Shellshock and some information

I have had trouble emailing this information to some folks I work with, so I am posting it here for reference and for the benefit of others.

I am sending this out far and wide since I work with many places…so please stop and read for a moment if you have not been alerted.

I am sure some of you are aware of this already, but if not I would take stock of this quickly and get a handle on what you need to do. There is a new bug being exploited in the wild going by the name of “shellshock” or “shellshocked”.

Many *nix web servers and external devices that run or rely on the bash shell should be looked at (Linux, MacOS, etc.). The obvious threats are web servers and other externally accessible server utilities, but you also need to think about your embedded devices that could be vulnerable.

Feel free to pass this along to whoever, but I suggest not waiting and being proactive in engaging your vendors to find out your risks.

Apple computers are addressable also, but likely lower risk (link below) unless being used for advanced things. I would pay more attention to your infrastructure, firewalls, VPN devices, and web servers, then work on the “inside” of your network.

All of you that work with me know I suggest the M&M security strategy of keeping a hard outer shell while you work on the “soft” middle 🙂

Links and info below… Feel free to contact me directly to discuss if you feel the need.

WSJ – overview
http://blogs.wsj.com/digits/2014/09/25/google-and-amazon-respond-to-shellshock-security-flaw/

National Vulnerability Database (NVD)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169

ISC has moved to infocon:yellow with some background info
https://isc.sans.edu/

Below are some vendor links related to this that you should review if relevant to the technology you are using.

Apple
http://www.imore.com/about-bash-shellshock-vulnerability-and-what-it-means-os-x

EMC
https://support.emc.com/kb/192608

VMware
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2090740

Cisco
http://tools.cisco.com/security/center/viewAlert.x?alertId=35816

Juniper
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10648&actp=RSS

F5
https://f5.com/solutions/mitigation/mitigating-the-bash-shellshock-cve-2014-6271-and-cve-2014-7169-vulnerabilities

Watchguard
http://watchguardsecuritycenter.com/2014/09/25/bash-or-shellshock-vulnerability/

HP
http://h30499.www3.hp.com/t5/Fortify-Application-Security/3-Things-to-Know-About-the-Shellshock-Vulnerability/ba-p/6630504#.VCXYV1OVthE

Barracuda
https://blog.barracuda.com/2014/09/25/shellshock-vulnerability-update/

Checkpoint
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk102673&src=securityAlerts

Rackspace
https://status.rackspace.com/

Webserver checking tool
https://shellshocker.net/