Endpoint Protection

  • 1.  Recurring message CVE-2014-6271

    Posted Dec 09, 2014 12:50 PM

    I keep getting this recurring message from Symantec Endpoint Protection: "[SID: 27907] OS Attack: GNU Bash CVE-2014-6271 detected". I have fully scanned my computer multiple times, and it found there was nothing wrong. I reinstalled the latest version of Symantec, and scanned again, also found nothing wrong. I checked the processes running in Task Manager and there seemed to only be programs I installed running or Windows processes - nothing overtly suspicious.

    I am getting these messages upwards of a dozen to two dozen times a day, and I am worried my machine might be vulnerable, but the only information I can find online on this warning dialog is information on how dangerous the bash bug is... nothing on how to solve the problem.



  • 2.  RE: Recurring message CVE-2014-6271

    Posted Dec 09, 2014 12:53 PM

    This is the Shellshock vulnerability. Is it inbound traffic? If so, someone on the outside is trying to exploit this vulnerability. The IPS is doing its job by blocking the attempt(s).

    You can create a firewall rule to block the offending IP address.

    Other than that, SEP is doing its job.



  • 3.  RE: Recurring message CVE-2014-6271



  • 4.  RE: Recurring message CVE-2014-6271

    Posted Dec 11, 2014 06:21 AM

    Hi dugfresh2,

    I agree with the advice above. Check your SEPM's report on IPS Attack Logs and you will see what remote host IPs are attempting to exploit this vulnerability.

    Two Reasons why IPS is a "Must Have" for your Network
    https://www-secure.symantec.com/connect/articles/two-reasons-why-ips-must-have-your-network
     

    Also: please do ensure that you have upgraded software on that computer so that it is not vulnerable to Shellshock!

    With thanks and best regards,

    Mick
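
    The advice above to confirm the computer is not vulnerable can be checked locally. The script below is an added example, not part of the thread or of any Symantec tooling: it probes every bash binary on PATH for the CVE-2014-6271 flaw. It assumes a bash is installed at all (for example one bundled with another tool); the function names and marker string are constructed for this example.

```shell
#!/bin/sh
# Added example: probe bash binaries for the CVE-2014-6271 parsing flaw.
# A vulnerable bash imports the function from the environment variable and
# then runs the trailing command, which prints the marker; a patched bash
# prints nothing.

MARKER="shellshock-probe-marker"   # constructed string, harmless

# check_shellshock BASH_PATH -> prints: vulnerable | patched | not-found
check_shellshock() {
    bash_bin=$1
    if [ ! -x "$bash_bin" ]; then
        echo "not-found"
        return 0
    fi
    out=$(env "probe=() { :;}; echo $MARKER" "$bash_bin" -c ':' 2>/dev/null) || true
    case $out in
        *"$MARKER"*) echo "vulnerable" ;;
        *)           echo "patched" ;;
    esac
}

# scan_path_for_bash -> one "path: result" line per bash found on PATH
scan_path_for_bash() {
    old_ifs=$IFS
    IFS=:
    for dir in $PATH; do
        [ -n "$dir" ] || continue   # skip empty PATH entries
        if [ -x "$dir/bash" ]; then
            printf '%s: %s\n' "$dir/bash" "$(check_shellshock "$dir/bash")"
        fi
    done
    IFS=$old_ifs
}

scan_path_for_bash
```

    A "patched" result covers only the original CVE-2014-6271 flaw; no output at all means no bash was found on PATH.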