They have also raised concerns that the bug will be difficult to eradicate in legacy systems used in power plants and other critical national infrastructure.
According to researchers at security firm FireEye, cyber attackers have already moved to exploit the bug and may be conducting initial dry runs in preparation for larger-scale attacks.
“We have observed a significant amount of overtly malicious traffic leveraging Bash, including malware droppers, reverse shells and backdoors, data exfiltration, and distributed denial of service (DDoS),” they said in a blog post.
“Enterprises need to apply patches as soon as possible,” they added.
Some of the suspicious activity appears to be originating from Russia, although there has been activity from all over the world.
The researchers think it is only a matter of time before attackers exploit the vulnerability to redirect users to malicious hosts, which can result in further compromise.
Attackers have deployed scanners looking for vulnerable machines that have been bombarding networks with traffic since the 25-year-old bug was made public on 24 September.
More on Bash
- Apple to release fix for Bash bug
- Bash bug could be bigger threat than Heartbleed
- Bash Cheat Sheets
- What's the best command-line shell: PowerShell vs. CMD vs. Bash
- Bash commands for navigation, sharing, and find
- Comparing the advantages of zshell over bash shell in Linux
- Five things you didn't know Bash could do on Linux
- Shell game: Managing Bash command history
- Bash Script to Shutdown all your VMs
The researchers said the bug is extremely dangerous because of the ease of exploitation, the simplicity of the vulnerability, and the extremely widespread install base of Bash.
“We expect to see significant use of this vulnerability by malicious actors, particularly in automated attacks,” the researchers said.
So far, the common gateway interface (CGI) between a web server and executables that produce dynamic content has received the bulk of the focus from attackers, they said.
However, the researchers have found the reach of the Shellshock bug extends beyond web servers.
Any application that relies on user-controlled data to set operating system-level environment variables and then invokes the shell from that same context can trigger the vulnerability.
This means web applications relying on a specific type of user input can be manipulated to make users vulnerable to attack.
They note the full extent and reach of the Shellshock bug is still unknown, but indications are that almost any type of internet-connected device that uses the Bash shell can be affected.
The researchers warn that while home users and traditional servers may be able to patch their way out of danger, this solution is not available for many embedded devices and Unix-based industrial control systems. This also applies to supervisory control and data acquisition (Scada) systems commonly used by critical national infrastructure.
The Information Commissioner’s Office (ICO) has urged organisations and individuals to make sure their IT systems are up-to-date.
“This flaw could be allowing criminals to access personal data held on computers or other devices. For businesses, that should be ringing real alarm bells, because they have legal obligations to keep personal information secure,” an ICO spokesperson said.
The ICO said businesses need to be aware of this flaw and monitoring what they can do to address it. Ignoring the problem could leave them open to a serious data breach and, ultimately, enforcement action.
However, cyber security expert from Birmingham City University Mick Jackson has warned it will be years before the Shellshock bug is completely eradicated.
“Your PC might be safe, but what about the router you use for your broadband? As likely as not it will use Unix-based software and therefore may be at risk of attack,” he said.
“Even if we feel safe with the computers we own, what about those computers we use but don’t own? Every time we access a website we are effectively using someone else’s computer and we open ourselves up to their vulnerabilities,” he added.
Jackson also said that because millions of websites could be open to the exploitation of the Shellshock bug, the damage it could cause is as yet unknown.
“The only safe prediction is, given the number of computers which are at risk, it will be years before this vulnerability is completely eradicated,” he said.