Security Advisory - Bash "Shellshock" Vulnerability

Written September 30, 2014

On September 24th, Red Hat Software publicly disclosed a critical security vulnerability affecting Unix-based operating systems such as Linux and Mac OS. The vulnerable component, the Bash command line interface, is used throughout IT Freedom's network and server infrastructure. This email details the steps we have taken in response to this vulnerability and also provides additional information about how this issue might impact you.

What IT Freedom Has Done

IT Freedom uses firewall rule sets to deny public shell access to servers as a matter of general policy. However, in order to ensure that our networks and the networks of our customers would not be vulnerable to this bug--regardless of attack vector--our engineering team applied the patch to all of our managed servers within 5 hours of the patch's release.

On the evening of September 25th a second security announcement was released, stating that the first patch left a secondary vulnerability unaddressed. Updated patches were released within 45 minutes of this second announcement. Our engineering team applied this second patch to all managed servers within 2 hours of its release.

What IT Freedom Is Doing Going Forward
 
Our engineering and management teams will continue to monitor security lists and vendor news feeds for updates concerning relevant vulnerabilities. Additional updates will be provided if necessary.

What You Can Do

If you'd like to know more about this vulnerability, check out the United States Computer Emergency Readiness Team's post about it at:

https://www.us-cert.gov/ncas/current-activity/2014/09/24/Bourne-Again-Shell-Bash-Remote-Code-Execution-Vulnerability

If you're running Mac OS, keep an eye out for a patch from Apple (9/30/14 Update: This patch has been released). Software Update checks weekly for patches from Apple; if you'd like to get updates immediately, go to System Preferences > Software Update > Update Now.

Finally, reach out to your other vendors to make sure that they're aware of the vulnerability and have a plan in place to mitigate its impact.