As vendors scramble to issue patches for the GNU Bash Shellshock bug and companies rush to implement them, attackers around the world are probing systems for the hole it opens.
Initial attacks geared towards creating DDoS botnets managed via IRC have been followed by reconnaissance attempts in Brazil and China, where the IPs of various institutions (including financial ones) have been probed and, once found vulnerable to the bug, the target servers were “asked” for information such as OS type and version, machine type, processor type, etc.
It is believed that the attackers are collecting information that will come in handy for pulling off future attacks.
Cisco Systems has issued an advisory that flags many of its networking products as vulnerable and points users towards software updates that fix the bug. They have also provided IPS and Snort signatures that can detect and block, at the network level, attacks aimed at exploiting the vulnerability.
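Cisco's signatures match the malicious header pattern on the wire; the same check can be run retrospectively over web server logs to find probes that got through before a signature or patch was in place. The following is an added example, not Cisco's, Snort's or any vendor's code: it scans Apache combined-format access-log lines for the bash function-definition prefix that Shellshock probes place in HTTP header fields such as User-Agent and Referer. The log format, the 192.0.2.x addresses and the sample lines are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Apache/nginx "combined" log format (the constructed sample below follows it).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Bash exported-function prefix that Shellshock payloads rely on. Whitespace
# between the tokens is optional, so the regex does not match "() {" literally;
# this is the same idea as the public network signatures, applied to log text.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')


@dataclass
class Finding:
    ip: str      # client address that sent the suspicious header
    field: str   # which logged field carried the pattern
    value: str   # the offending field content, for triage


def scan_line(line):
    """Return a list of Findings for one log line (empty if clean or unparseable)."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return []
    findings = []
    # Only fields that originate from the client are attacker-controlled.
    for field in ("request", "referer", "ua"):
        value = m.group(field)
        if SHELLSHOCK_RE.search(value):
            findings.append(Finding(m.group("ip"), field, value))
    return findings


def scan_log(lines):
    """Scan an iterable of log lines and collect every finding."""
    out = []
    for line in lines:
        out.extend(scan_line(line))
    return out


# Constructed sample: one normal request, one probe via User-Agent, one via
# Referer (no space after the parentheses), and one malformed line.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.0.2.20 - - [25/Sep/2014:10:00:05 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 17 "-" "() { :;}; /bin/true"',
    '192.0.2.30 - - [25/Sep/2014:10:00:09 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 17 "(){ :;}; /bin/true" "curl/7.30.0"',
    'not a log line',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ip} sent suspicious {f.field}: {f.value!r}")
```

Matching on the function prefix rather than on a specific command is deliberate: the later CVE-2014-7169 variant changed what followed the prefix, but not the prefix itself, so this check also covers those probes. Pointing `scan_log` at a real access log means hits on `/cgi-bin/` paths deserve the closest look, since CGI is the common path by which header values reach bash.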
Oracle has issued a security alert detailing which of its products are vulnerable and which not, and has provided patches for a small number of them.
“Oracle is still investigating this issue and will provide fixes for affected products as soon as they have been fully tested and determined to provide effective mitigation against the vulnerability,” they noted, and added that users should regularly check for updates.
It’s also possible that companies are delaying the fixes until all of the issues surrounding the bug can be addressed. Red Hat security engineer Huzaifa Sidhpurwala offered some insight into how their initial patch was found wanting when other issues surfaced shortly after, and how they went about issuing a second patch.
Chet Ramey, the current GNU Bash maintainer, announced over the weekend that a new patch fixing both the original Shellshock bug and CVE-2014-7169 has been made available. The patch in question was developed by Red Hat product security researcher Florian Weimer, and it also fixes two additional issues (CVE-2014-6277 and CVE-2014-6278) that could lead to remote exploitation.
Finally, here is a good write-up by SANS ISC CTO Johannes Ullrich, who urges admins to dig deeper and patch systems they may have missed in their initial sweep.