First there was Heartbleed. Now there is Shellshock. Computing operations as common as keypads and used practically everywhere have been unwittingly sheltering security flaws that are hiding in plain sight.
Shellshock is a security vulnerability affecting the GNU Bourne Again Shell (Bash), the most popular command line for most Unix and Linux distributions including Macs, embedded systems, servers, network routers and switches. (Windows systems are not vulnerable.) Bash is commonly used for entering commands executed indirectly by other applications, for example via a web server.
If a server accepts Bash commands directly or indirectly, attackers may be able to exploit weaknesses to steal sensitive data such as passwords or customer lists, deface websites, turn off web servers or specific functions, or modify or destroy data. Attackers can also potentially implant malware on vulnerable machines or “pivot” to attack additional machines on the network.
SilverSky, Peak 10’s security technology partner, has been all over this since it was first uncovered last week. SilverSky assessed its own production infrastructure for this vulnerability and all systems that could have been vulnerable and exploitable have been updated. This includes the security platforms that SilverSky manages on our behalf. Our partner has instituted measures that maximize its ability to detect attempts at exploiting this vulnerability inside its customers’ environments, and it continues to monitor for additional updates.
Peak 10 has hardened all of its internal and public-facing systems to the vulnerability. In addition, we are continuing to work with our Managed Services customers to install the applicable updates on customer devices.
If you use Bash as your shell, you should apply the vendor-recommended patches as soon as possible. All major distributions have made a patch available in their base repositories, which you can apply. SilverSky advises that patching your systems is the most effective action you can take to mitigate this vulnerability. Note that this vulnerability can also affect saved images, an important consideration when using these images in the future.
Here are some additional sources of information about Shellshock that you may find helpful.
We bring all this to your attention to assuage concerns you may have and to recommend that you take appropriate action within your own organizations. Do not hesitate to contact Peak 10 with questions.