etc.
    I think you will want to post this question in the Security section. Don't post the same question more than once as you did here.
    HP Networking
    You will also want to take a look at the Articles and updates explaining GNU Bash here:
    GNU Bash vulnerability "Shellshock" (CVE-2014-6271... - HP Enterprise Business Community
    HP Security Research: GNU Bash vulnerability "Shel... - HP Enterprise Business Community
    HP AppDefender and HP WebInspect updates: GNU Bash... - HP Enterprise Business Community
    HPSR Software Security Content 2014 Update 3 - HP Enterprise Business Community
    Good luck

  • Threat Feed say my ipad2 got threats, memory corruption vulnerability exist, which could lead to remote code execution. How to solve this problem?

    Threat Feed (McAfee) says my iPad 2 has threats: a memory corruption vulnerability exists,
    which could lead to remote code execution. How do I solve this problem?

    You can't solve this problem yourself. You would need to wait for Apple to release a "fix" or for McAfee to revise their judgement.
    If you're worried about the threats, don't do things that would expose yourself to the vulnerability that they describe.
    Since I can't see what you're looking at, I can't give you any other advice.

  • PHP-Remote Code Execution

    Hi Experts,
    My IPS has been reporting "PHP-Remote Code Execution" attacks on one of our web servers for a while now. Each time the attacker's IP address keeps changing. I created an object-group and access-list to deny the object-group on my firewall and I keep adding the attacker's IPs to the group; however, I keep receiving new "PHP-Remote Code Execution" attacks. My IPS is in promiscuous mode and I have auto signature update enabled.
    IPS has reported "packet denied by global correlation" in some cases. Like I said, IPS is in promiscuous mode. Signature: 2271/0 and CVE-2012-1823
    Apart from making sure the web servers have the right security patches, what else should I be doing? I do not want to miss anything out.


  • Adobe Acrobat Reader Crafted PDF Document Remote Code Execution

    Hi all,
    I was wondering if Adobe can clarify when "CVE-2012-4363 Adobe Acrobat Reader Crafted PDF Document Remote Code Execution" will be fixed?
    It's been a pretty long time since this issue was reported.
    With kind regards,
    Erik Verhoef
    The Netherlands

    I was also given the Knowledge Base number 405461 from Adobe, and they said that this would definitely fix the problem... AND IT DIDN'T :-(
    see kb405461
    http://kb.adobe.com/selfservice/view...nalId=kb405461
    And just to let everyone know, I have already completely uninstalled Adobe Reader and reinstalled it several times thinking that a fresh install would cure the problem, and it hasn't made a bit of difference. The version of Reader doesn't matter either, as I've tried versions 7, 8 and 9... all with the same exact issue... which makes me think that it might be an issue with MS IE6.

  • Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (3016711)

    Can someone help me download the security patch below, which I am not able to download from the MS website?
    Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (3016711)

    Microsoft Releases KB3024777 Update to Fix Botched KB3004394 Patch
    http://news.softpedia.com/news/Microsoft-Releases-KB3024777-Update-to-Fix-Botched-KB3004394-Patch-46...
    Windows 7 Pro SP1 (64-bit), avast! V7 Free, MBAM Pro, Windows Firewall, EMET, OpenDNS Family Shield, IE9 & Firefox (both using WOT & KeyScrambler), MVPS HOSTS file, SpywareBlaster, WinPatrol PLUS, SAS (on-demand scanner), Secunia PSI.
    [I am experimenting with Sandboxie, and believe computer-users who sandbox are acting prudently.]

  • False Positive on Sig 4689/1 Bash Environment Variable Command Injection

    I am seeing what I believe are false positives on Sig 4689/1 outbound from our network. When I look at the traffic capture from events it does not seem to match the inbound traffic events that fire on the same signature. The inbound traffic looks very much like what I think is the exploit code for the Bash injection vulnerability.
    Any one else seeing this on their systems?
    Mike

    I'm seeing things like this. Whenever I look up the victim IPs they resolve to Amazon servers. It looks like a false positive to me also.
    event_id = 1360033965674082135
    severity = high
    device_name = xxxxxxx
    app_name = sensorApp
    receive_time = 09/28/2014  06:32:59
    event_time = 09/28/2014 10:33:29
    sensor_local_time = 09/28/2014 06:33:29
    sig_id = 4689
    subsig_id = 1
    sig_name = Bash Environment Variable Command Injection
    sig_details = CVE-2014-6271
    sig_version = S824
    attacker_ip = xxx.xxx.xxx.xxx
    attacker_port = 50986
    attacker_locality = OUT
    victim_ip = 54.204.5.190
    victim_port = 80
    victim_os = unknown unknown (relevant)
    victim_locality = OUT
    summary_count = 0
    initial_alert_id =
    summary_type =
    is_final_alert =
    interface = GigabitEthernet0/1
    vlan = 0
    virtual_sensor = vs0
    context = bGVicml0eWJhYmllcy5wZW9wbGUuY29tJTdDYWlkJTNEMjA4OTQ1JTdDY2glM0RiYWJpZXMlN0NzY2glM0RuZXdzJTdDcHR5cGUlM0Rjb250ZW50JTdDY3R5cGUlM0RibG9nJTdDcGFnZSUzRDElN0NzdWJqJTNEYmFiaWVzJTJDa2FueWUtd2VzdCUyQ2tpbS1rYXJkYXNoaWFuJTJDbmV3cyU3Q2NlbGViJTNEJTdDdW5pcXVlJTNEZnVuY3Rpb24rKCkrJTdCJTBBKysrKysrKysrKysrdmFyK2ErJTNEKyU1QiU1RCUyQ2srJTNEKzAlMkNlJTNCJTBBKysrKw==
    actions = droppedPacket+deniedFlow+tcpOneWayResetSent
    alert_details = InterfaceAttributes: context="single_vf" physical="Unknown" backplane="GigabitEthernet0/1" ;
    risk_rating_num = 100(TVR=medium ARR=relevant)
    threat_rating = 65
    reputation =
    protocol = tcp
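The `context` field in the alert above is the base64-encoded payload the sensor matched on, so decoding it is the quickest way to judge whether the hit is real. The following Python is an added example, not code from the thread or from Cisco: it decodes that field (copied from the alert above, with the trailing `$` display residue dropped), URL-decodes the result, and searches for the `() {` token that Shellshock signatures key on. The regex is my approximation of what 4689/1 triggers on, not Cisco's actual pattern. The second sample string is constructed.

```python
import base64
import re
from urllib.parse import unquote_plus

# context field copied from the 4689/1 alert in the thread (page residue "$" removed)
ALERT_CONTEXT_B64 = (
    "bGVicml0eWJhYmllcy5wZW9wbGUuY29tJTdDYWlkJTNEMjA4OTQ1JTdDY2glM0RiYWJpZXMl"
    "N0NzY2glM0RuZXdzJTdDcHR5cGUlM0Rjb250ZW50JTdDY3R5cGUlM0RibG9nJTdDcGFnZSUz"
    "RDElN0NzdWJqJTNEYmFiaWVzJTJDa2FueWUtd2VzdCUyQ2tpbS1rYXJkYXNoaWFuJTJDbmV3"
    "cyU3Q2NlbGViJTNEJTdDdW5pcXVlJTNEZnVuY3Rpb24rKCkrJTdCJTBBKysrKysrKysrKysr"
    "dmFyK2ErJTNEKyU1QiU1RCUyQ2srJTNEKzAlMkNlJTNCJTBBKysrKw=="
)

# constructed benign query string with no "() {" in it, for comparison
BENIGN_CONTEXT_B64 = base64.b64encode(b"ptype%3Dcontent%7Cpage%3D1").decode()

# Approximation of the Shellshock trigger: "()" then optional whitespace then "{".
# Assumption: the real 4689/1 pattern is not published on the page.
SHELLSHOCK_TRIGGER = re.compile(r"\(\)\s*\{")


def decode_context(b64_text: str) -> str:
    """Base64-decode the sensor context, then URL-decode it (+ becomes space)."""
    raw = base64.b64decode(b64_text).decode("utf-8", errors="replace")
    return unquote_plus(raw)


def find_trigger(text: str):
    """Return (offset, snippet) of the first '() {' occurrence, or None."""
    m = SHELLSHOCK_TRIGGER.search(text)
    if m is None:
        return None
    start = max(0, m.start() - 20)
    return m.start(), text[start:m.end() + 20]


def analyze(b64_text: str) -> dict:
    """Decode an alert context and report where (if anywhere) the trigger sits."""
    decoded = decode_context(b64_text)
    hit = find_trigger(decoded)
    return {
        "decoded": decoded,
        "trigger_offset": None if hit is None else hit[0],
        "snippet": None if hit is None else hit[1],
    }


if __name__ == "__main__":
    for label, ctx in (("thread alert", ALERT_CONTEXT_B64), ("benign", BENIGN_CONTEXT_B64)):
        result = analyze(ctx)
        print(f"{label}: offset={result['trigger_offset']} snippet={result['snippet']!r}")
```

Running it shows the matched bytes are an ad-tracking request whose `unique=` parameter carries a URL-encoded JavaScript function literal, `function () {`, which is exactly the token sequence the signature is looking for in an HTTP header. That is consistent with the poster's observation that the "victims" are Amazon-hosted web servers and the traffic is outbound: benign client-side script leaking into a query string, not an exploit attempt.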

  • False Positives for id=12713 version=S149

    Just started receiving numerous firings of 12713. Looks like false positives. Is anyone else observing this?
    Cisco MARS is creating the following : System Rule: DoS: Network - Success Likely
    thanks
    John Stark


  • False positive for Windows RPC DCOM Overflow id=3327 version=S188

    Hi,
    Could you take a look at the capture below to see if there is a false positive at work.
    Thanks,
    Matt
    signature: description=Windows RPC DCOM Overflow id=3327 version=S188
    subsigId: 6
    sigDetails: \<400 chars>\
    interfaceGroup:
    vlan: 0
    participants:
    attacker:
    addr: locality=INTERNAL <address removed>
    port: 1914
    target:
    addr: locality=INTERNAL <address removed>
    port: 445
    context:
    fromTarget:
    000000 63 00 5F 00 66 00 73 00 2E 00 6E 00 6F 00 72 00 c._.f.s...n.o.r.
    000010 74 00 68 00 62 00 61 00 79 00 62 00 61 00 6E 00 t.h.b.a.y.b.a.n.
    000020 63 00 6F 00 72 00 70 00 2E 00 63 00 6F 00 6D 00 c.o.r.p...c.o.m.
    000030 00 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 ....W.i.n.d.o.w.
    000040 73 00 20 00 35 00 2E 00 30 00 00 00 57 00 69 00 s. .5...0...W.i.
    000050 6E 00 64 00 6F 00 77 00 73 00 20 00 32 00 30 00 n.d.o.w.s. .2.0.
    000060 30 00 30 00 20 00 4C 00 41 00 4E 00 20 00 4D 00 0.0. .L.A.N. .M.
    000070 61 00 6E 00 61 00 67 00 65 00 72 00 00 00 00 00 a.n.a.g.e.r.....
    000080 00 7E FF 53 4D 42 73 00 00 00 00 98 07 C8 00 00 .~.SMBs.........
    000090 00 00 00 00 00 00 00 00 00 00 00 00 FF FE 00 48 ...............H
    0000A0 C0 3E 04 FF 00 7E 00 00 00 09 00 53 00 A1 07 30 .>...~.....S...0
    0000B0 05 A0 03 0A 01 00 57 00 69 00 6E 00 64 00 6F 00 ......W.i.n.d.o.
    0000C0 77 00 73 00 20 00 35 00 2E 00 30 00 00 00 57 00 w.s. .5...0...W.
    0000D0 69 00 6E 00 64 00 6F 00 77 00 73 00 20 00 32 00 i.n.d.o.w.s. .2.
    0000E0 30 00 30 00 30 00 20 00 4C 00 41 00 4E 00 20 00 0.0.0. .L.A.N. .
    0000F0 4D 00 61 00 6E 00 61 00 67 00 65 00 72 00 00 00 M.a.n.a.g.e.r...
    fromAttacker:
    000000 00 04 41 32 00 01 00 00 00 00 00 71 00 00 00 00 ..A2.......q....
    000010 00 D4 00 00 80 B9 00 A1 6F 30 6D A2 6B 04 69 4E ........o0m.k.iN
    000020 54 4C 4D 53 53 50 00 03 00 00 00 01 00 01 00 58 TLMSSP.........X
    000030 00 00 00 00 00 00 00 59 00 00 00 00 00 00 00 48 .......Y.......H
    000040 00 00 00 00 00 00 00 48 00 00 00 10 00 10 00 48 .......H.......H
    000050 00 00 00 10 00 10 00 59 00 00 00 15 8A 88 E2 05 .......Y........
    000060 00 93 08 00 00 00 0F 47 00 57 00 2D 00 30 00 30 .......G.W.-.0.0
    000070 00 32 00 38 00 37 00 00 46 5A 5E 7D 09 B9 25 FB .2.8.7..FZ^}..%.
    000080 EF 1F 07 DE BD 60 85 13 57 00 69 00 6E 00 64 00 .....`..W.i.n.d.
    000090 6F 00 77 00 73 00 20 00 32 00 30 00 30 00 30 00 o.w.s. .2.0.0.0.
    0000A0 20 00 32 00 31 00 39 00 35 00 00 00 57 00 69 00 .2.1.9.5...W.i.
    0000B0 6E 00 64 00 6F 00 77 00 73 00 20 00 32 00 30 00 n.d.o.w.s. .2.0.
    0000C0 30 00 30 00 20 00 35 00 2E 00 30 00 00 00 00 00 0.0. .5...0.....
    0000D0 00 00 00 58 FF 53 4D 42 75 00 00 00 00 18 07 C8 ...X.SMBu.......
    0000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FE ................
    0000F0 00 48 00 3F 04 FF 00 58 00 08 00 01 00 2D 00 00 .H.?...X.....-..

    This is indeed a false positive. You can either filter out trusted hosts or create a metasignature using this signature as a component to reduce the chance of false positives.
    Tune signature 3327-6 and remove the produce alert action.
    Create a custom signature as follows:
    Engine Meta
    Component list:
    3327-6
    3328-0
    Meta-reset-interval = 2
    Severity high
    Summarize
    Meta-key = Axxx – 1 unique victim
    Component-list-in-order = false
    Event action: produce alert
    This signature will only fire when signatures 3327-6 and 3328-0 fire. Since 3327-6 would have no event action of its own you would not see alerts from it.
    Note that this signature does not have as high fidelity as the original 3327-6, that being said signature 3327-0 detects almost all public exploits for this vulnerability. We will note this in the NSDB.
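To make the correlation described above concrete, here is an added Python model of the meta-signature logic; it is not Cisco's code and not part of the thread. It keys windows on the attacker address (my reading of `Axxx`), uses the 2-second reset interval, treats components 3327-6 and 3328-0 as order-independent, and requires one unique victim. The alert records are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    """Constructed component-signature event (not a sensor record)."""
    time: float      # seconds at which the component signature fired
    sig: str         # signature-subsignature id, e.g. "3327-6"
    attacker: str    # attacker address
    victim: str      # victim address


class MetaSignature:
    """Fire only when every component has fired within reset_interval seconds
    for the same key. Keying on attacker address is my reading of meta-key Axxx."""

    def __init__(self, components, reset_interval, unique_victims=1, in_order=False):
        self.components = list(components)
        self.reset_interval = reset_interval
        self.unique_victims = unique_victims
        self.in_order = in_order
        self._windows = {}  # attacker -> {"start": t, "seen": [sig, ...], "victims": set()}

    def feed(self, alert: Alert) -> bool:
        if alert.sig not in self.components:
            return False  # unrelated signature, not a component of this meta
        win = self._windows.get(alert.attacker)
        if win is None or alert.time - win["start"] > self.reset_interval:
            # no open window, or the old one has expired: start a fresh one
            win = {"start": alert.time, "seen": [], "victims": set()}
            self._windows[alert.attacker] = win
        if self.in_order:
            # with ordering enforced, only the next expected component counts
            if alert.sig == self.components[len(win["seen"])]:
                win["seen"].append(alert.sig)
        elif alert.sig not in win["seen"]:
            win["seen"].append(alert.sig)
        win["victims"].add(alert.victim)
        complete = (len(win["seen"]) == len(self.components)
                    and len(win["victims"]) >= self.unique_victims)
        if complete:
            del self._windows[alert.attacker]  # reset after the meta fires
            return True
        return False


def fired_indices(alerts, in_order=False):
    """Replay alerts through the meta from the thread (3327-6 + 3328-0,
    reset interval 2 s) and return the indices at which it fired."""
    meta = MetaSignature(["3327-6", "3328-0"], reset_interval=2,
                         unique_victims=1, in_order=in_order)
    return [i for i, a in enumerate(alerts) if meta.feed(a)]


if __name__ == "__main__":
    A, V = "10.1.1.5", "10.1.1.20"   # constructed addresses
    lone = [Alert(0, "3327-6", A, V)]
    both = [Alert(0, "3327-6", A, V), Alert(1, "3328-0", A, V)]
    print("3327-6 alone fires meta at:", fired_indices(lone))   # []
    print("3327-6 then 3328-0 fires meta at:", fired_indices(both))  # [1]
```

The replay makes the trade-off in the reply visible: a lone 3327-6 (the false-positive case from the capture) produces no alert, while the pair within two seconds does. It also shows why the fidelity drops: a 3328-0 arriving just outside the window, or from a different attacker address, is not correlated and is lost.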

  • The Accessibility Object for AS2 is returning a false positive for AS2 with IE10 on Windows 8 Pro.

    There is an issue with our legacy content player, which is written in Flash ActionScript 1 & 2. This player behaves fine in most browsers on most platforms, but in IE10 on Windows 8 it doesn't work properly.
    Internet Explorer 110
    Version: 10.0.9200.16688
    Update Version: 10.0.9 (KB2870699)
    Windows 8 Pro
    This seems to be because of the Flash engine's Accessibility object using the Microsoft Active Accessibility (MSAA) API to detect the presence of screen readers. This detection is creating a false positive on Windows 8 machines, and that may be due to the touch screen support on that platform. This doesn't appear to be occurring with Chrome or Firefox on the same platform, however, so I suspect that IE or IE's Flash component is doing something different than these other browsers.

    This is legacy code and is too close to its end-of-life to justify porting to AS3.  As far as a work-around I am already looking into it. I was hoping that someone had already encountered this issue and created a work-around.  This would have saved time.
    Any other takers?

  • [security] php 5.2.0 update (remote code execution)

    Hi!
    I just threw together an updated PHP package for those of you who want to patch your web servers against the advisory released yesterday.
    The package is available here:
    http://adiza.nexticom.net/files/package … pkg.tar.gz
    The advisory is available here:
    http://www.frsirt.com/english/advisories/2006/4317
    Note that it is without IMAP and ODBC support since I did not have these packages installed.
    Greets.

    cactus wrote: mhakali. I applaud your attention to security.
    However, it is generally not well received to post the same thing in multiple categories.
    Yes. Please do not cross-post: http://bbs.archlinux.org/viewtopic.php?p=205922
    Use the above thread for discussion.
    Locking.

  • CSCus68798 - ISE is vulnerable to CVE-2015-0235 Linux Ghost remote code execution

    First time trying to follow a specific CVE in Real-Time...
    I see this CVE-2015-0235 GHOST hack is applicable to ISE and Prime Infrastructure... but I haven't seen any patch status update since yesterday.
    CSA says "Obtaining Fixed Software
    Cisco has released free software updates that address the vulnerability described in this advisory."
    Yet, when I check the (2) products' download pages, the newest software I see is from Jan 23 and Jan 6, respectively. The exploit was published on Jan 27. So, where are the patches?

    The team that found the exploit, Qualys Security Advisory, documented that "the most stable and long-term-support distributions were left exposed (and still are): Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, Ubuntu 12.04, for example."  See the link below for the full report:
    https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt
    I'm assuming this is affecting all versions of UC appliances running these OS's (and possibly more that aren't used in the example?).  Anyone know how to determine what products are vulnerable to this?

  • MS14-066: Vulnerability in SChannel could allow remote code execution: November 11, 2014

    I have a server 2008 R2, with NO Service Pack 1 installed.
    Will this https://support.microsoft.com/kb/2992611 patch still be applicable for me to install? It says not.
    But is the system vulnerable? And do I have to install Service Pack 1 to NOT be vulnerable anymore?

    I have a server 2008 R2, with NO Service Pack 1 installed.
    Well, that's your VERY FIRST problem. You MUST have Service Pack 1 installed to receive ANY update published since early 2013.
    Will this https://support.microsoft.com/kb/2992611 patch still be applicable for me to install?
    No.
    But is the system vulnerable?
    Absolutely!!! Not to mention vulnerable to several dozen other security vulnerabilities patched in the past year and a half.
    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

  • TCP Hijack/TCP Segment Overwrite false positives?

    Hello all,
    I was just curious if anyone else has had many false positives with 3 signatures in particular: TCP Hijack (3250.0 - High), TCP Hijack Simplex Mode (3251.0 - High), and TCP Segment Overwrite (1300.0 - High). The reason I think they are false positives is because they occur every day, and I've also seen them caused by internal network traffic that crosses an IPS sensor (that is, making the potentially dangerous assumption that the internal devices can be trusted). We usually see between a dozen and 3 dozen a day depending on the signature, and we have 8 IPS total deployed internally and on the perimeters.
    Has anyone else had similar experiences? If so, do you have any suggestions on how to decrease the number of false positives for these alerts?
    Thanks,
    Ryan

    I get TCP Hijack and TCP Segment Overwrite all the time. I opened a TAC case about it because it was getting out of hand, and the engineer said that TCP Hijack would be very very hard to execute and if it is getting fired a lot odds are it is a false positive.
    This was his response:
    5769 - Malformed HTTP Request
    This signature basically just looks for traffic destined to one of your web ports (defined by the WEBPORTS variable) and containing a valid HTTP request (i.e., GET, POST, HEAD, PUT, DELETE, TRACE, CONNECT) but followed by malformed (i.e., not proper HTTP protocol syntax) URI information. This type of malformed HTTP request can be used for a variety of exploits. Microsoft has malformed HTTP request vulnerabilities; another attack known as "HTTP request smuggling" can be launched using malformed HTTP requests at a Squid web proxy, which may cause the web proxy and an upstream HTTP agent to disagree on the boundary between HTTP requests on a persistent connection. These are a couple of examples.
    If you open this signature in IDM and go to "Edit", you can see the regex it looks for within the http payload. Basically, it looks for a valid HTTP request followed by the hex code regex [\x20][\x21-\x7e]+[\x20]?[\x0d\x0a]. A properly formed HTTP request should not contain this hex code.
    It's possible that normal traffic could cause this, but unlikely. If you have further concerns about this signature firing, please capture the trigger packet context either by changing the signature action to 'produce verbose alert' or 'log attacker packet' for analysis. If you need assistance in analyzing these alerts, please contact TAC and open a case on this issue.
    3250 or 3251 - TCP Hijack and TCP Hijack Simplex Mode
    This signature detects attempts to insert packets into a TCP stream by an attacker in an effort to take over the session. However, if you're using inline IPS mode, TCP Hijack attacks are impossible. Also, this type of attack is very rare and not easy to do, and is often a false positive. Things that network sniffers can look for to detect that a TCP hijack may be happening are repeated ARP updates, frames sent between client and server with different MAC addresses, or TCP ACK storms.
    For these two hijack signatures, per MySDN information:
    "This signature fires upon detecting out of order ack packets. The most common network event that may trigger this signature is an idle telnet session. The TCP Hijack attack is a low-probability, high level-of-effort event."
    Thus, very likely to be false positives and unlikely to be a legitimate attack given the difficulties involved in doing this. However, it's worth checking out the source / destination of the attacks. Again though, if you are running inline mode, these attacks are impossible and you can ignore these signatures.
    About the TCP Segment Overwrite, mine is always fired for port 20 traffic from some sort of web cache server. Is that the same for you?
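The 5769 description above quotes only the byte-range part of the sensor's regex, `[\x20][\x21-\x7e]+[\x20]?[\x0d\x0a]`. The following Python is an added example, not code from the thread or from Cisco, that applies that fragment the way the reply describes it: anchored immediately after a valid method, so it fires when the URI is followed directly by end-of-line with no `HTTP/x.y` version token. That anchoring is my reading of "a valid HTTP request followed by", since the full sensor pattern is not on the page. The request samples are constructed.

```python
import re

# Methods listed in the TAC reply as "valid HTTP request" starts.
METHODS = rb"(?:GET|POST|HEAD|PUT|DELETE|TRACE|CONNECT)"

# The byte-range regex quoted on the page, anchored right after the method
# (assumption: this anchoring is my reading of the partly quoted signature).
MALFORMED_RE = re.compile(rb"^" + METHODS + rb"[\x20][\x21-\x7e]+[\x20]?[\x0d\x0a]")

# A normal HTTP/1.x request line for contrast: method, URI, version, line end.
WELL_FORMED_RE = re.compile(rb"^" + METHODS + rb"[\x20][\x21-\x7e]+[\x20]HTTP/[0-9]\.[0-9]\x0d?\x0a")

# Constructed samples; none are captures from the thread.
SAMPLES = {
    "normal_get": b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "no_version": b"GET /index.html\r\n",
    "trailing_space": b"POST /cgi-bin/form \r\n",
    "http09_style": b"GET /\r\n",
    "not_http": b"HELO mail.example.test\r\n",
}


def classify_request(raw: bytes) -> str:
    """Classify the first line of a request the way the 5769 check would see it."""
    if MALFORMED_RE.match(raw):
        return "malformed"      # what 5769 is described as firing on
    if WELL_FORMED_RE.match(raw):
        return "well-formed"    # proper request line: method URI HTTP/x.y
    return "no-match"           # not an HTTP request line at all


def scan(samples: dict) -> dict:
    """Run the classifier over a set of named samples."""
    return {name: classify_request(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:15s} -> {verdict}")
```

Why the greedy `[\x21-\x7e]+` cannot swallow a well-formed line: it stops at the space before `HTTP/1.1`, the optional `[\x20]?` consumes that space, and the next byte is `H`, not CR or LF, so the match fails after backtracking. The `http09_style` sample is the one legitimate case that still matches: an HTTP/0.9 simple request is exactly `GET <path>CRLF` with no version, which is the kind of rare "normal traffic" the reply allows for.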

  • What is happening about: The GNU Bourne Again Shell (Bash) is a command line utility widely used in many Unix-based operating systems including Linux and OS X.  Researchers have discovered a critical flaw in Bash which could allow remote code executi

    Authoritative advice today:
    The GNU Bourne Again Shell (Bash) is a command line utility widely used in many Unix-based operating systems including Linux and OS X.
    Researchers have discovered a critical flaw in Bash which could allow remote code execution by an unauthenticated user
    APPLE response?

    Also see:
    http://www.macrumors.com/2014/09/26/apple-os-x-users-safe-bash-flaw-update-soon/
    If you are not running a web server
    If you have not enabled CUPS web interface
    If you do not allow anonymous users to ssh into your Mac.
    If all are no, then you are not at risk.
    This IS a very serious bug for web servers, but the typical consumer Mac user is not at risk.
