WEBSITE OWNERS: Make sure to check with your website hosting and - TopicsExpress



          

WEBSITE OWNERS: Make sure to check with your website hosting and maintenance companies about this new widespread virus. We have secured our servers - but if you are not hosting with us, you should contact your web companies about it and make sure you are protected.

On September 24, 2014, a GNU Bash vulnerability, referred to as Shellshock or the Bash Bug, was disclosed. In short, the vulnerability allows remote attackers to execute arbitrary code given certain conditions, by passing strings of code following environment variable assignments. Because of Bash's ubiquitous status amongst Linux, BSD, and Mac OS X distributions, many computers are vulnerable to Shellshock; all unpatched Bash versions from 1.14 through 4.3 (i.e. all releases until now) are at risk.

The Shellshock vulnerability can be exploited on systems that are running services or applications that allow unauthorized remote users to assign Bash environment variables. Examples of exploitable systems include the following:

- Apache HTTP Servers that use CGI scripts (via mod_cgi and mod_cgid) that are written in Bash or launch to Bash subshells
- Certain DHCP clients
- OpenSSH servers that use the ForceCommand capability
- Various network-exposed services that use Bash

A detailed description of the bug can be found at CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187.

Because the Shellshock vulnerability is very widespread--even more so than the OpenSSL Heartbleed bug--and particularly easy to exploit, it is highly recommended that affected systems are properly updated to fix or mitigate the vulnerability as soon as possible.
Posted on: Mon, 29 Sep 2014 16:27:47 +0000
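
For the Apache CGI case listed above, request headers such as Referer and User-Agent reach the script as environment variables, so a log review for Shellshock probes can look for the Bash function-definition prefix `() {` in those fields. The script below is an added example, not part of the original post; the function names, sample IP addresses, paths and log lines are constructed for illustration, and it assumes Apache's "combined" log format.

```shell
#!/usr/bin/env bash
# Added example: flag requests in an Apache "combined" access log whose
# request line, Referer or User-Agent contains the Bash function-definition
# prefix "() {" that Shellshock (CVE-2014-6271) strings begin with.

# Constructed sample log lines (documentation IP ranges, harmless strings).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2014:10:01:05 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 31 "-" "() { :;}; echo probe"
198.51.100.7 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 210 "() { :;}; echo probe" "curl/7.30"
203.0.113.5 - - [25/Sep/2014:10:02:00 +0000] "GET /docs/func() HTTP/1.1" 404 199 "-" "Mozilla/5.0"
EOF
}

# Reads log files given as arguments (or stdin) and prints one line per
# source address: "<ip> <hit count> <fields that matched, in order seen>".
scan_shellshock() {
  awk -F'"' '
    {
      # With a double quote as separator: $2 = request line,
      # $4 = Referer, $6 = User-Agent; $1 starts with the client address.
      split($1, head, " "); ip = head[1]
      hit = ""
      if ($2 ~ /\(\) *[{]/) hit = hit " request"
      if ($4 ~ /\(\) *[{]/) hit = hit " referer"
      if ($6 ~ /\(\) *[{]/) hit = hit " user-agent"
      if (hit != "") { count[ip]++; fields[ip] = fields[ip] hit }
    }
    END { for (ip in count) printf "%s %d%s\n", ip, count[ip], fields[ip] }
  ' "$@"
}

# Demo run on the constructed sample; "func()" in a URL is not flagged
# because it lacks the opening brace.
sample_log | scan_shellshock
```

A hit only shows that a request carried the pattern; whether the host was affected depends on whether the request reached an unpatched Bash.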
