cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1322
Views
0
Helpful
7
Replies

False Positive on Sig 4689/1 Bash Environment Variable Command Injection

mhanson2004
Level 1
Level 1

I am seeing what I believe is false positives on Sig 4689/1 outbound from our network. When I look at the traffic capture from events it does not seem to match inbound traffic events that fire on the same signature. The inbound traffic looks very much like what I think is the exploit code for the Bash injection vulnerability. 

 

Any one else seeing this on their systems?

 

Mike

7 Replies 7

John Buchinsky
Level 1
Level 1

I'm seeing things like this. Whenever I look up the victim IPs they resolve to Amazon servers. It looks like a false positive to me also.

event_id = 1360033965674082135

severity = high

device_name = xxxxxxx

app_name = sensorApp

receive_time = 09/28/2014  06:32:59

event_time = 09/28/2014 10:33:29

sensor_local_time = 09/28/2014 06:33:29

sig_id = 4689

subsig_id = 1

sig_name = Bash Environment Variable Command Injection sig_details = CVE-2014-6271 sig_version = S824 attacker_ip = xxx.xxx.xxx.xxx attacker_port = 50986 attacker_locality = OUT victim_ip = 54.204.5.190 victim_port = 80 victim_os = unknown unknown (relevant) victim_locality = OUT summary_count = 0 initial_alert_id = summary_type = is_final_alert = interface = GigabitEthernet0/1 vlan = 0 virtual_sensor = vs0 context = bGVicml0eWJhYmllcy5wZW9wbGUuY29tJTdDYWlkJTNEMjA4OTQ1JTdDY2glM0RiYWJpZXMlN0NzY2glM0RuZXdzJTdDcHR5cGUlM0Rjb250ZW50JTdDY3R5cGUlM0RibG9nJTdDcGFnZSUzRDElN0NzdWJqJTNEYmFiaWVzJTJDa2FueWUtd2VzdCUyQ2tpbS1rYXJkYXNoaWFuJTJDbmV3cyU3Q2NlbGViJTNEJTdDdW5pcXVlJTNEZnVuY3Rpb24rKCkrJTdCJTBBKysrKysrKysrKysrdmFyK2ErJTNEKyU1QiU1RCUyQ2srJTNEKzAlMkNlJTNCJTBBKysrKw==$

actions = droppedPacket+deniedFlow+tcpOneWayResetSent

alert_details = InterfaceAttributes:  context="single_vf" physical="Unknown" backplane="GigabitEthernet0/1" ; risk_rating_num = 100(TVR=medium ARR=relevant) threat_rating = 65 reputation = protocol = tcp

I am starting to think that these are not false positives but some sort of call back to the control servers. 

Can anyone from Cisco chime in on this and provide more information please?

Thank you.

Mike

How many are you getting? I've only gotten a handful. We've got maybe 1000 machines and I might have gotten 7-8 notices since Friday. I got a handful on Friday afternoon, 1-2 on Sunday, and none today. The most I've ever gotten per IP is 2 notices.

We checked one of the machines out on Friday after we got 2 notices on it but didn't see any kind of malware/rootkits and we haven't gotten anything since from that IP.

I was thinking maybe it's something like the SQL Query in HTTP Request false positives that come from some Yahoo/Facebook traffic.

We have gotten hundreds of the alerts. We are at a university, and I just figured out that some Mac machines are vulnerable to the bash exploit. 

I am wondering if these are the machines that are tripping the signature when they calling back to a C and C server?

I have also experiencing this kind of problem.

We already patched the internal attacker IP and the events are still appearing.

Victim IPs are mostly to Amazon.

shepp
Level 1
Level 1

in the example from jbuchinsky below, we see javascript embedded in a POST body argument

%3Dfunction+()+%7B%0A

 

a new version of sig 4689-1 will be released in S825 which tighten the sig to only catch ()+%7B immediately after an = instead of anywhere in the POST body, thus ignoring these cases of javascript sent in http requests

 

Also it will reduce the SFR to 85 so these packets will not be denied by default

Could you rephrase this explanation for a non-IT executive?

thx.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: