Friday 26 September 2014
This post details the implications and status of the Shellshock bug (also known as the Bash vulnerability), which has just been discovered and reported:
What is this about?
This is a serious security issue with widespread global coverage.
As of today, the mainstream media has also picked up on this issue and is reporting on it (e.g. US-based ABC News).
The bug, which is being referred to as “Shellshock”, can in some circumstances allow attackers to remotely access and control systems, using Bash (and programs that call Bash) as the attack vector. Bash is a command shell, an integral part of the overall operating system. The bug potentially affects GNU/Linux, Solaris, Apple’s OS X and Microsoft Windows (if, for example, Cygwin is installed).
Additional technical details about the issue can be found at CVE-2014-7169.
When was a “fix” released?
As of today, upstream developers have patched the bug and released a software update that fixes it. In the hours that followed, the fix was incorporated into the update packages of various software vendors and open-source projects, for system administrators to apply to affected servers.
For client-owned or client-managed computing devices, updates are or will be similarly available for Apple devices and others, and for any other device that requires the update, such as home Internet routers.
What has Mach done?
Following publication of the security alert by the authorities, Mach immediately completed a full audit of all systems that use Bash (via a special automated test performed by our 24/7 Enterprise Monitoring Platform). This immediately identified the systems that required the patched version of Bash.
Mach then applied the update to all identified systems, in risk-prioritised order, within 24 hours.
No firewall or router infrastructure was affected.
No known issues have arisen as a result of this bug in any Mach-managed infrastructure.