OS-OTHER Bash CGI environment variable injection attempt
These alerts are triggered when an attempt to exploit the Bash Shellshock vulnerability through CGI scripts on a web server is detected. Shellshock is a severe flaw in the Unix Bash shell: a CGI handler exports request data (headers, form fields) into environment variables, and a vulnerable Bash parses a value beginning with the function-definition prefix "() {" and executes whatever follows it, allowing an attacker to run arbitrary commands on the affected system and potentially gain unauthorized access or control.
Signature
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:"() {"; fast_pattern:only; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:31976; rev:5;)
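The following is an added example, not part of the original rule documentation: a minimal re-implementation of the match logic sid:31976 applies, run over constructed HTTP requests. It also shows the caveat an analyst needs when triaging this alert: the content match "() {" is restricted to the HTTP client body (http_client_body), so the same bytes arriving in a request header would not fire this particular signature.

```python
# Added example (not the original rule or a Snort component): the detection
# logic of sid:31976 reduced to its essentials, over constructed requests.
PATTERN = b"() {"  # fast_pattern content from the signature


def split_request(raw: bytes):
    """Split a raw HTTP request into (request line, headers dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def matches_sid_31976(raw: bytes) -> bool:
    """True when the function-definition prefix appears in the client body,
    which is the only buffer this signature inspects."""
    _, _, body = split_request(raw)
    return PATTERN in body


def pattern_locations(raw: bytes) -> dict:
    """Report where the pattern occurs so an analyst can distinguish a body
    hit (this rule) from a header-only hit (not covered by this rule)."""
    _, headers, body = split_request(raw)
    return {
        "body": PATTERN in body,
        "headers": [n.decode() for n, v in headers.items() if PATTERN in v],
    }


# Constructed sample traffic (not captured data).
BODY_HIT = (b"POST /cgi-bin/status HTTP/1.1\r\nHost: example.test\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: 30\r\n\r\n"
            b"name=() { :;}; echo shock-test")
HEADER_HIT = (b"GET /cgi-bin/status HTTP/1.1\r\nHost: example.test\r\n"
              b"User-Agent: () { :;}; echo shock-test\r\n\r\n")
BENIGN = (b"POST /cgi-bin/status HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Length: 8\r\n\r\nname=bob")

if __name__ == "__main__":
    for label, req in (("body", BODY_HIT), ("header", HEADER_HIT), ("benign", BENIGN)):
        print(label, matches_sid_31976(req), pattern_locations(req))
```

Running it prints a match only for the body case; the header case is reported by pattern_locations but not by matches_sid_31976, which is the gap to keep in mind when this alert is absent but a header-based attempt is suspected.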
Recommendations/Investigative actions
It is recommended to quarantine the affected system to prevent potential lateral movement within the network. Then apply the latest security patches or updates to the Bash shell to mitigate the vulnerability, and conduct a thorough investigation to determine whether any compromise or data breach occurred.
Relations to other alerts