Red Hat (NYSE: RHT) says a malware attack exploiting vulnerabilities it disclosed last week and now known as “bash bug” and “shellshock” is underway.

The company said Monday morning that is telling firms to make sure their systems are “fully patched” to defeat the attack.

Meanwhile, Red Hat also has updated its patches which it knows says were “incomplete.”

Reports of the vulernability surfaced last week, and the “bash bug” or “shellshock” has been called a significant threat to “the Internet of Things ‘ – devices from computers to cell phones and household appliances that utilize the Internet.

“Malware is circulating that exploits the shellshock security vulnerability,” Red Hat declared in the security warning.

“A variety of malware is in circulation that exploits systems that are not fully patched for the shellshock security vulnerability. Some of this malware is connecting vulnerable systems to a distributed denial-of-service (DDoS) botnet. Please ensure that your systems are all fully patched to ensure you are not susceptible to this malware.”

Earlier, Red Hat said its own patches targeting devices running the Linux operating system, were not a complete remedy.

“Red Hat has become aware that the patch for CVE-2014-6271 [Bash Code Injection Vulnerability via Specially Crafted Environment Variables] is incomplete,” Red Hat warned.

” An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions.”

The “vulnerability” does affect “all versions of the bash package as shipped with Red Hat products,” Red Hat said.

Affected products include: The Red Hat Enterprise Linux 5, 6, and 7, Red Hat Enterprise Linux 4 Extended Life Cycle Support, Red Hat Enterprise Linux 5.6 Long Life, Red Hat Enterprise Linux 5.9 Extended Update Support, Red Hat Enterprise Linux 6.2 Advanced Update Support, and Red Hat Enterprise Linux 6.4 Extended Update Support, and Shift_JIS for Red Hat Enterprise Linux 5 and 6.

Red Hat is offering a “Shellshock Vulnerability Detector.”

Adding the patches is not enough, Red Hat added.

“Even if your systems are no longer vulnerable, they may have been previously compromised,” the company said.

“To determine whether your systems are infected with shellshock malware, it is recommended that you perform a scan using a third-party anti-virus tool of your choosing. There are multiple articles analyzing particular malware variants that exploit the shellshock vulnerability.

“If your systems are already compromised by shellshock-based malware, you need to take immediate action. You can’t be certain exactly what that attacker has changed or installed on your system. You should back up your data, image storage devices, and reinstall from scratch to ensure no trace of the attacker is left on your system.”

What is the Bash Bug?

The bug, also known as “Shellshock,” is in a commonly used piece of system software called Bash. Bash has been around since 1989 and is used on a variety of Unix-based systems, including Linux and Mac OS X, the Associated Press has reported.

Devices that use Unix in some form include many servers, routers, Android phones, Mac computers, medical devices and even the computers that create bitcoins. Systems running power plants and municipal water systems could also be affected by the bug, though security experts already recommend that these systems remain disconnected from the Internet so they are not open to such risks.

Bash is a command shell — “the thing you use to tell your computer what you want it to do,” explains Christopher Budd, global threat communications manager at security firm Trend Micro. Thus, exploiting a security hole in Bash means telling your computer, or other systems, what to do.

 

Read the latest Red Hat updates online.