Worm exploiting Bash/Shellshock vulnerability

Number: AL14-040
Date: 15 December 2014

Purpose

The purpose of this Alert is to bring attention to recent reports of a worm exploiting the Bash/Shellshock vulnerability.

Assessment

CCIRC is aware of open source reports indicating that the Shellshock vulnerability is being actively exploited to install a self-replicating backdoor, also known as a worm. It appears that this worm is currently targeting network-attached storage (NAS) systems made by QNAP. There are no specific reports of this being exploited in Canada at this time.

The attack targets a QNAP CGI script, "/cgi-bin/authLogin.cgi". Upon execution, it has the capability to run commands, install additional malware (including a secure shell (SSH) server with a new admin user account that grants root privileges to the attacker) and scan for other vulnerable devices.

CVE Reference: CVE-2014-6271
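
For defenders reviewing web server logs from a NAS or a reverse proxy in front of it, the following is an added example (not part of the original Alert and not CCIRC or QNAP code) that flags requests carrying the Bash function-definition marker "() {" in the request path, Referer or User-Agent, and notes whether they hit the CGI script named above. It assumes logs in Apache Combined Log Format; the sample lines, addresses and function names are constructed for illustration.

```python
import re

# Assumption: Apache Combined Log Format
#   ip - user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)")?'
)
# CVE-2014-6271 is triggered by a value that opens a Bash function definition.
FUNC_DEF_RE = re.compile(r'\(\)\s*\{')
TARGET_PATH = "/cgi-bin/authLogin.cgi"  # CGI script named in the Alert


def find_shellshock_attempts(lines):
    """Return one dict per log line whose path or headers carry the marker."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed format; skip rather than guess
        fields = {k: m.group(k) or "" for k in ("path", "referer", "agent")}
        tainted = sorted(k for k, v in fields.items() if FUNC_DEF_RE.search(v))
        if tainted:
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("time"),
                "fields": tainted,
                # True when the request went to the script the worm targets
                "qnap_target": fields["path"].split("?")[0] == TARGET_PATH,
            })
    return hits


# Constructed sample lines (documentation addresses, placeholder command text)
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Dec/2014:10:00:01 +0000] "GET /cgi-bin/authLogin.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [15/Dec/2014:10:00:05 +0000] "GET /cgi-bin/authLogin.cgi HTTP/1.1" 200 0 "-" "() { :; }; PLACEHOLDER_COMMAND"',
    '203.0.113.9 - - [15/Dec/2014:10:00:09 +0000] "GET /index.html HTTP/1.1" 404 0 "() { :; }; PLACEHOLDER_COMMAND" "curl/7.38"',
]

if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print(hit)
```

A hit with qnap_target set on a device running a QTS version earlier than the one named under Suggested Action is a reason to check that device for the SSH server and admin account described in the Assessment.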

Suggested Action

CCIRC recommends that organizations running QNAP Turbo NAS model versions prior to QTS 4.1.1 Build 1003 strongly consider updating to the latest version immediately, as any prior versions are vulnerable to attacks using the Bash/Shellshock vulnerability.

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note that the CCIRC PGP key has recently been updated.
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca