Worm exploiting Bash/Shellshock vulnerability
Date: 15 December 2014
The purpose of this Alert is to bring attention to recent reports of a worm exploiting the Bash/Shellshock vulnerability.
CCIRC is aware of open source reports indicating that the Shellshock vulnerability is being actively exploited to install a self-replicating backdoor, also known as a worm. It appears that this worm is currently targeting network-attached storage (NAS) systems made by QNAP. There are no specific reports of this being exploited in Canada at this time.
The attack targets a QNAP CGI script, "/cgi-bin/authLogin.cgi". Upon execution, it can run commands, install additional malware (including a secure shell (SSH) server with a new admin user account that grants root privileges to the attacker), and scan for other vulnerable devices.
CVE Reference: CVE-2014-6271
CCIRC recommends that organizations running QNAP Turbo NAS model versions prior to QTS 4.1.1 Build 1003 strongly consider updating to the latest version immediately, as any prior versions are vulnerable to attacks using the Bash/Shellshock vulnerability.
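The following is an added detection example, not part of the original CCIRC alert: it scans web access log lines for the Bash function-definition prefix used by CVE-2014-6271 requests and flags those aimed at the CGI script named above. It assumes logs in Apache combined format; the sample lines and addresses are constructed, and headers that are not logged (for example Cookie) cannot be seen this way.

```python
import re

# Bash function-definition prefix that CVE-2014-6271 requests carry in a
# header value; tolerate optional whitespace between "()" and "{".
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")
TARGET_PATH = "/cgi-bin/authLogin.cgi"  # CGI script named in this alert

# Assumed format (Apache combined):
# ip - - [time] "request" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample input (documentation-range addresses, payloads removed).
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Dec/2014:03:12:45 +0000] "GET /cgi-bin/authLogin.cgi HTTP/1.1" 200 512 "-" "() { :; }; PAYLOAD-REMOVED"',
    '198.51.100.7 - - [14/Dec/2014:03:13:02 +0000] "GET /cgi-bin/authLogin.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [14/Dec/2014:03:14:10 +0000] "GET /index.html HTTP/1.1" 404 0 "(){ PAYLOAD-REMOVED" "-"',
    'not a log line',
]

def find_shellshock_attempts(lines):
    """Return one dict per parsable line whose logged fields carry the prefix."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed format; skip rather than guess
        fields = [name for name in ("request", "referer", "agent")
                  if SHELLSHOCK_RE.search(m.group(name))]
        if not fields:
            continue
        parts = m.group("request").split()
        path = parts[1].split("?", 1)[0] if len(parts) >= 2 else ""
        hits.append({
            "line": lineno,
            "ip": m.group("ip"),
            "fields": fields,
            "targets_qnap_login": path == TARGET_PATH,
            "status": int(m.group("status")),
        })
    return hits

if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print(hit)
```

A hit with `targets_qnap_login` set and a 200 status on a device running a QTS version prior to 4.1.1 Build 1003 warrants checking the device for unexpected admin accounts and SSH services, as described above.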
- QNAP Releases New QTS for Turbo NAS with Official GNU Bash Patch Update
- CCIRC’s AL14-032 Critical vulnerability in Bash
- CCIRC’s AV14-079 Summary of Critical Vulnerability Patches in Bash
- CVE-2014-6271 - CVSS Score: 10 High
- Worm exploits nasty Shellshock bug to commandeer network storage systems
- Worm Backdoors and Secures QNAP Network Storage Devices
- The Shellshock Aftershock for NAS Administrators
Note to Readers
In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.
Please note, CCIRC PGP key has recently been updated.
For general information, please contact Public Safety Canada's Public Affairs division at:
Telephone: 613-944-4875 or 1-800-830-3118