When the Heartbleed vulnerability was publicly disclosed, awareness and a rapid response to the disclosure largely mitigated the potential damage.
On September 25, a new vulnerability was publicly disclosed: Shellshock, a vulnerability in the Bash shell. Bash is a command line interface used on a large number of Unix-like systems. The list of affected operating systems includes Linux, Google Android, Apple OS X, and in some instances Microsoft Windows. This vulnerability can give an attacker remote command line access to a system via a large number of services, including web sites, SSH, FTP, telnet, and many others.
Even if your organization does not have any Linux or OS X servers, there are likely embedded devices that are vulnerable. Most phones, routers, switches, and other network devices will be running an embedded version of Linux that contains a vulnerable version of the Bash shell.
Here is what you can do
Do not ignore this vulnerability. CliftonLarsonAllen recommends that the process of identifying and patching potentially vulnerable devices begin as soon as possible.
- Identify devices vulnerable to Shellshock. Several vulnerability scanners, including Tenable Nessus, Rapid7 Nexpose, Qualys, and Greenbone OpenVAS have been confirmed to positively identify this exposure.
- Contact your respective vendors to obtain a patch for each host and service identified as vulnerable to Shellshock. Many vendors have already provided a patch for their devices and software.
- Validate patching status for each device to verify that the applied patch was effective in remediating the Shellshock vulnerability.
- Monitor vulnerable devices for unusual activity.
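The validation step above can be performed locally on any host where you have a shell. The following script is an added example, not part of the original advisory: it runs the widely published self-test in which a trailing command is appended to an exported function definition, and reports whether the installed bash still executes it. It assumes `bash` is on the PATH of the host being checked.

```shell
#!/bin/sh
# Report whether the bash on this host still runs code appended to an
# exported function definition (the Shellshock behaviour).
# Prints "patched", "vulnerable" or "no-bash"; exit status 0, 1 or 2.
# Assumption: the bash under test is the first "bash" on PATH.
shellshock_status() {
  if ! command -v bash >/dev/null 2>&1; then
    printf 'no-bash\n'
    return 2
  fi
  # A patched bash imports only the function body "() { :;}" and ignores
  # the trailing "echo vulnerable"; an unpatched bash executes it.
  out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null)
  case "$out" in
    *vulnerable*) printf 'vulnerable\n'; return 1 ;;
    *)            printf 'patched\n';    return 0 ;;
  esac
}

# Run the check when the script is executed directly.
shellshock_status
```

This probe covers only the original function-import behaviour; a vulnerability scanner or vendor advisory should confirm that later Shellshock-related fixes were also applied.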
Shellshock in the news
Despite this vulnerability being one day old, large-scale attacks have already been reported by organizations including Akamai and the U.S. Department of Defense. While no large-scale breaches or incursions have been reported yet, it is anticipated that a large number of organizations will fall victim to this attack.
How we can help
CLA can perform scanning and penetration testing of your business's systems to help you understand whether your organization is vulnerable to Shellshock or other issues.
More information about the Shellshock vulnerability is quickly becoming available.