Shellshock Vulnerability Requires Attention
The following critical alert is pertinent to system administrators and requires immediate attention.
The United States Computer Emergency Readiness Team (US-CERT) issued two critical security alerts, CVE-2014-6271 and CVE-2014-7169 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271 and http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169), regarding the recently discovered Shellshock vulnerability (previously called the Bash bug). The alert is the highest level alert that can be issued, rated 10 on a scale of 10. In comparison, the recent Heartbleed vulnerability was rated 5 out of 10.
Shellshock affects all devices running Gnu/Bash (including Unix, Linux, and Mac OS X operating systems). It gives attackers privilege escalation and the ability to execute arbitrary code on affected systems. As vendors make security patches available for this issue, they should be applied immediately.
As of September 25, previously released patches addressing CVE-2014-6271 were found to have not fully addressed the vulnerability, prompting the issuance of CVE-2014-7169. Consequently, system administrators should be on the lookout for updated patches for all devices running Bash.
As Information Technology (IT) staff identify methods for detecting the Shellshock vulnerability, Security Operations and Services (SOS) will scan for, identify, and notify Penn State IT staff about vulnerable devices on University networks. SOS will also continue to monitor for specific threats that could affect the wider Penn State community.
As this situation unfolds, SOS will release updated information as needed.