The Akamai Blog

Akamai Launches New Protection for Shellshock-Bash

Akamai has created custom rules to help protect customers from the Shellshock-Bash vulnerabilities. The official names of these vulnerabilities and the WAF rules to address them are as follows:

Vulnerability    Customers on Kona Rule Set*: WAF Rule To Address
CVE-2014-6271    3000025, 3000026, KRS Command Injection Risk Group
CVE-2014-7169    3000025, 3000026, KRS Command Injection Risk Group
CVE-2014-6277    3000025, 3000026, KRS Command Injection Risk Group
CVE-2014-6278    3000025, 3000026, KRS Command Injection Risk Group

The custom rules are applicable to all four of those exploits as they filter on a common attack string.

"Rule Update Service" customers and Premium Service customers: please contact your service team to implement the rules if you have not already done so.

Customers who wish to activate the rules themselves should refer to the screenshot below that matches their Rule Set version.

For customers using Kona Rule Set 1.0:

For customers using Core Rule Set 1.6.1, any rule categorized under "System Command Injection" should be activated.

[Image: shellshock-protection-core-rule.png]

Self-Service customers should follow best practices regarding investigating false positives while a rule is in "Alert" mode before making the decision to switch to "Deny" mode.
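The following Python example is added here and is not Akamai's rule logic, which this page does not publish. It assumes the common attack string is the bash function-definition prefix "() {" and shows why matches are reviewed in "Alert" mode before switching to "Deny"; the names inspect and run and the sample requests are constructed for illustration.

```python
import re

# Assumption: the "common attack string" is the bash function-definition
# prefix "() {" at the start of a header value. The logic of Kona rules
# 3000025/3000026 is not given on this page; this is a stand-in.
FUNC_DEF = re.compile(r"\(\)\s*\{")

def inspect(headers, mode="alert"):
    """Return (action, findings) for one request's headers.

    Each finding is (header_name, at_start). at_start is True when the
    value begins with the pattern, which is where bash looks for a
    function definition; False marks a match to review as a possible
    false positive before moving to deny mode.
    """
    findings = []
    for name, value in headers.items():
        m = FUNC_DEF.search(value)
        if m:
            findings.append((name, m.start() == 0))
    if not findings:
        return "pass", findings
    return ("deny" if mode == "deny" else "alert"), findings

# Constructed sample requests (not real traffic).
SAMPLES = {
    "probe": {"User-Agent": "() { :; }; <command-placeholder>"},
    "js_referer": {"Referer": "https://example.test/?q=function() { return 1 }"},
    "browser": {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"},
}

def run(mode):
    """Apply inspect() to every sample and return {request_id: result}."""
    return {rid: inspect(h, mode) for rid, h in SAMPLES.items()}

if __name__ == "__main__":
    for mode in ("alert", "deny"):
        for rid, (action, findings) in run(mode).items():
            print(mode, rid, action, findings)
```

In "alert" mode the js_referer request is only logged, so the mid-value match can be reviewed; in "deny" mode the same request would be blocked.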

The use of these custom rules is subject to the terms and conditions of the agreements you have with Akamai. As always, customers should maintain appropriate security controls on their origin server(s), as no security measures can guarantee detection of all attacks and/or threats.

Please note that these rules do not protect against CVE-2014-7186 or CVE-2014-7187. However, these two vulnerabilities can't be exploited through *normal* environment variables--to exploit them in a web app context, there must *already* be an exploitable remote code execution (shell injection) vulnerability (or an array reference into an environment variable, which would be very strange).

If either of these criteria were met, only then could an adversary cause this code to be executed, which would in turn crash the bash process. In short, these vulnerabilities are much less severe.

Additional information on the patches involved can be found at https://bit.ly/ShellShockPatch.