[Faccus] Bashbug/ShellShock, statement from Information Security Services

Heather Wey hawey at uwaterloo.ca
Thu Sep 25 12:07:51 EDT 2014


From: Jason Testart, Director, Information Security Services

What is happening? Early Wednesday morning, we were made aware of a bug in the bash shell where arbitrary code could be executed by simple injection in the environment.  Bash is the default shell for Linux and Mac OS X. Every version through 4.3 is vulnerable (this could also affect embedded devices such as network attached storage (NAS), home routers, etc.).

What is the risk? While we know almost any device based on Linux/OS X is vulnerable, it is still unknown how exploitable this bug is.  If an attacker can exploit this bug, then they can gain access to internal data, reconfigure environments, insert malicious code, etc. It's almost limitless and it's also readily automatable.

What do system administrators need to do?  Upgrade or patch systems and devices, as updates/patches become available.  A priority should be web servers running any flavour of Unix/Linux (e.g. Apache servers where mod_cgi or mod_cgid are enabled), and OpenSSH servers where the "ForceCommand" feature is used.  Note: There are reports of patches not being entirely effective; systems should be monitored closely.
There's a simple test The Register suggests <http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/>, which is running this command within your shell:
env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
If you get "busted" echoed back, you've exploited the bug and are therefore vulnerable.

What do clients need to do? If you're running OS X install updates pushed out to your system or device from Apple immediately when they arrive. Watch for any advice you may get from your vendor or other providers of devices you have that run embedded software. Note: As always, be cautious of emails requesting information or instructing you to run software - events like this are often followed by phishing attacks that capitalise on consumers' fears.

Questions/concerns? Please contact the IST Service Desk, helpdesk at uwaterloo.ca <mailto:helpdesk at uwaterloo.ca> or ext. 84357.

Recipients of this message: isthd; ist-staff; admin-support; faccus; mactug; uwweb; ctsc; ucist; SSO, MSC (CPA); Daily Bulletin


Heather Wey
IST Communications
University of Waterloo
519-888-4567 x35878