18 Replies Latest reply: Sep 30, 2014 11:09 AM by Rancor

CVE-2014-6271 Detection

Novice

Will we see a plugin to detect the vulnerability described in CVE-2014-6271? I have not performed enough research to see if remote detection is possible.

  • Re: CVE-2014-6271 Detection
    Guru

    John Strickland wrote:

     

    Will we see a plugin to detect the vulnerability described in CVE-2014-6271? I have not performed enough research to see if remote detection is possible.

     

    We should have several plugins available in the feed in 3-4 hours, John. One will be a remote unsafe check to test for the vulnerability via a web server, a second will be a credentialed check to test for the vulnerability via an SSH service, and a third will be a credentialed check that looks for the update Red Hat published earlier today. Expect similar local, credentialed checks to follow in the coming days as other distros publish their own fixes.

     

    George

  • Re: CVE-2014-6271 Detection
    Novice

    Thank you George,

     

    Your team is always on the ball. I was just asking for information because, as you know, my management will be asking how vulnerable we are.

  • Re: CVE-2014-6271 Detection
    Novice

    George

    Are there any suggested policy/scan settings, or should the defaults be sufficient?

  • Re: CVE-2014-6271 Detection
    Novice

    Any success detecting remotely?

    • Re: CVE-2014-6271 Detection
      Novice

      I'm not having any luck detecting the vulnerability remotely at this moment. I am attempting to create a scan template with only the two plugins enabled. Thus far the scans come up clean, even though I am testing against a system which should be affected.

      • Re: Re: CVE-2014-6271 Detection

        All,

         

        It appears that the scans for the bash vulnerability have to be run with credentials to provide results. I have confirmed this through trial and error, scanning all of my systems with and without credentials.

         

        My question for the Tenable team is this: Is there any particular reason that the scans for the bash vuln have to be run with credentials? The remote attackers don't need credentials, so I was curious as to why the scans appear to necessitate them.

         

        Thank you for your time.

  • Re: CVE-2014-6271 Detection

    Has the plugin been updated?

    • Re: Re: CVE-2014-6271 Detection

      Hello,

       

      We also had problems with the detection of this plugin.

       

      We tested with a vulnerable and manually exploitable VM, and Nessus was unable to detect the vuln with the current plugin.

       

      We monitored the actions of the plugin and we noticed probably anomalous behavior of script 77829.

      This script, related to CVE-2014-6271, seems responsible for the execution of the PoC exploit over the different CGI paths and extensions.

       

      I can currently confirm that our Nessus scan tests with the latest plugin and using the Shellshock policy wizard were also unable to detect this simple and exploitable vulnerability.

      This is of big concern because it means that current Nessus scans are probably unreliable in detecting this risk on many, many systems.

       

      Besides this, I have already opened a ticket with some details about the problem, and I hope we will soon receive news from Tenable in this regard.

       

      Best Regards

    • Re: CVE-2014-6271 Detection
      Novice

      FYI

       

      I debugged the plugin heavily this weekend and found some possible improvements regarding the crawling and exploit execution over CGI.

       

      The non-detection is due to the plugin timeout and kb_list size/depth.

       

      Our test case over Metasploitable finally worked.

      For those who are in deep pain like we were, the trick is to tune the webmirror depth and the policy plugin timeout to let the exploit tests fully run.

      If in doubt, test and check the destination victim webserver logs to analyze the behaviour.

       

      From what I know, Tenable was already aware of the needed improvement.

      Anyway, I delivered the debug and testing information to Tenable via support, and I hope they will react fast in the matter.

       

      All the best,

      Keep Scanning!

       

      Ivan Bonacci

      RadarServices GmbH
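
The log check suggested in the last post, as an added example that is not part of the thread and is not Tenable's plugin code: it reads web server access log lines and reports which request paths received a probe whose Referer or User-Agent starts with the bash function-definition prefix `() {`, then lists the CGI scripts you know exist that the scan never reached (for instance because of the plugin timeout or crawl depth). Assumptions: Apache "combined" log format, the probe arriving in one of those two logged headers, and the constructed sample lines, addresses and paths below.

```python
import re
from collections import defaultdict

# Apache "combined": host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"'
)
# A CVE-2014-6271 probe puts a bash function definition at the start of a header value.
MARKER_RE = re.compile(r'^\s*\(\)\s*\{')

# Constructed sample lines (documentation addresses, no-op marker), not real scan traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 120 "-" "() { :; }; :"',
    '192.0.2.10 - - [29/Sep/2014:10:01:03 +0000] "GET /cgi-bin/missing.sh HTTP/1.1" 404 210 "() { :; }; :" "Mozilla/5.0"',
    '192.0.2.10 - - [29/Sep/2014:10:01:04 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [29/Sep/2014:10:02:00 +0000] "GET /cgi-bin/status.cgi?x=1 HTTP/1.1" 200 120 "-" "() { :; }; :"',
]

def probed_paths(lines, scanner_ip=None):
    """Return {path: sorted HTTP statuses} for requests that carried the marker."""
    hits = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or (scanner_ip and m["host"] != scanner_ip):
            continue  # unparsable line, or traffic from a host other than the scanner
        if MARKER_RE.match(m["referer"]) or MARKER_RE.match(m["agent"]):
            path = m["path"].split("?", 1)[0]  # group by script, ignore query string
            hits[path].add(int(m["status"]))
    return {path: sorted(codes) for path, codes in hits.items()}

def unprobed(expected_cgis, hits):
    """Known CGI paths that never received a probe during the scan window."""
    return sorted(set(expected_cgis) - set(hits))

if __name__ == "__main__":
    hits = probed_paths(SAMPLE_LOG, scanner_ip="192.0.2.10")
    for path, codes in sorted(hits.items()):
        print(f"probed   {path}  statuses={codes}")
    # Hypothetical inventory of CGI scripts on the test host.
    for path in unprobed(["/cgi-bin/status.cgi", "/cgi-bin/deep/app/report.cgi"], hits):
        print(f"MISSED   {path}")
```

A script that shows up as MISSED was never tested, so a clean scan result says nothing about it; probes from a host other than your scanner are worth reviewing separately by calling `probed_paths` without `scanner_ip`.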