False positive for GNU Bash Remote Code Execution Vulnerability

Dear Team,
At my customer, a bank in Brunei, users want to access several finance websites such as www.iifm.net. The TippingPoint IPS blocked access to the website, reporting 16800: TCP: GNU Bash Remote Code Execution Vulnerability (Low Severity). The site is a normal and legal website. Our concern is that these websites need to be accessed by our employees for their daily work. Please advise.
Best Regards
Yudi

Hello Yuibagan,
This is the Consumer products forum.
You need to be in the HP Enterprise Business Community for IT related issues for servers, etc.
I think you will want to post this question in the Security section. Don't post the same question more than once as you did here.
HP Networking
You will also want to take a look at the Articles and updates explaining GNU Bash here:
GNU Bash vulnerability "Shellshock" (CVE-2014-6271... - HP Enterprise Business Community
HP Security Research: GNU Bash vulnerability "Shel... - HP Enterprise Business Community
HP AppDefender and HP WebInspect updates: GNU Bash... - HP Enterprise Business Community
HPSR Software Security Content 2014 Update 3 - HP Enterprise Business Community
Good luck

Similar Messages

  • False positive for 16800: TCP: GNU Bash Remote Code Execution Vulnerability


    @yuibagan 
    Thank you for using HP Support Forum. I have brought your issue to the appropriate team within HP. They will likely request information from you in order to look up your case details or product serial number. Please look for a private message from an identified HP contact. Additionally, keep in mind not to publicly post serial numbers and case details.
    If you are unfamiliar with the Forum's private messaging please click here to learn more.
    Thank you,
    Omar
    I Work for HP

  • Threat Feed say my ipad2 got threats, memory corruption vulnerability exist, which could lead to remote code execution. How to solve this problem?

    Threat Feed (McAfee) say my ipad2 got threats, memory corruption vulnerability exist,
    which could lead to remote code execution. How to solve this problem?

    You can't solve this problem yourself. You would need to wait for Apple to release a "fix" or for McAfee to revise their judgement.
    If you're worried about the threats, don't do things that would expose yourself to the vulnerability that they describe.
    Since I can't see what you're looking at, I can't give you any other advice.

  • PHP-Remote Code Execution

    Hi Experts,
    My IPS has been reporting "PHP-Remote Code Execution" attacks on one of our webservers for a while now. Each time the attacker's IP address keeps changing. I created an object-group and access-list to deny the object-group on my firewall and I keep adding the attacker's IPs to the group; however, I keep receiving new "PHP-Remote Code Execution" attacks. My IPS is in promiscuous mode and I have auto signature update enabled.
    IPS has reported "packet denied by global correlation" in some cases. Like I said, IPS is in promiscuous mode. Signature: 2271/0 and CVE-2012-1823
    Apart from making sure the webservers have the right security patches, what else should I be doing? I do not want to miss anything out.


  • Adobe Acrobat Reader Crafted PDF Document Remote Code Execution

    Hi all,
    I was wondering if Adobe can clarify when "CVE-2012-4363 Adobe Acrobat Reader Crafted PDF Document Remote Code Execution" will be fixed?
    It's been a pretty long time since this issue was reported.
    With kind regards,
    Erik Verhoef
    The Netherlands

    I was also given the Knowledge Base number 405461 from Adobe, and they said that this would definitely fix the problem... AND IT DIDN'T :-(
    See kb405461
    http://kb.adobe.com/selfservice/view...nalId=kb405461
    And just to let everyone know, I have already completely uninstalled Adobe Reader and reinstalled it several times thinking that a fresh install would cure the problem, and it hasn't made a bit of difference. The version of Reader doesn't matter either, as I've tried versions 7, 8 and 9... all with the same exact issue... which makes me think that it might be an issue with MS IE6.

  • Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (3016711)

    Can someone help me download the security patch below, which I am not able to download from the MS website?
    Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (3016711)

    Microsoft Releases KB3024777 Update to Fix Botched KB3004394 Patch
    http://news.softpedia.com/news/Microsoft-Releases-KB3024777-Update-to-Fix-Botched-KB3004394-Patch-46...
    Windows 7 Pro SP1 (64-bit), avast! V7 Free, MBAM Pro, Windows Firewall, EMET, OpenDNS Family Shield, IE9 & Firefox (both using WOT & KeyScrambler), MVPS HOSTS file, SpywareBlaster, WinPatrol PLUS, SAS (on-demand scanner), Secunia PSI.
    [I am experimenting with Sandboxie, and believe computer-users who sandbox are acting prudently.]

  • False Positives for id=12713 version=S149

    Just started receiving numerous firings of 12713. Looks like false positives. Is anyone else observing this?
    Cisco MARS is creating the following : System Rule: DoS: Network - Success Likely
    Thanks
    John Stark


  • The Accessibility Object for AS2 is returning a false positive for AS2 with IE10 on Windows 8 Pro.

    There is an issue with our legacy content player, which is written in Flash ActionScript 1 & 2. This player behaves fine in most browsers on most platforms, but in IE10 on Windows 8 it doesn't work properly.
    Internet Explorer 10
    Version:  10.0.9200.16688
    Update Version:  10.0.9 (KB2870699)
    Windows 8 Pro
    This seems to be because of the Flash engine's Accessibility object using the Microsoft Active Accessibility (MSAA) API to detect the presence of screen readers. This detection is creating a false positive on Windows 8 machines, and that may be due to the touch screen support on that platform. This doesn't appear to be occurring with Chrome or Firefox on the same platform, however, so I suspect that IE or IE's Flash component is doing something different than these other browsers.

    This is legacy code and is too close to its end-of-life to justify porting to AS3.  As far as a work-around I am already looking into it. I was hoping that someone had already encountered this issue and created a work-around.  This would have saved time.
    Any other takers?

  • False positive for Windows RPC DCOM Overflow id=3327 version=S188

    Hi,
    Could you take a look at the capture below to see if there is a false positive at work.
    Thanks,
    Matt
    signature: description=Windows RPC DCOM Overflow id=3327 version=S188
    subsigId: 6
    sigDetails: <400 chars>
    interfaceGroup:
    vlan: 0
    participants:
    attacker:
    addr: locality=INTERNAL <address removed>
    port: 1914
    target:
    addr: locality=INTERNAL <address removed>
    port: 445
    context:
    fromTarget:
    fromAttacker:

    This is indeed a false positive. You can either filter out trusted hosts or create a meta-signature using this signature as a component to reduce the chance of false positives.
    Tune signature 3327-6 and remove the produce alert action.
    Create a custom signature as follows:
    Engine: Meta
    Component list:
    3327-6
    3328-0
    Meta-reset-interval = 2
    Severity: high
    Summarize
    Meta-key = Axxx – 1 unique victim
    Component-list-in-order = false
    Event action: produce alert
    This signature will only fire when signatures 3327-6 and 3328-0 fire. Since 3327-6 would have no event action of its own, you would not see alerts from it.
    Note that this signature does not have as high fidelity as the original 3327-6; that being said, signature 3327-0 detects almost all public exploits for this vulnerability. We will note this in the NSDB.
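The meta-signature logic from the reply above, as an added example (not Cisco IPS code): both component signatures must fire from the same attacker address within the 2-second reset interval, in any order, before an alert is produced, so a lone 3327-6 firing on a legitimate SMB session setup stays silent. The signature ids and interval are the reply's; the `ComponentEvent` record, the addresses and the event timings are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

META_RESET_INTERVAL = 2.0            # seconds, from the reply above
COMPONENTS = {"3327-6", "3328-0"}    # component list of the meta signature


@dataclass(frozen=True)
class ComponentEvent:
    """One firing of a component signature (constructed record format)."""
    ts: float        # seconds since the start of the capture
    sig: str         # component signature id, e.g. "3327-6"
    attacker: str    # attacker address: the Axxx meta-key
    victim: str      # victim address (not part of the key in this example)


def correlate(events):
    """Return (attacker, ts) for every meta alert the events would produce.

    Windows are keyed by attacker address only (Meta-key = Axxx) and are
    discarded after META_RESET_INTERVAL seconds. Component order is ignored
    (Component-list-in-order = false). A lone 3327-6 produces nothing: its
    own alert action is gone and the meta only completes once 3328-0 fires.
    """
    windows = defaultdict(dict)      # attacker -> {sig: first-seen ts}
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.sig not in COMPONENTS:
            continue                 # not a component of this meta signature
        seen = windows[ev.attacker]
        # reset interval has passed since the window opened: start over
        if seen and ev.ts - min(seen.values()) > META_RESET_INTERVAL:
            seen.clear()
        seen.setdefault(ev.sig, ev.ts)
        if COMPONENTS.issubset(seen):
            alerts.append((ev.attacker, ev.ts))
            seen.clear()             # one summarized alert per completed window
    return alerts


# Constructed samples; addresses are placeholders, not from the capture.
BENIGN_SMB_SETUP = [ComponentEvent(0.0, "3327-6", "10.0.0.5", "10.0.0.9")]
BOTH_COMPONENTS = [
    ComponentEvent(0.0, "3328-0", "10.0.0.7", "10.0.0.9"),
    ComponentEvent(1.5, "3327-6", "10.0.0.7", "10.0.0.9"),
]
TOO_FAR_APART = [
    ComponentEvent(0.0, "3327-6", "10.0.0.8", "10.0.0.9"),
    ComponentEvent(5.0, "3328-0", "10.0.0.8", "10.0.0.9"),
]
```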

  • Fix for GNU bash vulnerability CSCur05454 in Instant Messaging & presence server available?

    Hello,
    The bug report says 'Status: fixes' but I cannot find a patch for IM&P.
    Any information about that?
    Juergen

    The Readme document of the CUCM IM&P 10.5 Bash Environment Variable Patch.
    http://software.cisco.com/download/release.html?mdfid=286269517&flowid=50462&softwareid=282074312&release=UTILS&relind=AVAILABLE&rellifecycle=&reltype=latest (registered users only)
    states:
    This package will install on the following System Versions:
     - 8.6.4.10000-28 or any higher version starting with 8.6.4.xxxxx
     - 8.6.5.10000-12 or any higher version starting with 8.6.5.xxxxx
     - 9.1.1.10000-8 or any higher version starting with 9.1.1.xxxxx
     - 10.0.1.10000-26 or any higher version starting with 10.0.1.xxxxx
     - 10.5.1.10000-9 or any higher version starting with 10.5.1.xxxxx
    So the answer for you is: you should have at least (or upgrade to) 8.6.4.10000-28 and then apply the patch.
    Regards.
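An added check for the readme's version rule quoted above (example code, not from Cisco): a system qualifies only when it sits on one of the listed release trains and is at or above that train's minimum build, so a newer but unlisted train does not qualify. The build numbers are the readme's; `parse_version`, `release_train`, `patch_applies` and the version-string format are assumptions.

```python
import re

# Minimum builds from the readme quoted above, one per release train
# (the first three version components). Lookup table built for this example.
MINIMUM_BUILDS = {
    "8.6.4": "8.6.4.10000-28",
    "8.6.5": "8.6.5.10000-12",
    "9.1.1": "9.1.1.10000-8",
    "10.0.1": "10.0.1.10000-26",
    "10.5.1": "10.5.1.10000-9",
}

# Assumed layout of a CUCM/IM&P build string: a.b.c.dddd-n
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(text):
    """Turn 'a.b.c.dddd-n' into a tuple of ints so comparisons are numeric.

    Plain string comparison would rank '8.6.4.9000-5' above
    '8.6.4.10000-28'; integer tuples compare each component properly.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def release_train(version_tuple):
    """'8.6.4' for (8, 6, 4, 10000, 28): the prefix the readme matches on."""
    return ".".join(str(n) for n in version_tuple[:3])


def patch_applies(installed):
    """True if the patch installs on this build, False if an upgrade is needed.

    A train the readme does not list (e.g. 10.5.2) never qualifies, even
    when it is numerically newer than every listed minimum.
    """
    version = parse_version(installed)
    minimum = MINIMUM_BUILDS.get(release_train(version))
    if minimum is None:
        return False
    return version >= parse_version(minimum)
```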

  • [security] php 5.2.0 update (remote code execution)

    Hi!
    I just threw together an updated PHP package for those of you who want to patch your web servers against the advisory released yesterday.
    The package is available here:
    http://adiza.nexticom.net/files/package … pkg.tar.gz
    The advisory is available here:
    http://www.frsirt.com/english/advisories/2006/4317
    Note that it is without IMAP and ODBC support since I did not have these packages installed.
    Greets.

    cactus wrote: mhakali, I applaud your attention to security.
    However, it is generally not well received to post the same thing in multiple categories.
    Yes. Please do not cross-post: http://bbs.archlinux.org/viewtopic.php?p=205922
    Use the above thread for discussion.
    Locking.

  • CSCus68798 - ISE is vulnerable to CVE-2015-0235 Linux Ghost remote code execution

    First time trying to follow a specific CVE in Real-Time...
    I see this CVE-2015-0235 GHOST hack is applicable to ISE and Prime Infrastructure... but I haven't seen any patch status update since yesterday.
    CSA says "Obtaining Fixed Software
    Cisco has released free software updates that address the vulnerability described in this advisory."
    Yet, when I check the (2) products' download pages, the newest software I see is from Jan 23 and Jan 6, respectively. The exploit was published on Jan 27. So, where are the patches?

    The team that found the exploit, Qualys Security Advisory, documented that "the most stable and long-term-support distributions were left exposed (and still are): Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, Ubuntu 12.04, for example."  See the link below for the full report:
    https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt
    I'm assuming this is affecting all versions of UC appliances running these OS's (and possibly more that aren't used in the example?).  Anyone know how to determine what products are vulnerable to this?

  • MS14-066: Vulnerability in SChannel could allow remote code execution: November 11, 2014

    I have a server 2008 R2, with NO Service Pack 1 installed.
    Will this https://support.microsoft.com/kb/2992611 patch still be applicable for me to install? It says not.
    But is the system vulnerable? And do I have to install Service Pack 1 to NOT be vulnerable anymore?

    I have a server 2008 R2, with NO Service Pack 1 installed.
    Well, that's your VERY FIRST problem. You MUST have Service Pack 1 installed to receive ANY update published since early 2013.
    Will this https://support.microsoft.com/kb/2992611 patch still be applicable for me to install?
    No.
    But is the system vulnerable?
    Absolutely!!! Not to mention vulnerable to several dozen other security vulnerabilities patched in the past year and a half.
    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

  • Security update for BIOS 2.29 for T440 / T440s - what was the vulnerability?

    Hi,
    Can someone please share what the security vulnerability was for yesterday's BIOS?
    Version 2.29
    UEFI: 2.29 / ECP: 1.09
    (Fix) Fixed security vulnerability.
    (Fix) Fixed an issue that HDD partition data might not be captured by some UEFI application.

    Thanks for the input however I disagree. All security exploits should be exposed except under certain conditions.  Reading below, I do not believe it meets these conditions. This is what I found.  I would like to know what has been changed in case a security flaw affected my data etc.  To me it looks like they just don't want rollbacks of firmware as there was a security flaw in a previous firmware?
    - If the UEFI BIOS has been updated to version 2.29 or higher, it is no longer
    able to roll back to the version before 2.29 for security improvement.

  • What is happening about: The GNU Bourne Again Shell (Bash) is a command line utility widely used in many Unix-based operating systems including Linux and OS X.  Researchers have discovered a critical flaw in Bash which could allow remote code executi

    Authoritative advice today:
    The GNU Bourne Again Shell (Bash) is a command line utility widely used in many Unix-based operating systems including Linux and OS X.
    Researchers have discovered a critical flaw in Bash which could allow remote code execution by an unauthenticated user
    APPLE response?

    Also see:
    http://www.macrumors.com/2014/09/26/apple-os-x-users-safe-bash-flaw-update-soon/
    If you are not running a web server
    If you have not enabled CUPS web interface
    If you do not allow anonymous users to ssh into your Mac.
    If all are no, then you are not at risk.
    This IS a very serious bug for web servers, but the typical consumer Mac user is not at risk.
