Imperva Security Response for CVE-2014-6271 (AKA "Shellshock")

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment.

Revision History
Date        Comment
09/25/2014  Initial Version
09/30/2014  Added availability dates for ADC content

Status Summary
  • Organizations can mitigate this vulnerability by using Imperva SecureSphere WAF (See Protecting Applications below for details).
  • SecureSphere is not impacted by this vulnerability.
  • Best practices dictate that the SecureSphere management port should not be exposed externally.

1) Protecting Applications:

Imperva customers can use SecureSphere WAF to protect vulnerable applications as follows:
  • Imperva’s Application Defense Center (ADC) has produced signatures that can mitigate this vulnerability for affected applications. Details of the signature are available from Imperva Support. On 9/29/2014, the ADC released additional signatures to Imperva Support.
  • ADC content with built-in signatures will be available 10/05/2014.

2) Affected Imperva Products:
  • None.
Imperva Products Not Affected:
The following products and versions are not vulnerable:
  • SecureSphere 9.0, 9.5, 10.0, 10.5, ThreatRadar Service

Description

SecureSphere is not affected by this vulnerability. The SecureSphere platform does use GNU Bash. However, on SecureSphere this vulnerability relies upon SSH access, and any SSH access to SecureSphere requires privileged access. Therefore, this privilege escalation vulnerability will not grant any additional privileges to such users, as they would already have “root” level access.

Also, the SecureSphere management server does not use the web server CGI components (“mod_cgi” and “mod_cgid”) that would be required to exploit this vulnerability over HTTP on SecureSphere management servers.

Finally, note that best practices dictate that the SecureSphere management port should not be exposed outside the organization.
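The two checks below are an added example written for this page and are not Imperva content or SecureSphere functionality. They show, from the defender's side, the Bash behaviour the opening description refers to: the first function asks a given bash binary whether it still executes text placed after a function definition in an environment variable (the trailing text used here only prints a marker), and the second counts access-log lines whose header fields carry the "() {" prefix that a CGI host would copy into Bash's environment. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example for this advisory (not Imperva's own content): two defender-side
# checks for the Bash behaviour described above. Function names and the sample
# log lines are constructed for illustration.

# 1) Ask a given bash binary whether it still imports environment variables that
#    start with a function definition and then executes the text that follows the
#    function body. The trailing text used here only prints a marker.
#    Prints "vulnerable" (returns 1), "patched" (returns 0) or "missing" (returns 2).
shellshock_status() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "missing"
        return 2
    fi
    # An unpatched bash runs the text after the function body while importing
    # "probe"; a patched bash treats the whole value as a plain string.
    out=$(env probe='() { :; }; echo SHELLSHOCK_MARKER' "$bash_bin" -c 'echo done' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo "vulnerable"; return 1 ;;
        *)                   echo "patched";    return 0 ;;
    esac
}

# 2) Count web-server access-log lines whose header fields (User-Agent, Referer, ...)
#    carry the "() {" function-definition prefix. Reads log lines on stdin and
#    prints the number of flagged lines (0 when nothing matches).
count_shellshock_probes() {
    grep -cF '() {' || true
}

# Constructed sample in Apache combined-log format: lines 1 and 3 carry the
# function-definition prefix in the User-Agent and Referer fields; line 2 is normal.
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
198.51.100.7 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :;}; echo probe" "curl/7.30"'

# Example run: status of the local (or given) bash, then the number of flagged sample lines.
shellshock_status "${1:-bash}" || true
printf '%s\n' "$SAMPLE_LOG" | count_shellshock_probes
```

Run it as `sh check.sh /bin/bash` to test a specific binary; the first function's return code (1 for vulnerable) makes it usable from a patch-compliance script, and the second function can be fed real access logs in place of the constructed sample.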


Vendor Fix

No fix is needed. However, Imperva will update the affected components in an upcoming patch release.


References

National Vulnerability Database Listing: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271