This morning our PAs began blocking internal SharePoint document access with App-ID 36995. The traffic that is blocked is coming from IE11 + Windows 7 clients.
I'm not sure why this bash vulnerability is being flagged as affecting Windows servers + clients in this case. Anyone have ideas?
Shellshock is a fancy name for specially crafted packets in client-to-server communication that are trying to exploit bash and could lead to execution of arbitrary commands on the server.
If you have your own trusted hosts on the originating side (if this is from your own network, as you are suggesting), I would definitely open a case with TAC and see if this is a false positive or you might have compromised hosts in your network that are trying to enumerate / exploit servers within. If it is a false positive, PAN needs to solve it; if it is not a false positive, then some probes for vulnerable bash inside of your network would be considered indicators of compromise.