5 Security Vendors Detecting The Most Shellshock Attacks

Shellshock Protection Available Now

Shellshock, the GNU Bash (Bourne Again Linux) command-line interpreter vulnerability, surfaced last week. It impacts nearly every distribution of Linux, Unix and Mac OS X. Early patches were ineffective and at least three other flaws have been detected. A wide variety of systems and networking gear are impacted by the critical vulnerability. Less than 24 hours after the dangerous Bash flaw was announced, exploit code was made public and attackers began to probe networks for vulnerable systems.

Most security vendors have issued signatures to detect attempts to exploit the flaws. Some solution providers tell CRN the signatures are resulting in many false positives, causing clients to put systems in detection rather than blocking mode. "Sourcefire and Snort-based devices are taking on the majority of the heavy lifting," wrote Chad Kahl, a Solutionary threat analyst, in his analysis of the threat. These five network security appliances appear to be identifying many of the attacks, according to Solutionary's analysis.

Cisco Sourcefire

Sourcefire, which bases its intrusion prevention system technology on Snort IPS signatures, is identifying the bulk of attempts to exploit the Bash vulnerabilities, according to Solutionary. Sourcefire, which Cisco paid $2.7 billion for in 2013, still has Snort creator Martin Roesch at the helm. Sourcefire identified tens of thousands of attacks coming from hundreds of unique IP addresses. Cisco is integrating the Sourcefire technology into its line of network security gear and recently announced integration with its ASA firewall appliances. Cisco IPS signatures are also available, the company said in its Shellshock advisory. Cisco is also issuing patches to fix its vulnerable networking devices.

Palo Alto Networks

Palo Alto Networks issued signatures to detect exploitation attempts against the Bash vulnerabilities, according to its advisory. The company also provided steps to enable administrators to create Vulnerability Protection profiles and block attempts to exploit the flaws. Palo Alto Networks is also issuing patches to address its vulnerable networking appliances. Palo Alto Networks said the attacks it identified come both from known IP addresses that have been sources of threat activity in the past and from unique IP addresses.

Check Point Software Technologies

Check Point issued IPS signatures to detect and block Shellshock exploitation, according to its customer advisory. The signatures are automatically deployed for users of Check Point Anti-Bot and Antivirus Blades, the company said. Check Point also issued an advisory warning that some of its products were impacted by the vulnerability.


Symantec

Symantec issued IPS signatures to detect attempts to exploit Shellshock vulnerabilities. In an advisory, which includes an explanation of the critical flaw and a video about the issue, the company urged customers to apply patches as they become available. The company said failed attempts to exploit the flaw will result in a system crash. Symantec said some of the activity that it detected appears to come from automated attack tools, such as probes seeking out vulnerable systems.

Juniper Networks

Juniper Networks was the fifth vendor detecting attempts to exploit the Linux Bash flaws, according to Solutionary. The Juniper advisory included a link to intrusion detection and prevention signatures for users. Some of Juniper's networking gear is susceptible to the vulnerability and the vendor is issuing security updates to fix the bugs.