Shellshock vulnerabilities exploited in the wild

Within a week of the Shellshock vulnerability (the Bash bug, CVE-2014-6271) being disclosed by researcher Stephane Chazelas, the first exploits have been spotted in the wild.

As previously reported, Shellshock is a flaw in the way Bash parses function definitions passed to it in environment variables: the shell keeps interpreting whatever follows the function body, so an attacker who can get a crafted variable into a Bash process - for example through an HTTP header handed to a CGI script - can run arbitrary commands. In practice this means remote code execution on any server that exposes Bash in this way.

Unfortunately, the shell is widely deployed: it ships with most Linux and Unix systems and is invoked by many server products, including those powering web sites. According to Carl Leonard, the regional head of Websense's EMEA research, malware found to be exploiting the Shellshock vulnerability has been dropped by various command-and-control servers previously known to Websense Security Labs.

"The malware has been seen to be downloaded to a compromised machine by exploiting the Shellshock vulnerability and invoking commands such as 'curl' or 'wget' and then executing the malicious payload. To date, we have seen four variants of the Linux backdoor and several versions of the Perl-based IRC bot," he says in his analysis of the problem.

Multiple vulnerabilities

Perhaps worse, Leonard and his team report that, since the initial disclosure of CVE-2014-6271, another five vulnerabilities have been identified in Bash. These have been assigned the identifiers CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187.

Experience, he says, has taught us that as cyber-criminals zoom in on the vulnerable code branch, additional vulnerabilities are likely to surface.  

"We strongly recommend that you monitor such issues and apply mitigation accordingly," he advises.

Fellow security vendor FireEye, meanwhile, says that it has seen a real example of cybercriminals attempting to exploit the Bash remote code injection vulnerability against network attached storage (NAS) systems.

Apple patches incomplete

Just to make life interesting, although Apple has released a patch for Shellshock, Greg Wiseman, an engineering manager with Rapid7, claims that the patch only solves two of the three problems.

Wiseman is quoted by the CNET newswire as saying he ran a script to test for Bash/Shellshock vulnerabilities and found that even after installing Apple's patch on OS X Mountain Lion, the operating system was still susceptible to another vulnerability - CVE-2014-7186.

So how bad is the evolving situation?

Leeds-based security specialist RandomStorm says that it has warned customers to scan their Linux, Mac OS and Unix servers - and connected devices - for the problem.

Andrew Mason, RandomStorm's technical director, said that he and his team are advising all of their customers to run a scan for CVE-2014-6271 to check whether their Unix and Linux servers and networked devices - such as cameras and alarms - contain the Bash vulnerability.

"As soon as a patch is released, we will update our xStorm service and we have emailed our customers to provide further guidance on updating their appliances," he said, adding that detailed information about this vulnerability can be found on Red Hat Bugzilla.
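The local checks that Wiseman and Mason describe above can be reproduced with a short script. The following is an added example, not code from the article or from Rapid7, Websense or RandomStorm: it probes a single Bash binary for CVE-2014-6271, CVE-2014-7169 and CVE-2014-7186 using the widely circulated proof-of-concept inputs for each, and reports one line per CVE. The binary path is an assumption (it defaults to whatever `bash` is on PATH); the function and variable names are the example's own.

```shell
#!/bin/sh
# Local Shellshock checks, one function per CVE named in the article. Each takes
# the path of the Bash binary to test (assumption: defaults to "bash" on PATH)
# and returns 0 = not vulnerable, 1 = vulnerable, 2 = binary not found.

bash_present() {
    command -v "$1" >/dev/null 2>&1
}

# CVE-2014-6271: a vulnerable Bash imports the function definition from the
# environment and keeps executing whatever follows the closing brace.
check_cve_2014_6271() {
    bash_present "$1" || return 2
    out=$(env x='() { :;}; echo VULNERABLE' "$1" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) return 1 ;;
        *)            return 0 ;;
    esac
}

# CVE-2014-7169: the first fix still let a crafted definition leave a stray
# redirection behind; a vulnerable Bash writes the output of "date" into a
# file called "echo" in the current directory, so run it in a scratch dir.
check_cve_2014_7169() {
    bash_present "$1" || return 2
    tmp=$(mktemp -d) || return 2
    (cd "$tmp" && env X='() { (a)=>\' "$1" -c 'echo date' >/dev/null 2>&1)
    if [ -f "$tmp/echo" ]; then
        rm -rf "$tmp"; return 1
    fi
    rm -rf "$tmp"; return 0
}

# CVE-2014-7186: the redir_stack off-by-one; a vulnerable Bash crashes on 14
# stacked here-documents instead of running "true" and exiting cleanly.
check_cve_2014_7186() {
    bash_present "$1" || return 2
    "$1" -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' \
        >/dev/null 2>&1 && return 0
    return 1
}

# Run every check and print one line per CVE. Returns 1 if any check found the
# binary vulnerable, 2 if the binary could not be run, 0 otherwise.
shellshock_scan() {
    target="${1:-bash}"
    worst=0
    for cve in 6271 7169 7186; do
        rc=0
        "check_cve_2014_$cve" "$target" || rc=$?
        case "$rc" in
            0) echo "CVE-2014-$cve: not vulnerable" ;;
            1) echo "CVE-2014-$cve: VULNERABLE"; worst=1 ;;
            *) echo "CVE-2014-$cve: could not test ($target not found)"; return 2 ;;
        esac
    done
    return "$worst"
}

# Usage: sh shellshock_check.sh [/path/to/bash]
shellshock_scan "${1:-bash}"
```

Running the script against each Bash build on a host (a vendor's patched `/bin/bash` and any copies bundled with appliances or third-party packages) is the check Wiseman describes: a binary that passes the first test can still fail the later ones, which is exactly what he reported on OS X Mountain Lion after Apple's patch. Note that this only tests the local binary; it says nothing about whether a web server or DHCP client on the host actually hands attacker-controlled environment variables to it.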