Vulnerability in Bash – CVE-2014-6271 aka “ShellShock”


Last week a vulnerability in a common system component called Bash was disclosed. This vulnerability, nicknamed ShellShock, enables an unauthorized actor to execute commands on any affected system. Bash (short for the Bourne Again SHell) is a common application on Unix- and Linux-based systems, and provides a number of services to the operating system.

While most well known as a “shell” (a text-based environment for interacting with a system), the Bash program also provides services to other common applications, like web servers, SSH servers, and mail servers. Since those types of services are often Internet-facing, this vulnerability is especially serious.

Since receiving the initial information about ShellShock, the EI Security Operations team have been evaluating the risk to our customers and have begun a review of all systems, starting with Internet-facing systems and moving to the internal networks.

At this time no action is necessary on the part of our customers. Your EI account director will be reaching out directly to each customer this week to let you know when we have either cleared the risk or identified any vulnerable systems.

We will be providing regular updates on this vulnerability, and are always available if any customer has a specific question or concern.

Additional details can be found at:
https://www.us-cert.gov/ncas/alerts/TA14-268A
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
