Monday, 13 June 2016

OS Attack: GNU Bash CVE-2014-6271 attack blocked (Symantec AV)

Or, [SID: 27907] OS Attack: GNU Bash CVE-2014-6271 attack blocked. Traffic has been blocked for this application: SYSTEM
Or, Windows Event Log - Symantec Endpoint Protection "[SID: 27907] OS Attack: GNU Bash CVE-2014-6271 attack blocked. Traffic has been blocked for this application: SYSTEM".

Description:
This event is logged when the Network Threat Protection component of Symantec Endpoint Protection is installed. When the AV agent detects unwanted or suspicious traffic from any IP/URL that matches this signature, it blocks that traffic on the machine for approximately 10 minutes.
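To see what a signature like SID 27907 is actually matching on, and to find the source to correlate with the blocked IP that SEP reports, here is an added example (not from the original post or from Symantec) that scans web server access-log lines for the CVE-2014-6271 "function definition followed by a command" pattern. The log lines are constructed samples, the regexes are my own approximations of the Shellshock trigger and of the Apache/nginx combined log format, and the function names are hypothetical.

```python
import re
from typing import List, Tuple

# Shellshock (CVE-2014-6271) trigger as it appears in an HTTP header that a
# CGI handler copies into an environment variable: "() {" opening a function
# definition, a closing "}" and then a ";" with trailing text. Whitespace
# between the tokens is optional, so the regex tolerates it.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# Apache/nginx "combined" log format (assumed layout). The request line,
# Referer and User-Agent are the fields that end up in CGI environment
# variables, so those are the ones worth inspecting.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (not real traffic): one benign request, one probe
# carried in the User-Agent header, one carried in the Referer header.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Jun/2016:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [13/Jun/2016:10:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" 404 0 "-" "() { :; }; echo vulnerable"
198.51.100.9 - - [13/Jun/2016:10:01:06 +0000] "GET /cgi-bin/status HTTP/1.1" 404 0 "() { ignored; }; echo probe" "curl/7.35.0"
"""


def is_shellshock_payload(value: str) -> bool:
    """True if the string carries the function-definition-then-command pattern."""
    return SHELLSHOCK_RE.search(value) is not None


def scan_log(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, source_ip, field) for every log line carrying a payload.

    Lines that do not parse as combined format are skipped rather than raising,
    so a partially rotated or truncated log does not abort the scan.
    """
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = COMBINED_RE.match(line)
        if not m:
            continue
        for field in ("req", "ref", "ua"):
            if is_shellshock_payload(m.group(field)):
                hits.append((n, m.group("ip"), field))
    return hits


def offending_sources(text: str) -> List[str]:
    """Distinct source IPs seen sending payloads, in first-seen order.

    This is the value to compare against the IP SEP reports as blocked when
    deciding whether the 10-minute block is a true positive.
    """
    seen: List[str] = []
    for _, ip, _ in scan_log(text):
        if ip not in seen:
            seen.append(ip)
    return seen


if __name__ == "__main__":
    for n, ip, field in scan_log(SAMPLE_LOG):
        print(f"line {n}: Shellshock pattern in {field} from {ip}")
    print("sources to correlate with the SEP block event:", offending_sources(SAMPLE_LOG))
```

Note that the pattern fires on the shape of the header, not on whether the receiving host runs a vulnerable bash, which is why a fully patched Windows server with SEP installed still logs this event when it is scanned: the block is a response to inbound probing, not evidence that the machine was exploitable.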


To avoid this type of issue, consider the following:
1. Remove any unwanted IP addresses assigned to the affected machine. People sometimes assign multiple IPs to one computer, which can lead to this kind of issue.
2. Apply Windows updates completely; no security or critical update should be left unpatched.
3. If the issue occurs on a server that is already protected by multiple layers of security (firewall, proxy filtering, etc.), you can consider removing the Network Threat Protection component. But understand the risk properly before doing so.

A few reference KBs worth checking:
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27907
https://www.symantec.com/security_response/vulnerability.jsp?bid=70103
http://www.symantec.com/connect/forums/recurring-message-cve-2014-6271

Please write back if you have any query or feedback. Cheers!
