Shellshock, a Bash Code Injection Vulnerability
In late September 2014, a bug in bash, the popular Linux/Mac shell, was disclosed to the public. For those who aren't familiar, the shell is the black box that some computer folks seem to spend a lot of time in, typing arcane commands to magically fix the computer.
Short Story
At the Institute for Advanced Study, we were alerted to the issue at the same time as the rest of the Internet community. We did an initial scan to determine our exposure to attacks from the Internet and did not find any conclusive evidence that we were at risk. We did raise this as a high-priority issue and began patching our servers as soon as major service providers had patches available.
Not only were Internet-facing servers vulnerable; we also found that Mac OS X clients were at risk. Apple has released patches for this, but the risk of a user system being compromised through this particular bug is low. That being said, we still recommend that folks stay up to date on all security patches.
Long Story
Soon after the initial patch was deployed, we received reports of a second vulnerability that bypassed the first patch. We deployed this patch as well. Here are some links describing the technical details of this issue.
Descriptions of the original CVE bug reports:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169
RedHat information on mitigation techniques.
Robert Graham's scan of the Internet for the vulnerability
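The two patches described above can be verified on a host after deployment. The following is an added example, not from the original post or the linked vendor pages, of a local self-check for each CVE; it runs only against the bash installed on this machine and assumes sh, env and mktemp are available:

```shell
#!/bin/sh
# Added example: local patch-status check for the two Shellshock CVEs the
# post names. Each check runs a child bash with a crafted environment
# variable and reports whether that bash still executes trailing code while
# importing a function (CVE-2014-6271) or still mishandles a truncated
# function definition (CVE-2014-7169). Nothing is sent over the network.
# Each check prints one of: "vulnerable", "patched" or "no-bash".

# CVE-2014-6271: an unpatched bash runs the command that follows the
# function body while importing the variable, so the canary shows up in
# the child's output alongside the real command's output.
check_cve_2014_6271() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    out_6271=$(env x='() { :;}; echo CANARY_6271' bash -c 'echo probe' 2>/dev/null || true)
    case "$out_6271" in
        *CANARY_6271*) echo vulnerable ;;
        *)             echo patched ;;
    esac
}

# CVE-2014-7169: a bash carrying only the first patch leaves its parser in
# a bad state after a malformed definition, so the trailing "date" runs
# with its output redirected into a file named "echo" in the working
# directory. Run in a throwaway directory and test for that file.
check_cve_2014_7169() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    tmp_7169=$(mktemp -d) || { echo error; return 1; }
    ( cd "$tmp_7169" && env 'x=() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -e "$tmp_7169/echo" ]; then
        result_7169=vulnerable
    else
        result_7169=patched
    fi
    rm -rf "$tmp_7169"
    echo "$result_7169"
}

# Summarise both checks; "patched" on both lines means the host carries
# both fixes the post describes deploying.
shellshock_status() {
    echo "CVE-2014-6271: $(check_cve_2014_6271)"
    echo "CVE-2014-7169: $(check_cve_2014_7169)"
}

shellshock_status
```

A host reporting "vulnerable" on the second line but "patched" on the first has only the initial fix, which is exactly the bypass the post mentions.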
Reports of compromise
We have received reports of other educational institutions being affected by this bug, and of a botnet forming that takes advantage of it as well. We continue to monitor these developments and other reports of exploitation to ensure we remain safe from this issue. We have seen some scans from the Internet checking whether we are viable targets for this vulnerability, which we currently are not. As of the time of this post, we have no evidence that the IAS has been negatively affected.