Red Hat Satellite: Unauthorized requests trying to perform remote code execution

Solution Verified - Updated -

Issue

While reviewing the Satellite logs, many entries for denied HTTPS requests were found in the /var/log/httpd/foreman-ssl_access_ssl.log file, for example:

192.168.0.11 - - [24/Jan/2021:15:43:56 +0400] "GET /cgi-bin/agorn.cgi HTTP/1.1" 404 1564 "-" "() { _; } >_[$($())] { echo Content-Type: text/plain ; echo ; echo \"bash_cve_2014_6278 Output : $((60+94))\"; }"
192.168.0.12 - - [24/Jan/2021:15:44:17 +0400] "GET /cgi-bin/agorn.cgi HTTP/1.1" 404 1564 "-" "() { _; } >_[$($())] { echo Content-Type: text/plain ; echo ; echo \"bash_cve_2014_6278 Output : $((66+43))\"; }"
192.168.0.13 - - [24/Jan/2021:15:47:18 +0400] "GET /cgi-bin/agorn.cgi HTTP/1.1" 404 1564 "-" "() { _; } >_[$($())] { echo Content-Type: text/plain ; echo ; echo \"bash_cve_2014_6278 Output : $((71+12))\"; }"
192.168.0.14 - - [24/Jan/2021:15:48:02 +0400] "GET /cgi-bin/agorn.cgi HTTP/1.1" 404 1564 "-" "() { _; } >_[$($())] { echo Content-Type: text/plain ; echo ; echo \"bash_cve_2014_6278 Output : $((73+39))\"; }"

The log file shows similar entries for denied HTTPS requests from the same IP addresses, attempting to fetch or remotely execute the following files:

cgi-bin/faqmanager.cgi?toc=/etc/passwd%00
cgi-bin/whois.cgi
cgi-bin/test-cgi
cgi-bin/upload.cgi
cgi-bin/wa.cgi
cgi-bin/wa
mod/index.cgi
sys/defaultwebpage.cgi
cgi-bin/viewcvs.cgi
cgi-bin/test.cgi
sys/entropysearch.cgi
cgi-bin/wa.exe
cgi-bin/test.sh
cgi-bin/urlcount.cgi
cgi-bin/status.cgi
cgi-bin-sdb/printenv
cgi-bin/bugreport.cgi
cgi-bin/mt/mt-check.cgi
cgi-bin/login.cgi
cgi-bin/Count.cgi
cgi-bin/index.pl
cgi-bin/search
cgi-bin/search.cgi
cgi-bin/count.cgi
cgi-bin/ncbook/book.cgi
cgi-bin/clwarn.cgi
cgi-bin/guestbook.cgi
cgi-bin/help.cgi
cgi-bin/search/search.cgi
cgi-bin/quickstore.cgi
cgi-bin/hi
cgi-bin/mt/mt-load.cgi
cgi-bin/FormMail.cgi
cgi-bin/printenv
cgi-bin/faqmanager.cgi
cgi-bin/printenv.cgi
cgi-bin/cart.cgi
cgi-bin/agorn.cgi
cgi-bin/mt-static/mt-load.cgi
cgi-bin/index.cgi
cgi-bin/status
cgi-bin/FormHandler.cgi
cgi-bin/index.sh
cgi-bin/mailit.pl
cgi-bin/mt-static/mt-check.cgi
cgi-bin/administrator
cgi-bin/admin.cgi
cgi-bin/admin
cgi-bin/admin.pl
cgi-bin/administrator.cgi
cgi-bin/login
cgi-bin/file_transfer.cgi
cgi-bin/mainfunction.cgi
cgi-bin/kvm.cgi?&file=login
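
A triage check for entries like the ones above, as an added example (not part of the original article and not Red Hat tooling): it parses combined-format access log lines, flags requests whose Referer or User-Agent contains a Bash function definition, and lists any that were answered with something other than a 4xx status. The first two sample lines are copied from the article; the 192.0.2.x lines and the name `triage` are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache combined format: host ident user [time] "request" status bytes "referer" "agent"
# Quoted fields may contain backslash-escaped quotes, as in the article's log lines.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"'
)
# A Bash function definition inside a header value: "()" followed by "{".
FUNC_DEF_RE = re.compile(r'\(\)\s*\{')

# Lines 1-2 are from the article; lines 3-4 are constructed test data.
SAMPLE_LOG = r'''
192.168.0.11 - - [24/Jan/2021:15:43:56 +0400] "GET /cgi-bin/agorn.cgi HTTP/1.1" 404 1564 "-" "() { _; } >_[$($())] { echo Content-Type: text/plain ; echo ; echo \"bash_cve_2014_6278 Output : $((60+94))\"; }"
192.168.0.12 - - [24/Jan/2021:15:44:17 +0400] "GET /cgi-bin/agorn.cgi HTTP/1.1" 404 1564 "-" "() { _; } >_[$($())] { echo Content-Type: text/plain ; echo ; echo \"bash_cve_2014_6278 Output : $((66+43))\"; }"
192.0.2.10 - - [24/Jan/2021:15:50:00 +0400] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { _; } >_[$($())] { echo Content-Type: text/plain ; echo ; echo \"bash_cve_2014_6278 Output : $((60+94))\"; }"
192.0.2.20 - - [24/Jan/2021:15:51:00 +0400] "GET / HTTP/1.1" 200 100 "-" "curl/7.61.1"
'''

def triage(lines):
    """Return {source: {"probes": count, "served": [(time, request, status), ...]}}."""
    report = defaultdict(lambda: {"probes": 0, "served": []})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or non-combined-format line
        # Both logged header fields can carry the function definition.
        if not (FUNC_DEF_RE.search(m["agent"]) or FUNC_DEF_RE.search(m["referer"])):
            continue
        entry = report[m["host"]]
        entry["probes"] += 1
        # The article's probes all got 404: the script does not exist, so no CGI
        # process was started. Any non-4xx answer is listed for manual review.
        if not m["status"].startswith("4"):
            entry["served"].append((m["time"], m["request"], int(m["status"])))
    return dict(report)

if __name__ == "__main__":
    for source, info in triage(SAMPLE_LOG.splitlines()).items():
        print(source, info["probes"], "probe(s);", "needs review:", info["served"] or "none")
```
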

Environment

  • Red Hat Satellite 6.x
  • Multiple Satellite Capsules
