On September 24th 2014 a security vulnerability was publicly announced that appears to affect a large percentage of internet-connected devices. This vulnerability, known as Shellshock, is critical and could allow an attacker to perform remote code execution on hosts running a vulnerable version of Bash, a popular Unix/Linux shell. SandSIV is taking this issue seriously and has taken the steps detailed below. We have also detailed steps you can take yourself, at the bottom of this article.
What we have done:
On the day the information about this vulnerability was made available, our security team updated all production servers.
Our security architecture includes multilevel security filters, and the risk of such vulnerabilities is covered. Additionally, front-end systems do not have direct access to customer data. Even in a worst case scenario, our clients' data will stay secure.
Since this vulnerability takes advantage of CGI scripts or application Bash calls, our security team extensively reviewed these to determine weaknesses. We have not seen any evidence of vulnerability within the services that make up our production environment.
What we will continue to do:
Monitor vendor security lists, forums, and threat feeds for updates and quickly install any new vendor-recommended security patches. There is a risk that this vulnerability could spawn additional attack vectors, so it is vital that we stay vigilant.
Review our logs and IDS alerts for signals of attack attempts, and block attempts in the future.
Update this forum post as necessary.
What you should do:
Become familiar with the issue. The blog post mentioned in the resources list provides an excellent breakdown of the vulnerability.
Scan your own infrastructure for this vulnerability. At this point, your vulnerability scanning vendor should have updated their signatures to detect this vulnerability. If you do not have a scanning vendor, you can detect the current vulnerability by executing the guidance suggested by The Register (see link below) in your default shell. If you see the word “busted” you are at risk.
env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
If you run OS X, consider disabling all sharing services on devices until Apple releases a patch.
Reach out to your external third-parties to ensure that they are aware of this critical issue, and are executing a mitigation strategy.
Be cognizant of opportunistic phishers who email you to patch your devices. Don’t click on that link!
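As an added example (not part of SandSIV's post), the self-check above and the log review mentioned under "What we will continue to do" written as a small POSIX shell script: it wraps the self-check in a function and scans Apache-style access log lines for the "() {" prefix that vulnerable Bash treats as a function definition. The log lines and IP addresses are constructed sample data, not real traffic.

```shell
#!/bin/sh
# Constructed sample access log (Apache combined format); not real traffic.
# Lines 1 and 3 carry the Shellshock prefix in the User-Agent and Referer
# fields respectively, line 2 is an ordinary request.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo busted"
198.51.100.7 - - [25/Sep/2014:10:01:09 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Sep/2014:10:02:30 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :;}; echo busted" "curl/7.37"
EOF

# Print every log line containing the literal "() {" prefix. Bash only parses
# an environment value as a function when it starts with exactly these four
# characters, so a fixed-string match is sufficient and avoids regex escaping.
shellshock_hits() {
    grep -F -- '() {' "$1"
}

# Number of matching lines (0 for a clean log), with whitespace trimmed.
shellshock_hit_count() {
    shellshock_hits "$1" | wc -l | tr -d ' '
}

# The self-check from the post, applied to a given shell binary.
# Exit status 0 means the shell executed the command appended to the
# environment variable (vulnerable); non-zero means it did not.
is_shell_vulnerable() {
    env X='() { :;}; echo busted' "$1" -c 'echo stuff' 2>/dev/null | grep -q busted
}

# Usage when run directly: list hits, then report the system shell's status.
shellshock_hits "$SAMPLE_LOG"
if is_shell_vulnerable /bin/sh; then
    echo "/bin/sh is vulnerable to CVE-2014-6271"
else
    echo "/bin/sh did not execute the injected command"
fi
```

The same grep can be pointed at a real access log or an IDS export; any hit identifies a request worth reviewing, since legitimate headers never begin with "() {".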
Resources:
Link to vulnerability register: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
Bash: http://en.wikipedia.org/wiki/Bash_%28Unix_shell%29
Blog post: http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
The Register: http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/