[Urgent dispatch] Security Alert: Code Injection Vulnerability - Recommendation for Financial Companies' Self-Inspection and Patch Application
Security Service Division, Team Lead Min Sang-sik, Intern Jo Byeong-yeol / 2014. 9. 30

Overview
  A code injection vulnerability has been discovered and prompt action is required, so this alert is being distributed.

Risk and urgency
  Category   Risk   Urgency
  Grade      High   High

Vulnerability details
  - Command injection vulnerability (aka [...])
  - The security update was incomplete, so the vulnerability still exists
  - Vulnerability that allows [...] attacks from a remote location

  Category            Content
  Attack threat       If an account's default shell is the Bash shell and a vulnerable version is in use: all versions released so far up to and including [...] are vulnerable. Remote or insider attacks through this vulnerability are possible, so administrator action is required.
  Affected software   Systems using version [...] or earlier: operating systems that use Bash as the default shell (Linux, [...], etc.), or operating systems ([...], etc.) where the Bash shell is not the default but can be used through configuration.
  Content             Code injection and other attacks are possible in any service through which Bash commands can be executed. [...] code exploiting this vulnerability has been published. Attacks exploiting this vulnerability have been observed overseas.

  Shell types include the Bourne Shell (sh, the default shell of Unix V7 in 1977), the C Shell (csh, released 1978), the Korn Shell (ksh, released 1983) and the GNU Bourne-Again Shell (bash, released 1989). AIX uses the Bourne Shell (up to version 3) and the Korn Shell (version 4) as its default shell.

1) The vulnerability details were disclosed on 24 September 2014 (US local time).
2) http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-6271 (published 9.24, US local time)
3) http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-7169 (published 9.24, US local time)
4) http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-7186 (published 9.28, US local time)
5) http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-7187 (published 9.28, US local time)
Copyright ⓒ Financial Security Agency. - 1 -
Response Recommendations

Urgent action recommendation
  - If the default shell of the account running the [...] is Bash and the [...] module is in use, malicious code can be executed from a remote location. In addition, a vulnerability that allows [...] attacks from a remote location has been discovered, creating threats such as denial-of-service attacks. Where important service programs (web server, [...] service programs, etc.) are run under an account whose default shell is Bash, urgent patching is therefore required.
  - Because a remote attack from outside the financial company is possible, the related measures must be carried out immediately (examine the default shell of each account, identify the accounts whose shell is bash, and the role each account performs ...

General recommendation
  - A remote attack from outside the financial company is difficult, but a patch plan for this vulnerability should be established and the updates performed.
  - If [...] access to the financial company's server is possible from outside and the attacker also knows account credentials, the [...] restriction that allows only a limited set of commands to run can be bypassed.
  - If malicious code is added to the [...] server, arbitrary commands can be executed simultaneously on a large number of [...] devices through this vulnerability. 6)
  - If an insider with access to the server can run a shell script inside a daemon that has [...] privileges, this vulnerability can be used to execute arbitrary commands with the daemon's privileges.

6) https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/
Current Response Measures
  - Security update: apply the Bash shell patch.
  - Network defense: use defense equipment such as [...] to update the rules that block attacks on this vulnerability coming from remote locations. Wireless APs and network equipment that use the Bash shell appear to require detailed examination.
  - Server configuration change: unnecessary [...]-related functions [...]
  - Server configuration change: switching from the Bash shell to another shell is also possible, but the additional impact must be carefully considered.
[Appendix 1] Bash shell vulnerability: detailed inspection and response 7)

Checking whether the Bash shell is used
  - Check the shell type in use:
      $ echo $SHELL
      /bin/bash
  - If Bash is in use, check the version. GNU Bash 4.3 and earlier are vulnerable. Enter bash --version or echo $BASH_VERSION (example):
      $ echo $BASH_VERSION
      4.2.37(1)-release

How to check for CVE-2014-6271 and CVE-2014-7169
  Check method 1
    [Command]
      env x='() { :;}; echo VULNERABLE' bash -c :
    [Result] - vulnerable:
      VULNERABLE
    < Mac OS X check example 8) > (screenshot)
    [Result] - patched:
      bash: warning: x: ignoring function definition attempt
      bash: error importing function definition for `x'
  Check method 2 ([...]-based example 9))
    [Command]
      cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo

7) Partially quoted from KISA Vulnerability Analysis Team, "GNU Bash remote command execution vulnerability response recommendation", 2014.9.26, http://boho.or.kr/upload/file/epf854.pdf
8) http://mac-how-to.wonderhowto.com/how-to/every-mac-is-vulnerable-shellshock-bash-exploit-heres-patch-os-x-0157606/
9) https://access.redhat.com/articles/1200223
    [Result] - vulnerable:
      bash: x: line 1: syntax error near unexpected token `='
      bash: x: line 1: `'
      bash: error importing function definition for `x'
      Fri Sep 26 11:49:58 GMT 2014
    < Mac OS X check example 10) > (screenshot)
    [Result] - patched:
      date
      cat: /tmp/echo: No such file or directory
  Check method 3: under investigation

Detailed patch information by operating system
  [...]      CVE-2014-6271 and CVE-2014-7169 patched: bash-4.3-8, 4.2-16
             CVE-2014-6271 only: bash-4.3-7, 4.2-15, 4.1-9
  [...] 11)  (details require a login account)
  [...]      Patch for CVE-2014-6271 and CVE-2014-7169 released (not the official homepage)

10) http://mac-how-to.wonderhowto.com/how-to/every-mac-is-vulnerable-shellshock-bash-exploit-heres-patch-os-x-0157606/
11) https://h20565.www2.hp.com/portal/site/hpsc/template.page/public/kb/docdisplay/?spf_p.tpst=kbdocdisplay&spf_p.prp_kbdocdisplay=wsrp-navigationalstate%3ddocid%253demr_na-c04466552-1%257cdoclocale%253d%257ccalledby%253d&javax.portlet.begcachetok=com.vignette.cachetoken&javax.portlet.endcachetok=com.vignette.cachetoken
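The appendix asks administrators to find every account whose default shell is bash and then run the CVE-2014-6271 probe. The script below, added here as an example and not part of the FSA advisory or the KISA material it quotes, automates the inventory half of that check and wraps the advisory's own probe command in a function that reports a result word instead of relying on a human reading the output. The passwd-format sample is constructed so the script runs offline; on a real host pass /etc/passwd instead. The function names and the "affected-range" / "newer" / "vulnerable" / "patched" / "no-bash" result words are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the advisory): list accounts whose login shell is
# bash and run the advisory's CVE-2014-6271 probe, reporting a result word.

# Constructed sample in /etc/passwd format so the script runs offline.
# On a real host, call the functions with /etc/passwd instead.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
deploy:x:1001:1001::/home/deploy:/usr/bin/bash
backup:x:34:34:backup:/var/backups:/bin/sh
EOF

# Print the accounts whose login shell (7th field) is bash, one per line,
# regardless of the directory the binary lives in.
bash_accounts() {
    awk -F: '{ n = split($7, p, "/"); if (p[n] == "bash") print $1 }' "$1"
}

# Classify a $BASH_VERSION string such as "4.2.37(1)-release" by the
# advisory's rule: GNU Bash 4.3 and earlier are in the affected range.
# Prints "affected-range" or "newer".
version_in_affected_range() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    minor=${minor%%\(*}
    if [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -le 3 ]; }; then
        echo affected-range
    else
        echo newer
    fi
}

# Run the advisory's probe. A vulnerable bash executes the "echo VULNERABLE"
# that trails the function definition while importing x from the environment;
# a patched bash only warns on stderr. Prints "vulnerable", "patched", or
# "no-bash" when no bash binary is installed on this host.
shellshock_probe() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return; }
    out=$(env x='() { :;}; echo VULNERABLE' bash -c : 2>/dev/null)
    case "$out" in
        *VULNERABLE*) echo vulnerable ;;
        *) echo patched ;;
    esac
}

echo "Accounts with bash as login shell:"
bash_accounts "$SAMPLE_PASSWD"
echo "Probe result on this host: $(shellshock_probe)"
```

The version check only tells you whether a build falls in the range the advisory names; vendor packages that carry the fix (for example the bash-4.3-8 package listed on the next page) still report a 4.3 version string, so the probe's behavioural result is what decides whether a host is patched. Note also that on distributions where /bin/sh is a symlink to bash, scripts run under sh are affected too, so the probe matters on every host and not only for the accounts the inventory lists.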
             (OS X bash Update 1.0, released 9.29 local time, OS X Mavericks v10.9.5 or later)

How to apply the update (Linux OS)
  Update methods by Linux distribution (for other [...], see the links above)

  Distribution   Commands
  FreeBSD        pkg info bash
                 pkg upgrade bash
  CentOS         yum clean all && yum update bash
  Redhat         yum clean all && yum update bash
  Ubuntu         sudo apt-get update
                 sudo apt-get install --only-upgrade bash
  Fedora         (1) Fedora 21 alpha
                 su -c "yum -y install koji"
                 koji download-build --arch=$(uname -m) bash-4.3.25-2.fc21
                 su -c "yum localinstall bash-4.3.25-2.fc21.$(uname -m).rpm"
                 (2) Fedora 20
                 su -c "yum -y install koji"
                 koji download-build --arch=$(uname -m) bash-4.2.48-2.fc20
                 su -c "yum localinstall bash-4.2.48-2.fc20.$(uname -m).rpm"
                 (3) Fedora 19
                 su -c "yum -y install koji"
                 koji download-build --arch=$(uname -m) bash-4.2.48-2.fc19
                 su -c "yum localinstall bash-4.2.48-2.fc19.$(uname -m).rpm"
  Oracle Linux   yum list-security | grep bash

  Note: depending on the currently installed Bash version, there are cases where only one of the two vulnerabilities has been patched.

Network detection rule settings 12)
  [Suricata Format]
  alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Volex - Possible CVE-2014-6271 bash Vulnerability Requested (header)"; flow:established,to_server; content:"() {"; http_header; threshold:type limit, track by_src, count 1, seconds 120; sid:2014092401;)

12) Source: http://www.volexity.com/blog/?p=19
  [Snort Format]
  alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Volex - Possible CVE-2014-6271 bash Vulnerability Requested (header)"; flow:established,to_server; content:"() {"; http_header; threshold:type limit, track by_src, count 1, seconds 120; sid:2014092401;)

  Suricata and Snort are open-source IDS/IPS/NMS tools. 13)

  < Example of an internal ping scan command 14) > (screenshot)

13) Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Snort is a free and open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS) created by Martin Roesch in 1998.
14) http://blog.securityonion.net/2014/09/bash-vulnerability-part-3.html?m=1
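The Suricata and Snort rules above fire on the literal "() {" appearing in an HTTP header and, through threshold:type limit with count 1, raise at most one alert per source address in each window. The script below, added here as an example and not taken from the advisory or from Volexity, applies the same signature and the same per-source collapsing to web server access logs after the fact, which is useful for hosts or network segments the IDS did not see. It assumes Apache combined log format, where the two trailing quoted fields are the Referer and User-Agent headers; the log lines are constructed for this example, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the advisory or Volexity): look for the IDS rule's
# "() {" header signature in web server access logs and report one alert per
# source address, mirroring "threshold:type limit, track by_src, count 1".

# Constructed sample in Apache combined log format. The last two quoted
# fields are Referer and User-Agent. On a real host read the server's log.
SAMPLE_ACCESS_LOG=$(mktemp)
cat > "$SAMPLE_ACCESS_LOG" <<'EOF'
203.0.113.10 - - [25/Sep/2014:03:12:01 +0900] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :;}; echo VULNERABLE"
198.51.100.7 - - [25/Sep/2014:03:12:05 +0900] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.10 - - [25/Sep/2014:03:12:09 +0900] "GET /cgi-bin/test.cgi HTTP/1.1" 404 210 "() { :;}; echo VULNERABLE" "curl/7.37.0"
192.0.2.44 - - [25/Sep/2014:03:13:40 +0900] "POST /cgi-bin/login.cgi HTTP/1.1" 200 64 "-" "() { :; }; echo probe"
198.51.100.7 - - [25/Sep/2014:03:14:00 +0900] "GET /about.html HTTP/1.1" 200 1024 "http://example.test/" "Mozilla/5.0 (Windows NT 6.1)"
EOF

# Count, per client address, the requests whose Referer or User-Agent field
# carries the "() {" signature. Only the header fields after the status code
# and response size are inspected, like the rule's http_header modifier.
# Output: "<count> <ip>" per offending source, sorted by address.
shellshock_hits_by_source() {
    awk '
        {
            # Locate the closing quote of the request line followed by
            # status, size and the opening quote of the Referer field.
            if (match($0, /" [0-9][0-9][0-9] [0-9-]+ "/)) {
                hdr = substr($0, RSTART + RLENGTH - 1)
                if (index(hdr, "() {") > 0) hits[$1]++
            }
        }
        END { for (ip in hits) print hits[ip], ip }
    ' "$1" | sort -k2
}

# One alert line per source no matter how many requests it sent, which is
# what the rule's threshold achieves on the wire.
shellshock_alerts() {
    shellshock_hits_by_source "$1" |
        awk '{ print "ALERT possible CVE-2014-6271 probe from " $2 " (" $1 " request(s))" }'
}

shellshock_alerts "$SAMPLE_ACCESS_LOG"
```

Because the signature is the bare "() {" string, the same false-positive profile applies as to the IDS rule: any client that legitimately sends that sequence in a header will be reported, so treat a hit as a lead to verify against the CGI scripts the request targeted rather than as a confirmed compromise.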
[Appendix 2] Reference information on this vulnerability

Vulnerability details
o CVE-2014-6271 vulnerability information
  Remote code (more precisely, command) execution vulnerability through the bash shell
  GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect;
  http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-6271
  - [CVE-2014-6271] GNU Bash remote code injection vulnerability (Apache server vulnerability related)
    http://hacksum.net/vuln/cve-2014-6271-gnu-bash-gnu-bash-원격코드-인젝션-취약점/
  - [CVE-2014-6271] ShellShock Remote Code Execution Vulnerability (SSH related)
    http://forensic.n0fate.com/?p=1256
  - [CVE-2014-6271] Shellshock DHCP RCE Proof of Concept (DHCP related)
    https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/
o CVE-2014-7169 vulnerability information
  Remote code (more precisely, command) execution vulnerability through the bash shell
  GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271.
  http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-7169
o CVE-2014-7186 vulnerability information
  Allows DOS attacks and similar from a remote location
  The redirection implementation in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via crafted use of here documents, aka the "redir_stack" issue.
  http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-7186
o CVE-2014-7187 vulnerability information
  Allows DOS attacks and similar from a remote location
  Off-by-one error in the read_token_word function in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via deeply nested for loops, aka the "word_lineno" issue.
  http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-7187

Security alerts and related articles
o [KISA] Bourne Again Shell (Bash) arbitrary code execution vulnerability security update recommendation (2nd), 2014.09.26
  http://krcert.or.kr/kor/data/secnoticeview.jsp?p_bulletin_writing_sequence=21984
  http://boho.or.kr/upload/file/epf854.pdf
[Appendix 3] CVE-2014-6271 explanation (Easy Version)