Kerio User Forums » Kerio Control » Shellshock Vulnerability (Are any Kerio products vulnerable?)

erikv

Is it possible to detect malicious traffic passing through a Control firewall to mitigate this vulnerability?

bhancepdx

There is a basic Shellshock Snort rule out from volexity.com:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Volex Possible CVE-2014-6271 bash Vulnerability Requested (header) "; flow:established,to_server; content:"() {"; http_header; threshold:type limit, track by_src, count 1, seconds 120; sid:2014092401;)

I have tested this in KWF by editing Snort's used.rules and then verifying that tests from shellshock.detectify.com are ID'd.

This of course is testing for a very basic string and is not a comprehensive rule.

Right now this alert doesn't appear in the Snort rules being pulled to my Kerio and has to be inserted manually. I'm trying to determine when the Snort rules rolled out to Kerio Firewall will contain a Shellshock rule.

bhancepdx

A second update:

Snort community rules now contain 4 rules for "OS-OTHER Bash CGI environment variable injection attempt".

They are:
drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:"%3D%28%29+%7B"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2014-6271; reference:cve,2014-7169; classtype:web-application-activity; sid:31975; rev:3;)
drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:"() {"; fast_pattern:only; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2014-6271; reference:cve,2014-7169; classtype:web-application-activity; sid:31976; rev:3;)
drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:"() {"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2014-6271; reference:cve,2014-7169; classtype:web-application-activity; sid:31977; rev:3;)
drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:"() {"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2014-6271; reference:cve,2014-7169; classtype:web-application-activity; sid:31978; rev:3;)
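To make concrete what the Volexity rule in the earlier post and the four community rules above actually inspect, here is an added example; it is not Kerio's, Snort's or the poster's code. It parses the content and buffer options out of the rule text, then runs the rules over constructed HTTP requests to show which buffer each rule looks at, why the URL-encoded variant (sid 31975) exists alongside the raw "() {" rules, and how a plain "() {" match fires on ordinary JavaScript in a request body. The buffer model (URI percent-decoded, headers and body matched raw) is a simplification of Snort's HTTP inspector and is an assumption of this example, as are the sample requests and hostnames.

```python
"""Simplified evaluator for the Shellshock Snort rules quoted in this thread.

Added example, not Kerio's or Snort's code.  Buffer handling is an assumption:
the URI is percent-decoded (Snort normalizes it), while headers and the client
body are matched raw.  Real Snort differs in detail (cookie handling, body
depth, other normalizations), so this illustrates the rule logic only.
"""
import re
from urllib.parse import unquote

# Constructed copy of the community rules (sids 31975-31978) and the Volexity rule.
RULES = r'''
drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:"%3D%28%29+%7B"; fast_pattern:only; reference:cve,2014-6271; sid:31975; rev:3;)
drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:"() {"; fast_pattern:only; http_client_body; reference:cve,2014-6271; sid:31976; rev:3;)
drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:"() {"; fast_pattern:only; http_uri; reference:cve,2014-6271; sid:31977; rev:3;)
drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:"() {"; fast_pattern:only; http_header; reference:cve,2014-6271; sid:31978; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Volex Possible CVE-2014-6271 bash Vulnerability Requested (header) "; flow:established,to_server; content:"() {"; http_header; sid:2014092401;)
'''

BUFFERS = ("http_header", "http_uri", "http_client_body")


def parse_rules(text):
    """Return [(sid, action, msg, content, buffer)] for each rule line.

    One content per rule is handled, which is all these rules use.  A buffer
    modifier after the content restricts the match to that buffer; with no
    modifier the content is matched against the raw request ("raw").
    """
    rules = []
    for line in text.strip().splitlines():
        action = line.split()[0]
        opts = line[line.index("(") + 1:line.rindex(")")]
        sid = int(re.search(r"\bsid:(\d+);", opts).group(1))
        msg = re.search(r'msg:"([^"]*)";', opts).group(1).strip()
        content, rest = re.search(r'content:"([^"]*)";(.*)', opts).groups()
        buf = next((b for b in BUFFERS if re.search(r"\b%s;" % b, rest)), "raw")
        rules.append((sid, action, msg, content, buf))
    return rules


def build_request(method, target, headers, body=""):
    """Constructed HTTP/1.1 request split into the buffers the rules inspect."""
    header_block = "".join("%s: %s\r\n" % kv for kv in headers.items())
    raw = "%s %s HTTP/1.1\r\n%s\r\n%s" % (method, target, header_block, body)
    return {
        "raw": raw,
        "http_uri": unquote(target),   # normalized URI: %28%29 becomes ()
        "http_header": header_block,   # headers are not URL-decoded
        "http_client_body": body,      # assumption: body matched raw
    }


def evaluate(rules, req):
    """Return {sid: action} for every rule whose content occurs in its buffer."""
    return {sid: action for sid, action, _msg, content, buf in rules
            if content in req[buf]}


RULESET = parse_rules(RULES)
HOST = "www.example.com"  # constructed

# Constructed traffic: a benign request, three payload placements, one false positive.
SAMPLES = {
    "benign": build_request("GET", "/index.html",
                            {"Host": HOST, "User-Agent": "curl/7.38.0"}),
    "ua_header": build_request("GET", "/cgi-bin/status",
                               {"Host": HOST,
                                "User-Agent": "() { :;}; /bin/bash -c 'cat /etc/passwd'"}),
    "encoded_uri": build_request("GET", "/cgi-bin/status?x=%28%29%20%7B%20:;%7D;%20/bin/id",
                                 {"Host": HOST}),
    "form_body": build_request("POST", "/cgi-bin/login",
                               {"Host": HOST,
                                "Content-Type": "application/x-www-form-urlencoded"},
                               "user%3D%28%29+%7B+:;%7D;+/bin/id"),
    "js_body_fp": build_request("POST", "/api/upload", {"Host": HOST},
                                "var f = function() { return 1; };"),
}


def demo():
    """Map each sample name to the sorted list of sids that fire on it."""
    return {name: sorted(evaluate(RULESET, req)) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, sids in demo().items():
        print("%-12s -> %s" % (name, sids or "no match"))
```

Under this model the User-Agent payload trips both header rules (31978 and the Volexity rule), the percent-encoded query string is only caught after URI normalization (31977), the form-encoded body is caught only by the raw "%3D%28%29+%7B" rule (31975) because the body rule looks for a literal "() {", and an ordinary JavaScript body trips 31976 with no bash involved at all. That last case is the "very basic string" caveat from the earlier post in practice: the pattern is cheap to match but not specific, so a drop action on it needs review of what legitimate traffic crosses the firewall.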

erikv

Are these 4 rules being used/downloaded by the Control firewall?

bhancepdx

Not that I am aware of, no. My latest update did not contain them.

I'm testing manual edits, and getting around the way Kerio manages its internal link between Snort rules and high/medium/low threats by doing this:

1) ID'ing 2 "drop" rules with "high" threat standing -- specifically these

SID:3000001
SID:2019147

2) Deleting the 2 rules with these SIDs from the Kerio used.rules file

3) Adding these two test rules:

drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ShellShock Possible CVE-2014-6271 bash Vulnerability Requested (header) "; flow:established,to_server; content:"%3D%28%29+%7B"; http_header; threshold:type limit, track by_src, count 1, seconds 120; sid:2019147;)
drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ShellShock Possible CVE-2014-6271 bash Vulnerability Requested (header) "; flow:established,to_server; content:"() {"; http_header; threshold:type limit, track by_src, count 1, seconds 120; sid:3000001;)


When I do this, and test with shellshock.brandonpotter.com, I get these in my security logs:

[26/Sep/2014 12:07:20] IPS: Packet drop, severity: High, Rule ID: 1:3000001 KERIO IPS Test Signature - High Severity, proto:TCP, ip/port:75.127.84.182:55961 (hrtoolbox.com) -> 10.0.41.200:80
[26/Sep/2014 12:09:20] IPS: Packet drop, severity: High, Rule ID: 1:3000001 KERIO IPS Test Signature - High Severity, proto:TCP, ip/port:75.127.84.182:49339 (hrtoolbox.com) -> 10.0.41.200:80

Note that it says "KERIO IPS Test Signature" and not "ShellShock Possible CVE-2014-6271 bash Vulnerability Requested (header)" because I stole SID 3000001 from the "KERIO IPS Test Signature".

I don't recommend doing this. I am just testing, and I am making some assumptions.

mlee (Kerio)

The Kerio Control box is not vulnerable to Shellshock.

Details about this vulnerability and its impact on Kerio products can be found at http://tinyurl.com/KerioShellShock

Interesting modification you are doing with Snort; if it works in your environment, please do post in the forums to benefit other Kerio Control users.

M.

Edit: Added URL for more info.

[Updated on: Mon, 29 September 2014 07:34]
