By now you may have heard of the latest vulnerability that effects over 500 million devices around the world!! Not only are web servers effected by things like your security cameras, Android devices and even Mac OSX! Here’s a super detailed explanation from Troy Hunt:
Additional information from Trend Micro:
|A brand new vulnerability has been disclosed that will have widespread impacts.
The vulnerability, known as Shellshock (CVE-2014-6271 and CVE-2014-7169), is found in Bash, the dominant shell for Unix and Linux (default), and can also be found in Mac OS X, some Windows server deployments, and even Android. It enables remote code injection of arbitrary commands without authentication, which can then allow malicious code execution that could be used to take over an operating system, access confidential data, or set the stage for future attacks.
|NIST rates this a 10 (out of 10) on the severity score, based on the fact that it is 1) widespread and common, 2) easy to execute an attack (low complexity) and 3) no authentication required when exploiting Bash via CGI scripts. Unlike the recent Heartbleed vulnerability, this is even more prevalent and easily accessed, making it a much bigger risk to organizations.|
|Who is affected?
Any organization or user that has bash enabled on a server, desktop, or device is affected by this vulnerability. This includes the over 500 million web servers on the Internet today. As well, end-users’ accessing web sites or services being run on affected servers are vulnerable to their personal and business information falling into the wrong hands.
|What can customers do?
This is a critical vulnerability and should be addressed and patched as soon as possible. One big challenge is that there will be many patches that will have to be both produced and then distributed (ex: each Linux distro that uses bash will need to deliver a patch), making it very difficult to address quickly. The second is that many devices that could be compromised based on running Linux (ex: routers, medical devices) will not be easily patched.
|Trend Micro has two key recommendations for organizations:
|Specific Advice for Different Use Cases: