
Shellshock Vulnerability: Businesses Should Continue to Monitor

You may have heard recently about a new computer vulnerability called Shellshock that affects the Bourne-Again Shell (Bash), a command line program present on many Linux, Unix, and Mac systems.

Bash is a software program that Linux and Unix (and Mac) systems use to execute programs and commands from a text-based command line interface, similar to the command prompt on Windows-based computers. IT personnel use Bash to perform a number of actions, such as running commands or processing information, on these systems. Bash is very popular on Linux and Unix systems and has been in use for approximately 25 years.

The Shellshock vulnerability lies in the way Bash stores and processes data held in environment variables. By exploiting this flaw, an attacker can execute code that could potentially grant them unauthorized access to the affected system. The vulnerability was identified by security researchers in early September 2014 and disclosed to the public on September 24, 2014.

The major concern with Shellshock is the relative ease with which an attacker can exploit the vulnerability, and therefore gain access to information stored on or processed by the vulnerable system. This is further compounded by the widespread use of Bash. Indeed, many web-servers in use today use some form of Bash. It is also used in other situations, such as industrial systems, internal servers, and Linux-based workstations.

Various patches have been released to update Bash; however, related vulnerabilities continue to be discovered. Businesses should determine whether there are any installations of Bash on their network, and whether or not those installations are vulnerable. In addition, businesses should evaluate any web-servers and other Linux- and Unix-based servers for the vulnerability. Also, consider whether your vendors have any vulnerable installations, and whether they have been remediated.
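One way to check whether a given Bash installation is still affected by the original Shellshock bug, as an added example that is not part of this article: the script exports an environment variable shaped like a Bash function definition with a harmless marker command after the function body, starts Bash, and reports whether the marker was executed at startup. It assumes only that Bash is on PATH; BASH_BIN and the marker string are constructed names.

```shell
#!/bin/sh
# Added example (not from the article): a local self-check for the original
# Shellshock bug in whichever Bash this machine runs. Bash imports functions
# from environment variables whose value starts with "() {", and an unpatched
# Bash also executed any commands that followed the function body.
# Assumes only that Bash is on PATH; BASH_BIN and MARKER are constructed.

BASH_BIN="${BASH_BIN:-bash}"
MARKER="SHELLSHOCK_CHECK_MARKER"

# Exit status: 0 = patched (trailing command ignored), 1 = vulnerable
# (trailing command ran at startup), 2 = no Bash binary found.
check_shellshock() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || {
        echo "no bash binary found"
        return 2
    }
    # A patched Bash prints a warning on stderr and ignores the definition,
    # so stderr is discarded and only stdout is inspected for the marker.
    out=$(env "x=() { :; }; echo $MARKER" "$BASH_BIN" -c 'true' 2>/dev/null)
    case "$out" in
        *"$MARKER"*)
            echo "VULNERABLE: $BASH_BIN ran a command taken from an environment variable"
            return 1 ;;
        *)
            echo "patched: $BASH_BIN ignored the trailing command"
            return 0 ;;
    esac
}

# Print the Bash version alongside the result, for the patch-status record.
report_bash_status() {
    "$BASH_BIN" --version 2>/dev/null | head -n 1
    check_shellshock
}

report_bash_status
```

This checks only the original bug; the related Bash vulnerabilities the article mentions must be confirmed against vendor advisories and installed package versions rather than this single test.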

For financial institutions, the Federal Financial Institutions Examination Council (FFIEC) has issued a joint statement advising institutions about the vulnerability and related risks.

Businesses should continue to monitor the status of these vulnerabilities and related remediations, and apply patches using appropriate change and patch management procedures.