Shellshock – CVE-2014-6271
Over the past 24 hours a new vulnerability has been identified, which you may have heard of under the name ‘Shellshock’ and which relates to CVE-2014-6271. Shellshock is a Bash shell exploit that allows data passed in from a frontend program or script, such as PHP, Java, Perl or C/C++, to be executed by the backend shell. It can also be reached via third-party programs such as OpenSSH, DHCP and web servers like Apache. For additional information on this vulnerability, see the US Vulnerability Database (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271).
The affected Bash shell versions are 1.14.0 through to 4.3, which covers most Linux environments and Linux based devices such as Apple iOS and OS. Android devices are not affected as they do not use a Bash shell unless one is installed by the user. The impact of this vulnerability is wider than just Linux servers/PCs and Apple, as Bash is also used as a standard background environment on the majority of vendor-specific appliances.
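For teams reviewing their own web servers, the following added example (not Astro's tooling and not part of the original advisory) scans an Apache combined-format access log for the Bash function-definition marker `() {` that CVE-2014-6271 requests carry in request fields. The log lines, addresses and the names `sample_log` and `scan_log` are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag access-log entries whose request line, Referer or
# User-Agent contains the Bash function-definition marker "() {".

# Constructed sample log (documentation-range addresses; the text that
# would follow the marker is replaced with [REMOVED]).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [25/Sep/2014:09:12:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2014:09:12:44 +0000] "GET /app/status HTTP/1.1" 200 87 "-" "() { :;}; [REMOVED]"
203.0.113.5 - - [25/Sep/2014:09:13:02 +0000] "GET /app/status HTTP/1.1" 200 87 "()  { :;}; [REMOVED]" "curl/7.38.0"
192.0.2.44 - - [25/Sep/2014:09:14:30 +0000] "GET /search?q=sum() HTTP/1.1" 200 901 "-" "Mozilla/5.0"
EOF
}

# Reads combined-format log lines on stdin and prints "client field" for
# every quoted field that contains "()" followed by optional blanks and "{".
# Splitting on the double quote puts the request line in $2, the Referer in
# $4 and the User-Agent in $6 (assumes no escaped quotes inside fields).
scan_log() {
    awk -F'"' '
    function hit(v) { return v ~ /[(][)][ \t]*[{]/ }
    {
        split($1, pre, " ")          # first token of $1 is the client address
        if (hit($2)) print pre[1], "request"
        if (hit($4)) print pre[1], "referer"
        if (hit($6)) print pre[1], "user-agent"
    }'
}

# Stand-alone run over the constructed sample.
sample_log | scan_log
```

A hit shows that a request carried the marker, not that the server was vulnerable; correlate flagged clients with the patch state of the host at that time. The last sample line is a benign near-miss (`()` without a following brace) and is not reported.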
The team at Astro have been working through the night checking and patching any of our systems that were affected and we can confirm that we are not vulnerable. We are compiling a list of vendors that are currently either investigating or have confirmed that they are indeed vulnerable. We will be contacting any customers throughout the rest of the day that we feel need to be concerned. In addition to this we have been working with partners to ensure that all customer equipment or connecting networks are also up to date.
Should you have any concerns or queries then please contact the Astro Service Desk where we will be only too pleased to answer any questions or provide advice where we can.