Shellshock-Bash Bug Resources

Apple Security Updates for Mac OS X:

OS X Lion (10.7.x)
http://support.apple.com/kb/DL1767
OS X Mountain Lion (10.8.x)
http://support.apple.com/kb/DL1768
OS X Mavericks (10.9.x)
http://support.apple.com/kb/DL1769

To check, run the following command in a terminal window:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you are vulnerable, you will see two lines: "vulnerable" and "this is a test".

If you are not vulnerable, you will only see the line "this is a test".
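
A host can carry more than one copy of bash, so the check above is worth scripting against each of them and reading the result mechanically. The script below is an added example, not part of the original page; the function names and the list of candidate paths are assumptions.

```sh
#!/bin/sh
# Added example: automate the page's Shellshock check for every bash on a host.

NL='
'

# Map the check's stdout to a verdict, using the two outcomes the page describes.
classify_output() {
    case "$1" in
        "vulnerable${NL}this is a test") echo "vulnerable" ;;
        "this is a test")                echo "not vulnerable" ;;
        *)                               echo "inconclusive" ;;
    esac
}

# Run the page's exact command against one shell binary (path in $1).
check_bash() {
    [ -x "$1" ] || { echo "inconclusive"; return 0; }
    out=$(env x='() { :;}; echo vulnerable' "$1" -c "echo this is a test" 2>/dev/null) || true
    classify_output "$out"
}

# Candidate paths (assumed locations): /etc/shells entries, bash on PATH, common
# install dirs, and /bin/sh, which is itself a bash build on some systems.
list_candidates() {
    {
        grep -E '^/.*/bash$' /etc/shells 2>/dev/null || true
        command -v bash 2>/dev/null || true
        printf '%s\n' /bin/bash /usr/bin/bash /usr/local/bin/bash /bin/sh
    } | sort -u
}

# Print one "path: verdict" line per executable candidate.
scan_host() {
    list_candidates | while IFS= read -r shell; do
        [ -x "$shell" ] || continue
        printf '%s: %s\n' "$shell" "$(check_bash "$shell")"
    done
}

scan_host
```

Any line reporting "vulnerable" names a binary that still needs the update; "inconclusive" means the shell did not produce either of the two expected outputs and should be checked by hand.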

Additional information:

********************************************************************
Message Update to Campus

Many of you have read or heard about the Bash Bug also called Shellshock, a security vulnerability discovered in a commonly used utility within UNIX/Linux systems and Mac OS X.

If you are a UNIX/LINUX Sysadmin:
Administrators of UNIX/Linux-based systems should monitor their systems for both OS and application updates that address this issue.

This vulnerability affects UNIX/Linux-based operating systems and grants a potential attacker the ability to compromise the server or system itself. This may allow the attacker to load malware, download files and password/user databases, upload HTML and deface web pages, or subscribe to a bot-net used to hack, distribute malware, or perform DDoS (Denial of Service) attacks and other potential activities where the attacker has full access to the system.

Everyone else -- what should you do?

  • Make certain your anti-virus/anti-malware scanners are up to date.
    Even though this bug impacts mainly server systems, any compromised systems may be used to deliver malware to a host. Making sure your anti-malware software is up to date and actively scanning and updating on both Lehigh and home systems is important.

  • Do not use dedicated-purpose PCs to surf the Internet.
    Any PC that has a dedicated purpose for PCI (payment card industry) processing, etc. should not be used to surf the Web. As noted above, malware can be delivered via compromised systems.

  • Apply the latest updates to your work and home computers - and your mobile devices.
    If you administer server systems that utilize the Bash shell, make sure the system is updated and secure. Application updates will follow on the initial systems updates and should be applied expeditiously. Make sure PCs are updated as mentioned above.

  • If in doubt, contact us at the Help Desk (610-758-HELP) or email Information Security (security@lehigh.edu).

What is LTS doing?
Since Wednesday, September 24th, Library and Technology Services (LTS) has been patching systems, updating systems and applications deemed vulnerable, scanning for additional system vulnerabilities across campus, and notifying non-LTS custodians of affected systems. Thus far our population of impacted systems has been very low, but we are only able to scan active systems within Lehigh. Administrators of UNIX/Linux-based systems should monitor their systems for both OS and application updates that address this issue.

See LTS Alerts on the Inside Lehigh page for updates and recommendations.

Unlike the Heartbleed Bug that struck this spring that compromised OpenSSL Certificates, the Shellshock Bug is not as prevalent a vulnerability at Lehigh. However, as the level of compromise can be much greater and the Internet community as a whole is impacted, we as good Internet neighbors should be vigilant about updates being applied and Internet websites visited.

Sincerely,

Bruce M. Taggart, Ph.D.
Vice Provost, Library & Technology Services

For additional help, please contact the LTS Help Desk at 610-758-4357 or helpdesk@lehigh.edu