-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1674
     IBM Security QRadar Products: Installing the fix for CVE-2014-6271
                             26 September 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Security QRadar SIEM
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-6271
Reference:         ASB-2014.0110
                   ESB-2014.1673
                   ESB-2014.1672
                   ESB-2014.1671
                   ESB-2014.1670
                   ESB-2014.1669
                   ESB-2014.1668
                   ESB-2014.1660
                   ESB-2014.1659
                   ESB-2014.1657

Original Bulletin:
   http://www-01.ibm.com/support/docview.wss?uid=swg21685439

- --------------------------BEGIN INCLUDED TEXT--------------------

IBM Security QRadar Products: Installing the fix for CVE-2014-6271

Flash (Alert)

Document information
  More support for: IBM Security QRadar SIEM, Installation
  Software version: 7.0, 7.1, 7.2
  Operating system(s): Linux
  Reference #: 1685439
  Modified date: 2014-09-25

Abstract

A vulnerability exists in Bash as outlined in CVE-2014-6271 for QRadar
systems that could result in remote code execution. These instructions
define how to install the fix for CVE-2014-6271 in QRadar.

Content

An update has been released for QRadar to resolve CVE-2014-6271. This flash
notice includes information about the vulnerability and how to install the
fix on your QRadar system.

VULNERABILITY DETAILS:

CVE ID: CVE-2014-6271

DESCRIPTION: CVE-2014-6271 bash: specially-crafted environment variables can
be used to inject shell commands. A flaw in GNU Bash 4.3 on Red Hat
Enterprise system impacts IBM QRadar Security Information and Event
Management (SIEM) systems. This vulnerability in GNU Bash could allow remote
commands to be run on the Console or managed hosts in the QRadar deployment.
The attack does not require local network access or authentication. An
exploit can compromise the confidentiality of information, the integrity of
data and the availability of the system.

CVSS:
  CVSS Base Score: 10.0
  CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/96153 for the
    current score
  CVSS Environmental Score*: Undefined
  CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

AFFECTED PRODUCTS:

IBM QRadar Security Appliances at 7.0.x, 7.1.x, and 7.2.x (all versions).

REMEDIATION:

The vulnerability can be fixed by installing the relevant Fix or FixPack
released by QRadar development. The script released to remediate this issue
must be copied to and installed on every QRadar appliance in your
deployment. This includes QRadar Consoles, managed hosts, and HA primary and
HA secondary systems.

FILE DOWNLOAD:

The vulnerability has been fixed in the following script. The
CVE-2014-6271.sh.gz script includes the necessary files required to update
QRadar products to resolve CVE-2014-6271.

Link to IBM Fix Central - https://ibm.biz/BdF9Ad (IBM shortened URL)

WORKAROUNDS: None

MITIGATION: None

INSTALLATION PROCEDURE FOR STANDARD (NON-HA) APPLIANCES:

Administrators should start by patching the Console appliance, then apply
the patch to the managed hosts in their networks. Any systems that are
installed as HA pairs should follow the HA instructions provided below. This
update requires a system reboot.

Procedure

1. Download the CVE-2014-6271.sh.gz script from IBM Fix Central. This single
   file contains all of the software required to patch any version of
   QRadar SIEM (7.0.x, 7.1.x, or 7.2.x).
2. Using SCP or WinSCP (for Windows systems), copy the script to your QRadar
   appliance.
3. To extract the file, type the following command:
   gunzip CVE-2014-6271.sh.gz
4. To set the correct permission on this file, type the following command:
   chmod +x CVE-2014-6271.sh
5. To run the script, type the following command:
   ./CVE-2014-6271.sh
   The script updates the bash version to address CVE-2014-6271. After the
   rpm is installed you will be required to reboot your system.
6. When the script has completed the update, the following message is
   displayed: COMPLETE. Type reboot and press Enter.
7. Repeat this procedure for every QRadar appliance in your network.

INSTALLATION PROCEDURE FOR HIGH-AVAILABILITY (HA) APPLIANCES:

This installation procedure requires the administrator to first patch the
secondary HA appliance. The secondary appliance must be patched and rebooted
before the administrator can patch the primary system. The administrator
must force the primary to fail over to the already patched secondary
appliance to make the HA secondary active. The primary HA appliance can then
be patched, rebooted, and set online.

Procedure

1. Download the CVE-2014-6271.sh.gz script from IBM Fix Central. This single
   file contains all of the software required to patch any version of
   QRadar SIEM (7.0.x, 7.1.x, or 7.2.x).
2. Using SCP or WinSCP (for Windows systems), copy the script to the primary
   and secondary HA appliance.
3. To extract the files, type the following command:
   gunzip CVE-2014-6271.sh.gz
4. To set the correct permission on this file, type the following command:
   chmod +x CVE-2014-6271.sh
5. On your HA secondary system, type the following command to install the
   fix:
   ./CVE-2014-6271.sh
   The script updates bash to version bash-4.1.2-15.el6_5.1.x86_64 to
   address CVE-2014-6271. After the rpm is installed you will be required to
   reboot your system.
6. When the script has completed the update, the following message is
   displayed: COMPLETE. Type reboot and press Enter to reboot the secondary
   HA appliance.
   IMPORTANT: You must wait for the HA secondary to reboot before you set
   the primary system offline.
7. Log in to the QRadar Console.
8. Click the Admin tab and select the System and License Management icon.
9. Select the HA primary system.
10. From the toolbar, select High Availability > Set System Offline. This
    fails over the primary system and the secondary will enter the active
    state.
11. From the command-line interface of the HA primary system, type the
    following command to install the fix:
    ./CVE-2014-6271.sh
    The script updates bash to address CVE-2014-6271. After the rpm is
    installed you will be required to reboot your system.
12. When the script has completed the update, the following message is
    displayed: COMPLETE. Type reboot and press Enter to reboot the primary
    HA appliance.
    IMPORTANT: You must wait for the HA primary to reboot before you can set
    the primary system online.
13. Click the Admin tab and select the System and License Management icon.
14. Select the HA primary system.
15. From the toolbar, select High Availability > Set System Online. This
    sets the primary system active and the secondary will enter the standby
    state.

ADDITIONAL INFORMATION:

Any administrators who want to examine the script before they run the file
on their system are free to review this update. However, any examination
should take place from the Console or a Linux system to prevent file
conversion issues between Windows systems and Linux that might prevent the
script from launching as expected.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVCTtERLndAQH1ShLAQJiMg/+KfM1BSKBmiQCGo4Hc6w0ycHbE5PnZ/YC
Uj5IBvgXOi1+A040PT8E2jg6ncavGklZmZC5xMd2Xu1rCg/q/O6cKzVFQvLCgis3
71n8GeUjUqwnvBB5N/lvQB2LfJYRfHv3IcqE2EonfNqCI6mtDv+WaO2qgCzekeTQ
epHudGV9xg1cA7ZHs7vj6ttdSYYLmA1wKm9ybeEwWj/OyaRIV71R1X3iU6lYiTwT
9VVEqhIvVcbwpWp3VcK8Tus1RQQzo/cp3GCjCFOGpZW0wPlztoGuBhlLlanWr0Iv
p0bNY2xoXV0THtIAKUijSy9p+Sfm1boRHG53ngVr2UaLc+z4+17tXx5fkYMi8+7D
IlIpOCyOflaT6bQbE1E+yAqoBpknj+YrO9SFfdEzv76ggKyYuwau5eb3NK7yJEtK
9CBxFGmze6sdEqiFtW02j7sFgV5aRyr1pYXpbtwFgWntQ5JnSC9bWZuZIjymm261
7V4AQcslzR465bOwOTL5290sAAMBnU84sDGnf2eeIowhZcg9qhZTp2Y48CakiSIz
GzT1lOUcp1KivuHERoNPTdiLSFFlUwdizw3+Zbwif7Y/b9harRgZrwlAp5/Q5AaJ
fTrwjmITTETD7dp4ZURlN4rO7jZPbdDlIq9F9IOQ8c3Zho6CKgaIOdUB0s1oPsWn
RvPgoCtYgwE=
=eyg8
-----END PGP SIGNATURE-----
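The two installation procedures above (standard and HA) end each appliance's patch step with a reboot but give the administrator no check that the rpm actually landed before rebooting or failing the HA pair over. The script below is an added example, not the IBM CVE-2014-6271.sh script or any AusCERT tooling: it drives the documented gunzip / chmod / run steps for one appliance and then compares the installed bash package (as reported by rpm -q bash) against the fixed package name the bulletin gives, bash-4.1.2-15.el6_5.1.x86_64. It assumes GNU sort -V for version ordering and only judges packages on the 4.1.2/el6 train the bulletin names (QRadar 7.1.x/7.2.x); for any other bash package it reports "unknown" rather than guessing, since the bulletin does not state the fixed version for 7.0.x.

```shell
#!/bin/sh
# Added example (not part of the IBM or AusCERT bulletin).
# Assumes: the fixed el6 package name from the bulletin, and GNU `sort -V`.

FIXED_BASH="bash-4.1.2-15.el6_5.1"   # from the bulletin; arch suffix dropped

# strip_arch NEVRA -> NEVR: drop a trailing .x86_64 / .i686 / .noarch
strip_arch() {
    case "$1" in
        *.x86_64) printf '%s\n' "${1%.x86_64}" ;;
        *.i686)   printf '%s\n' "${1%.i686}" ;;
        *.noarch) printf '%s\n' "${1%.noarch}" ;;
        *)        printf '%s\n' "$1" ;;
    esac
}

# bash_is_fixed NEVRA
#   exit 0: installed package is at or above FIXED_BASH
#   exit 1: installed package is on the same train but below FIXED_BASH
#   exit 2: package is not a bash-4.1.2 el6 build, so this check cannot judge it
bash_is_fixed() {
    nevr=$(strip_arch "$1")
    case "$nevr" in
        bash-4.1.2-*.el6*) ;;
        *) return 2 ;;
    esac
    # sort -V orders version strings; if the fixed name sorts first (or is equal),
    # the installed package is >= the fixed package.
    lowest=$(printf '%s\n%s\n' "$FIXED_BASH" "$nevr" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_BASH" ]
}

# apply_fix: the bulletin's per-appliance steps, then verify before telling
# the operator to reboot (run from the directory holding the downloaded file).
apply_fix() {
    script="CVE-2014-6271.sh"
    if [ -f "$script.gz" ]; then
        gunzip "$script.gz"
    fi
    chmod +x "$script"
    "./$script"
    installed=$(rpm -q bash)
    bash_is_fixed "$installed"
    case $? in
        0) echo "bash is $installed: fixed, reboot now" ;;
        1) echo "bash is $installed: still below $FIXED_BASH, do not reboot or fail over" >&2
           return 1 ;;
        *) echo "bash is $installed: not the el6 package the bulletin names, verify manually" >&2
           return 2 ;;
    esac
}

# Only run the procedure when explicitly requested, so the file can be
# sourced just for the bash_is_fixed check.
if [ "${CVE_6271_APPLY:-0}" = 1 ]; then
    apply_fix
fi
```

Run it on an appliance as CVE_6271_APPLY=1 sh check-6271.sh after copying CVE-2014-6271.sh.gz alongside it; in the HA procedure, a non-zero exit on the secondary is the signal not to proceed to Set System Offline on the primary. Returning a distinct code for "unknown train" rather than folding it into "not fixed" keeps a patched 7.0.x host from being reported as vulnerable by a check whose reference version does not apply to it.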