CVE-2014-6271 Shellshock rules blocking Sharepoint traffic?

L1 Bithead

CVE-2014-6271 Shellshock rules blocking Sharepoint traffic?

This morning our PAs began blocking internal Sharepoint document access with App-ID 36995. The traffic that is blocked is coming from IE11 + Windows 7 clients.

I'm not sure why this bash vulnerability is being flagged as affecting Windows servers + clients in this case. Anyone have ideas?

Accepted Solutions
L3 Networker

Re: CVE-2014-6271 Shellshock rules blocking Sharepoint traffic?

It's blocking it because of a vulnerability called an arbitrary code execution exploit. Most of these vulnerabilities allow the execution of machine code which may allow the attacker to run arbitrary commands.



All Replies
L3 Networker

Re: CVE-2014-6271 Shellshock rules blocking Sharepoint traffic?

It's also vulnerable to injection and execution of shell code

L1 Bithead

Re: CVE-2014-6271 Shellshock rules blocking Sharepoint traffic?

Thanks for the reply. Any ideas how to mitigate/address this? Admittedly, I'm not sure what can be done on the client-side to allow for the traffic/access to be non-exploitable.

L3 Networker

Re: CVE-2014-6271 Shellshock rules blocking Sharepoint traffic?

The default action is set to Alert to allow administrators to choose their desired action.

L1 Bithead

Re: CVE-2014-6271 Shellshock rules blocking Sharepoint traffic?

Thanks. Looks like it may be unpatched Office clients triggering this from my inspection/testing.

L5 Sessionator

Re: CVE-2014-6271 Shellshock rules blocking Sharepoint traffic?

Hi Khang,

Shellshock is a fancy name for specially crafted packets in client-to-server communication that are trying to exploit bash and could lead to execution of arbitrary commands on the server.

If you have your own trusted hosts on the originating side (if this is from your own network as you are suggesting) I would definitely open a case with TAC and see if this is a false positive or you might have compromised hosts in your network that are trying to enumerate / exploit servers within. If it is False Positive - PAN needs to solve it; if it is not False Positive then some probes for vulnerable bash inside of your network would be considered indicators of compromise.

Best regards,

Luciano
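
For the false-positive-versus-probe question raised in the reply above, one way to inspect the HTTP requests from a captured flagged session for the bash function-definition marker. This is an added example, not part of the thread and not the firewall vendor's signature logic; the sample requests, host names and function names are constructed.

```python
import re

# Bash imported an environment value beginning "() {" as a function definition;
# CVE-2014-6271 concerns text after that definition being executed.
# Loose match (optional whitespace) is an assumption, not the vendor's signature.
MARKER = re.compile(r"\(\)\s*\{")

def parse_headers(raw_request):
    """Return [(name, value)] for a raw HTTP request, skipping the request line."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:  # ignore lines that are not "Name: value"
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def shellshock_hits(raw_request):
    """Return the (header, value) pairs whose value contains the marker."""
    return [(n, v) for n, v in parse_headers(raw_request) if MARKER.search(v)]

def triage(captures):
    """Map each capture label to 'marker-present' or 'no-marker'."""
    return {label: ("marker-present" if shellshock_hits(raw) else "no-marker")
            for label, raw in captures.items()}

# Constructed sample requests (not taken from the thread).
SAMPLES = {
    "office-client": (
        "GET /sites/team/Shared%20Documents/report.docx HTTP/1.1\r\n"
        "Host: sharepoint.example.internal\r\n"
        "User-Agent: Microsoft Office (constructed)\r\n\r\n"
    ),
    "probe": (
        "GET /cgi-bin/status HTTP/1.1\r\n"
        "Host: web.example.internal\r\n"
        "User-Agent: () { :;}; echo constructed-probe\r\n\r\n"
    ),
}

if __name__ == "__main__":
    for label, verdict in triage(SAMPLES).items():
        print(label, verdict, shellshock_hits(SAMPLES[label]))
```

A flagged session with no marker in any header points toward a signature false positive to raise with TAC; a marker in traffic from an internal host is the case the reply treats as an indicator of compromise.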

L1 Bithead

Re: CVE-2014-6271 Shellshock rules blocking Sharepoint traffic?

Thanks for the reply. I did some testing with the Sharepoint document access traffic from patched Windows workstations and they're not triggering the PA alerts/blocking so I chalk this up to the desktops not being patched yet. 

L2 Linker

Re: CVE-2014-6271 Shellshock rules blocking Sharepoint traffic?

Hi,

What components were unpatched? Windows, IE or Office?

Have several clients alerting on this in the morning. Destination is 2 sharepoint servers on the LAN and 1 residing in one-drive.

Upgraded our HA to 7.0.5h2 two days ago.

L1 Bithead

Re: CVE-2014-6271 Shellshock rules blocking Sharepoint traffic?

Office components weren't updated.
