On September 24, 2014, a vulnerability in the Bash shell was publicly announced. The vulnerability is related to the way in which shell functions are passed though environment variables. The vulnerability may allow an attacker to inject commands into a Bash shell, depending on how the shell is invoked. The Bash shell may be invoked by a number of processes including, but not limited to: telnet, SSH, CGI (Common Gateway Interface), DHCP, and scripts hosted on web servers. The vulnerability looks pretty awful at first glance, but most systems with Bash installed will NOT be remotely exploitable as a result of this issue. In order to exploit this flaw, an attacker would need the ability to send a malicious environment variable to a program interacting with the network and this program would have to be implemented in Bash, or spawn a sub-command using Bash.
Ongoing Operations Engineering and Security teams have assigned support ID 103074 to this vulnerability, and has been working to evaluate the currently supported products and services for potential vulnerability.
What does this mean to you?
- Managed servers and Ongoing Operations infrastructure are in the process of being updated. Additionally, where available, security rules are being placed on perimeter devices to block attempts to exploit.
- Unmanaged servers and collocated equipment needs to be updated by clients. It is recommended this be done immediately.
Ongoing Operations recommends patching all affected systems, including but not limited to Mac OS X, Linux (i.e. Ubuntu, Debian, Fedora, etc.)
Ongoing Operations is committed to the security of your data and information assets. Should you have any questions and concerns, please reach out to discuss.