A new vulnerability in Bash, a widely installed command shell, was disclosed yesterday. The media have dubbed it “Shellshock”. Pythian’s systems were patched overnight and are no longer vulnerable.
This vulnerability affects any system with a vulnerable version of Bash installed. That includes essentially every Linux distribution, but also Mac OS X, most other Unix variants, and network appliances or embedded devices that bundle Bash. A system that does not have Bash installed at all, such as a Windows server without a Unix compatibility layer like Cygwin, is not affected.
What is Bash?
Bash is a “shell”: the program that reads commands typed by a person, or handed to it by another program, and runs them, whether that is listing a directory, moving or copying files, or launching other programs. On many Linux systems /bin/sh is Bash, so any program that asks the operating system for “the shell” gets Bash without ever naming it.
What is the vulnerability in Bash?
The vulnerability allows an attacker to run arbitrary commands on an affected machine. When Bash starts, it reads its environment variables, and any variable whose value begins with “() {” is treated as an exported function definition. Vulnerable versions keep parsing past the end of that function body and execute whatever follows it. So anyone who can control an environment variable seen by a Bash process can run commands with that process’s privileges. If this required a human at the keyboard it would hardly matter, since that user is already logged in and already allowed to run commands. The problem is that Bash is routinely started by other software, with no human involved, and some of that software copies data supplied by outsiders into the environment. Web servers running CGI scripts are the clearest case: request headers such as User-Agent are exported as environment variables (HTTP_USER_AGENT) before the script runs, so if the script is written in Bash, or shells out through a /bin/sh that is Bash, any anonymous visitor to your web pages can run commands on the server as the web server user, and from there take it over, serve malicious code, or steal confidential data. Any other service that passes attacker-controlled data into a Bash environment is exposed the same way. More information is available here: CVE-2014-6271.
What should you do?
Patches are available from all major Linux vendors, including Red Hat, Debian, and Oracle, for their distributions; for other systems that ship Bash, check with the vendor. Be aware that the first round of fixes was found to be incomplete (tracked as CVE-2014-7169), so apply follow-up updates as your vendor releases them and re-test after patching rather than assuming one update is enough. Most Web Application Firewalls (WAFs) have been updated with signatures for the HTTP vector, but a WAF only sees web traffic and cannot protect other services that hand data to Bash, so treat it as a stopgap, not a substitute for patching.
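The check below is added here as an example and is not code from the original post or from any vendor advisory. It reproduces the mechanism described above on your own machine: an environment variable whose value starts with “() {” followed by a trailing command. The variable name HTTP_USER_AGENT is chosen to mirror how a CGI server exports a request header; a vulnerable Bash runs the trailing command during startup, before the harmless `-c` command, while a patched Bash does not. It assumes a POSIX shell and a `bash` binary on the PATH (or a path passed as the first argument); the marker string and the function name are this example’s own.

```shell
#!/bin/sh
# Added example: local self-test for CVE-2014-6271 (Shellshock).
#
# Pre-patch Bash imports any environment variable whose value begins with
# "() {" as a shell function, then keeps parsing past the closing brace and
# executes whatever follows. Here that is an echo of a marker string, run
# while Bash is starting up, before the command given with -c is reached.
# Patched Bash either ignores the variable or stops at the function body,
# so the marker never appears.
#
# Prints one word and sets the exit status:
#   "patched"    (0)  trailing command did not run
#   "vulnerable" (1)  trailing command ran: update Bash now
#   "no-bash"    (2)  no bash binary found to test
shellshock_check() {
    target="${1:-bash}"                 # bash binary to test, default: first on PATH
    marker="SHELLSHOCK_TRAILING_CMD_RAN" # string only a vulnerable Bash will print

    command -v "$target" >/dev/null 2>&1 || { echo "no-bash"; return 2; }

    # The variable name mimics a CGI server exporting the User-Agent header;
    # in a real attack the value is whatever the remote client sent.
    out=$(env "HTTP_USER_AGENT=() { :;}; echo $marker" \
              "$target" -c 'echo request-handled' 2>/dev/null)

    case "$out" in
        *"$marker"*) echo "vulnerable"; return 1 ;;
        *)           echo "patched";    return 0 ;;
    esac
}

# Run against the default bash when executed directly.
shellshock_check
```

Run it once before patching and once after each vendor update; a result of “vulnerable” on a host you believe is patched usually means a second Bash binary (for example under /usr/local) was not updated, so point the function at that path explicitly.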
Notice to clients who use Amazon/AWS
Amazon is going to be proactively rebooting ALL AWS instances between September 26, 2014, at 2:00 UTC/GMT (September 25, 2014, at 7:00 PM PDT) and September 30, 2014, at 23:59 UTC/GMT (September 30, 2014, at 4:59 PM PDT). They have not stated what ‘bug’ they are fixing at this point and do not intend to do so until all of the reboots have been completed. This is a very large scale effort, and one Amazon has decided is necessary due to the severity of the bug.
Reports indicate all instance types will be rebooted, with the exception of T1, T2, M2, R3, and HS1. An Amazon-initiated reboot of the underlying host does not update the Bash package inside your instance; you still need to apply your distribution’s Bash patch yourself.
For more information see below; notices for affected instances should also be visible within your AWS Console.
• If you are a Pythian client, please contact your team lead immediately to coordinate patching your systems.
• If you are not a Pythian client: Pythian offers a rapid response team that can rectify these sorts of situations and can help harden your systems to prevent exploits. To engage Pythian, please email firstname.lastname@example.org.
Paul Vallee, CEO – Pythian