http://arstechnica.com/security/2014/09/shellshock-fixes-beget-another-round-of-patches-as-attacks-mount/
By Sean Gallagher
Ars Technica
Sept 30 2014
Over the past few days, Apple, Red Hat, and others have pushed out patches
to vulnerabilities in the GNU Bourne Again Shell (bash). The
vulnerabilities previously allowed attackers to execute commands remotely
on systems that use the command parser under some conditions—including Web
servers that use certain configurations of Apache. However, some of the
patches introduced changes that diverged from the upstream GNU bash code,
so debate now continues about how to “un-fork” those patches and better
secure bash.
At the same time, the urgency of applying those patches has mounted as
more attacks that exploit the weaknesses in bash’s security (dubbed
“Shellshock”) have appeared. In addition to the threat first spotted the
day after the vulnerability was made public, a number of new attacks have
emerged. While some appear to simply be vulnerability scans, there are
also new exploit attempts that carry malware or attempt to give the
attacker direct remote control of the targeted system.
Stormy weather
On Monday, the SANS Technology Institute’s Internet Storm Center (ISC)
elevated its INFOcon threat level—a measure of the danger level of current
Internet “worms” and other threats based on Internet traffic—to Yellow.
This level indicates an attack that poses a minor threat to the Internet’s
infrastructure as a whole with potential significant impact on some
systems. Johannes Ullrich, Dean of Research at SANS, noted that six
exploits based on Shellshock have been recorded by the ISC’s servers and
“honeypot” systems. (A honeypot is a virtual or physical computer system
set up to entice attackers and record their actions.)
Three of the types of attacks recorded by the ISC were simply scans for
the vulnerability. One ran checks using multiple Hypertext Transfer
Protocol (HTTP) headers to test if the system would send back Internet
Protocol “ping” messages using a bash exploit; another attempted to send
back system parameters (the Unix name of the system, its operating system
and version, and other details about the hardware). These may have been
launched by “white hat” security firms conducting surveys of vulnerable
systems.
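One way to spot the header-borne probes described above in a web server's own logs, as an added example that is not code from the article: it parses combined-format access-log lines and flags any request line, Referer or User-Agent that carries the bash function-definition marker ("() {") every Shellshock payload had to start with. The log lines are constructed samples, not real traffic.

```python
"""Flag Shellshock-style probes in Apache/nginx "combined" access logs.
Added example; assumes the combined log format (ip, request line,
status, bytes, referer, user-agent) and looks for the "() {" marker."""
import re
from urllib.parse import unquote

# Combined log format: ip - user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# The function-definition prefix bash parsed from the environment; allow
# for whitespace variants, and decode URL-encoding before matching.
MARKER_RE = re.compile(r"\(\)\s*\{")


def find_shellshock_probes(lines):
    """Return (ip, field, decoded_value) for each field carrying the marker."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        for field in ("request", "referer", "agent"):
            value = unquote(m.group(field))  # %28%29%20%7B -> "() {"
            if MARKER_RE.search(value):
                hits.append((m.group("ip"), field, value))
    return hits


# Constructed sample lines: a benign request, a probe in the User-Agent
# header (the "send back system parameters" scan the article mentions),
# and a URL-encoded probe in the request path.
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Sep/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [29/Sep/2014:10:00:02 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 73 "-" "() { :;}; /bin/uname -a"',
    '198.51.100.9 - - [29/Sep/2014:10:00:03 +0000] '
    '"GET /cgi-bin/%28%29%20%7B%20:;%7D;%20uname%20-a HTTP/1.1" 404 0 "-" "curl/7.35"',
]

if __name__ == "__main__":
    for ip, field, value in find_shellshock_probes(SAMPLE_LOG):
        print(f"{ip}: Shellshock marker in {field}: {value}")
```

Because the marker is matched after URL-decoding, the same check catches probes hidden in the request path as well as in headers; extend the field list if your log format records additional headers such as Cookie.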
[...]