Super Contributor.

Arcsight affected by Shellshock Bash bug (CVE-2014-6271)

Dear all,

I have tested the CVE-2014-6271 bug (classified as 10/10) on an ArcSight shell and it is vulnerable. I have opened a support case and contacted my HP technical contact, but without an answer.

Do you have any useful information regarding this?

Regards,

Blanca Rodriguez
SIEM Engineer
15 Replies
Absent Member.

Re: Arcsight affected by Shellshock Bash bug (CVE-2014-6271)

The current patch for 6271 appears to be less than a complete fix: https://access.redhat.com/articles/1200223

Absent Member.

Re: Arcsight affected by Shellshock Bash bug (CVE-2014-6271)

Blanca,

Which systems have you tested this on?

Regards,

Absent Member.

Re: Arcsight affected by Shellshock Bash bug (CVE-2014-6271)

I have tested this on express 4.0 and it is vulnerable.

Absent Member.

Re: Arcsight affected by Shellshock Bash bug (CVE-2014-6271)

Absent Member.

Re: Arcsight affected by Shellshock Bash bug (CVE-2014-6271)

This statement is vague. How about Connector Appliance?

Absent Member.

Re: Arcsight affected by Shellshock Bash bug (CVE-2014-6271)

ESM running on Red Hat is vulnerable, and since it's not in a contained environment, patches can be applied by the customer directly.

Those appliances, like Logger & ConnApp appliances, should wait for the related patches once they are released.

For software Loggers and ConnApps, the patching requirement depends largely on the host OS.

Super Contributor.

Re: Arcsight affected by Shellshock Bash bug (CVE-2014-6271)

Thank you all, guys.

I was more concerned about CGI because it can lead to remote exploitation. As I understand it, the flaw can only be dangerous with a superuser credential, so connector appliances are less exposed since they need a call to support to gain privileged access.

I will wait for the patches then.

Blanca Rodriguez
SIEM Engineer
Trusted Contributor.

Re: Arcsight affected by Shellshock Bash bug (CVE-2014-6271)

Express 3 and 4.0 should be patched as should ESM.

Although Express is an appliance, we do have full access to the OS so there is a risk in the official statement saying to wait for a patch for Express when we can patch it ourselves to mitigate the risk with no impact to the application.

My 2 cents.

Acclaimed Contributor.

Re: Arcsight affected by Shellshock Bash bug (CVE-2014-6271)

Good point raised there about the "closed" appliance models.

For Logger, Connector Appliance and for certain licensed models of ArcMC appliances, there isn't usually direct access to SSH enabled. This is controlled by the license, and you need to go through the challenge / response process to get access to the root user and log in to the appliance. So it seems (and I need to verify) that while these may be vulnerable, they are not directly attackable due to the SSH access being disabled by default and then only enabled through a challenge / response process. Once enabled, however, it does seem that it is vulnerable.

Please note that for later models of Logger and ArcMC, it is possible to have SSH enabled by default, and in this case it is turned on. Therefore it should be reconfigured or modified to prevent privileged user access. It depends on the model and version, but please note that the ArcSight services part controls the SSHD service, so make sure you modify the correct sshd.config file. You can see it from the running services process from the /etc/init.d folder. There is a simple switch to prevent root access via SSH.

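Two local checks that follow from the posts above, written as an added example (not code from the thread, HP or ArcSight): the original poster's test of a shell for CVE-2014-6271, done here with the environment-variable self-test published in vendor advisories (the Red Hat article linked earlier in the thread describes the same test), and an audit plus fix of the `PermitRootLogin` directive in an `sshd_config` file, which is the "simple switch" against root access over SSH mentioned in the post just above. The config path, the default value assumed for a missing directive, and the sample config text are assumptions or constructed.

```python
"""Added example, not code from the thread, HP or ArcSight.
(1) CVE-2014-6271 self-test against a bash binary;
(2) audit / hardening of PermitRootLogin in an sshd_config file.
Paths and the sample config below are assumptions / constructed."""
import re
import subprocess

MARKER = "SHELLSHOCK_VULNERABLE"


def classify_bash_output(stdout: str) -> str:
    """A vulnerable bash executes the command that follows the function body
    in the imported variable and so prints MARKER; a patched bash ignores the
    trailing command (it may warn on stderr) and prints only the probe text."""
    return "vulnerable" if MARKER in stdout else "patched"


def check_bash(bash_path: str = "/bin/bash") -> str:
    """Run the advisory self-test against bash_path and classify the result."""
    probe_env = {"x": "() { :;}; echo " + MARKER}
    proc = subprocess.run([bash_path, "-c", "echo probe"], env=probe_env,
                          capture_output=True, text=True, timeout=10)
    return classify_bash_output(proc.stdout)


def permit_root_login(config_text: str) -> str:
    """Effective PermitRootLogin value in sshd_config text.
    sshd honours the first occurrence of a keyword (keywords are
    case-insensitive). When the keyword is absent, the daemon default applies;
    'yes' is assumed here for the OpenSSH generation these appliances shipped
    with. Match blocks are not modelled."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        m = re.match(r"(?i)^PermitRootLogin\s+(\S+)", line)
        if m:
            return m.group(1).lower()
    return "yes"


def harden_permit_root_login(config_text: str) -> str:
    """Return the config with PermitRootLogin forced to 'no'. The first
    directive is rewritten and later duplicates are dropped so the file
    states exactly one value; if none exists, one is prepended."""
    out, done = [], False
    for raw in config_text.splitlines():
        if re.match(r"(?i)^\s*PermitRootLogin\b", raw):
            if not done:
                out.append("PermitRootLogin no")
                done = True
            continue
        out.append(raw)
    if not done:
        out.insert(0, "PermitRootLogin no")
    return "\n".join(out) + "\n"


def audit_sshd_config(path: str = "/etc/ssh/sshd_config") -> str:
    """Report the effective PermitRootLogin value of a config file. On the
    appliances discussed, the ArcSight services may run their own sshd, so
    pass the path of the config that service actually loads (assumed path)."""
    with open(path, encoding="utf-8") as fh:
        return permit_root_login(fh.read())


# constructed sample, not an appliance file
SAMPLE_SSHD_CONFIG = """\
# constructed sample
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
"""

if __name__ == "__main__":
    print("bash:", check_bash())
    print("sample PermitRootLogin:", permit_root_login(SAMPLE_SSHD_CONFIG))
    print(harden_permit_root_login(SAMPLE_SSHD_CONFIG), end="")
```

`check_bash()` only tells you whether the binary it is pointed at is patched; run it against every bash on the box, since an appliance may carry more than one. After editing the config, the sshd that the ArcSight services control has to be restarted for the new value to take effect.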
Super Contributor.

Re: Arcsight affected by Shellshock Bash bug (CVE-2014-6271)

Hey Paul,

I know people have probably asked, but does HP have an ETA on the patch? There is another vulnerability, I believe, rearing its ugly head as well (the full-on update of the bash package kills two birds with one stone).

Thanks!

Logs, logs and more logs
Acclaimed Contributor.

Re: Arcsight affected by Shellshock Bash bug (CVE-2014-6271)

Current information that I have is below:

Hopefully we will have something sooner, but the worst-case scenario is next week on Monday morning. Please check the link above for further updates and information on this. Express and ESM appliances are included in this too, so we will provide updates accordingly. Logger, Connector Appliance and ArcMC appliances are the priority due to them being "closed", but we will do all appliances.

Please also note that we are tracking a number of issues here. What we have is a specific issue, which is what is being addressed, but the HP Security Research group is looking at a whole world of other possible vectors and scenarios. We have issued updates for TippingPoint already (actually a bunch of them) and I believe we will be doing Fortify and Webinspect shortly. The issue is that this might be the tip of a larger problem. I am not a security researcher, so I don't want to get it wrong, but take a look at the following for some more information from Jewel:

http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/HP-Security-Research-GNU-Bash-vulnerability-quot-Shellshock-quot/ba-p/6630394#.VCX4ektx8zA

And some information from Fortify on this (Fortify on Demand already has scanning capability for it):

http://h30499.www3.hp.com/t5/Fortify-Application-Security/3-Things-to-Know-About-the-Shellshock-Vulnerability/ba-p/6630504#.VCX5Lktx8zA

Finally, we are aiming to have something to address this from a content point of view soon. I can't say much more than this, because this is actually a really complex scenario to pick out. From an ArcSight perspective, for some of the vectors we can see the threat from logs. But for the other vectors, we might not see the logs, and this is the challenge. We will announce something when we can.

The good news is that HP is on it and working quickly to get some data, information, updates and patches. Just because we don't provide updates on the progress doesn't mean there isn't progress!

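The post above notes that some Shellshock vectors can be seen from logs, and an earlier reply singled out CGI as the remote vector. As an added example (not code from the thread, HP or ArcSight), the following detector scans web server access logs for the bash function-definition prefix in the request line, Referer and User-Agent, decoding percent-encoding first, and formats each hit as a CEF event of the kind an ArcSight connector can consume. The log lines are constructed (RFC 5737 documentation addresses, harmless payloads), and the CEF vendor, product, signature ID and field choices are assumptions.

```python
"""Added example, not code from the thread, HP or ArcSight: flag the
CVE-2014-6271 function-definition prefix in Apache combined-format access
logs and emit CEF events. Sample lines are constructed; CEF header values
are assumptions."""
import re
from urllib.parse import unquote

# Apache "combined" log format. Assumes quoted fields contain no embedded
# double quotes (the constructed samples satisfy that).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The prefix that triggers the bash parser bug: "()" then "{" with only
# whitespace between. Searching the decoded value also catches
# percent-encoded variants in the request line.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Constructed sample traffic, not real captures.
SAMPLE_ACCESS_LOG = [
    '198.51.100.20 - - [25/Sep/2014:10:01:03 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.5 - - [25/Sep/2014:10:02:11 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo shellshock-probe"',
    '203.0.113.9 - - [25/Sep/2014:10:03:40 +0000] "GET /cgi-bin/test.cgi?x=%28%29%20%7B%20%3A%3B%7D%3B%20echo%20probe HTTP/1.1" 404 208 "-" "curl/7.30.0"',
    '198.51.100.21 - - [25/Sep/2014:10:04:02 +0000] "GET /about HTTP/1.1" 200 1024 "https://www.example.com/" "Mozilla/5.0 (compatible; MSIE 10.0) {x}"',
]


def detect(line):
    """Return a hit dict if any header-derived field carries the prefix, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None          # unparseable line; a real pipeline would count these
    for field in ("request", "referer", "ua"):
        decoded = unquote(m.group(field))
        if SHELLSHOCK_RE.search(decoded):
            parts = m.group("request").split()
            return {
                "src": m.group("src"),
                "ts": m.group("ts"),
                "url": parts[1] if len(parts) == 3 else m.group("request"),
                "ua": m.group("ua"),
                "field": field,
                "evidence": decoded,
            }
    return None


def scan(lines):
    """Run detect() over an iterable of log lines; hits are returned in order."""
    return [hit for hit in (detect(line) for line in lines) if hit]


def _cef_header(value):
    # CEF header fields escape backslash and pipe.
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext(value):
    # CEF extension values escape backslash, equals sign and newline.
    return value.replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def to_cef(hit):
    """Format a hit as a CEF:0 line (Vendor|Product|Version|SignatureID|Name|Severity|Extension).
    Severity 10 mirrors the 10/10 rating quoted at the top of the thread.
    src, request, requestClientApplication, cs1/cs1Label and msg are standard
    CEF extension keys; the header values are assumptions."""
    header = "|".join(_cef_header(v) for v in (
        "Example", "ShellshockLogMonitor", "1.0", "CVE-2014-6271",
        "Bash function-definition prefix in HTTP request", "10"))
    ext = " ".join(f"{k}={_cef_ext(v)}" for k, v in (
        ("src", hit["src"]), ("request", hit["url"]),
        ("requestClientApplication", hit["ua"]),
        ("cs1Label", "matchedField"), ("cs1", hit["field"]),
        ("msg", hit["evidence"])))
    return f"CEF:0|{header}|{ext}"


if __name__ == "__main__":
    for hit in scan(SAMPLE_ACCESS_LOG):
        print(to_cef(hit))
```

Two of the four constructed lines produce events: the User-Agent carrying the prefix in clear, and the percent-encoded copy in the query string, which only matches because the value is decoded before the regex runs. The fourth line shows why the pattern insists on an empty `()` pair rather than any brace: an ordinary browser User-Agent with parentheses and braces does not fire. Headers that never reach the access log (for example custom headers on a CGI host) are the "other vectors" the post above says will not be visible this way.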