Shellshock is the nickname for a bug in Bash (the Bourne Again Shell), a command-line interpreter, also known as a shell. Because Bash is widely adopted as the default command-line interpreter, many operating systems, including Linux, Unix, BSD and Apple's OS X, can be vulnerable to attack. We are working with our vendors to quickly apply patches for the Shellshock Bash vulnerability (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278) to our systems, and we are working with clients to identify whether their systems are affected.
“GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka “ShellShock.” NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.” (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271)
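The MITRE description above explains the mechanism: Bash imports function definitions from environment variables and, when unpatched, keeps parsing and executing whatever follows the function body. The script below is an added example, not part of this advisory or any vendor's tooling, that runs the two widely published local self-tests for the original bug (CVE-2014-6271) and the incomplete first fix (CVE-2014-7169) against the Bash found on PATH (or the one named in the assumed BASH_BIN variable). Both probes only ask Bash to echo or to write into a throwaway temporary directory; a patched Bash ignores the trailing text and nothing beyond the echo happens. It does not cover the later parser CVEs listed in the first paragraph, so a clean result here still means the vendor patch level should be confirmed.

```shell
#!/bin/sh
# Added example (not from the advisory): local self-test for the Shellshock
# family. Assumes a Bash binary is reachable as "bash" or via BASH_BIN.
BASH_BIN="${BASH_BIN:-bash}"

# CVE-2014-6271: returns 0 if Bash ignores text after an exported function
# body (patched), 1 if the trailing "echo vulnerable" is executed (vulnerable).
check_cve_2014_6271() {
    out=$(env x='() { :;}; echo vulnerable' "$BASH_BIN" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 1 ;;
        *)            return 0 ;;
    esac
}

# CVE-2014-7169: the first fix left a parser state that let the next command
# be rewritten. The public test makes a vulnerable Bash create a file named
# "echo" in the working directory; we run it inside a fresh temp dir so the
# probe is self-contained, then look for that file. Returns 0 patched,
# 1 vulnerable, 2 if no temp dir could be created.
check_cve_2014_7169() {
    tmp=$(mktemp -d) || return 2
    ( cd "$tmp" && env X='() { (a)=>\' "$BASH_BIN" -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$tmp/echo" ]; then
        rm -rf "$tmp"
        return 1
    fi
    rm -rf "$tmp"
    return 0
}

# Prints a one-line summary and returns 0 only when both probes pass.
shellshock_status() {
    status=0
    if check_cve_2014_6271; then
        printf 'CVE-2014-6271: not vulnerable\n'
    else
        printf 'CVE-2014-6271: VULNERABLE\n'; status=1
    fi
    check_cve_2014_7169
    case $? in
        0) printf 'CVE-2014-7169: not vulnerable\n' ;;
        1) printf 'CVE-2014-7169: VULNERABLE\n'; status=1 ;;
        *) printf 'CVE-2014-7169: could not test (no temp dir)\n'; status=1 ;;
    esac
    printf 'Bash version under test: %s\n' "$("$BASH_BIN" -c 'echo "$BASH_VERSION"')"
    return $status
}

# Run the summary when executed directly (not when sourced by another script).
case "$0" in
    *sh) : ;;
    *) shellshock_status ;;
esac
```

Run it on each host as the account that actually launches CGI scripts, SSH forced commands or DHCP hooks, since BASH_BIN may differ from the interactive shell; a "VULNERABLE" line means the system needs the vendor patch regardless of what the package manager reports.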
For those using the ESXi/ESX Hypervisor and related products, please follow this KB from VMware:
vSphere ESXi/ESX Hypervisor
“ESXi 4.0, 4.1, 5.0, 5.1, and 5.5 are not affected because these versions use the Ash shell (through busybox), which is not affected by the vulnerability reported for the Bash shell.
ESX 4.0 and 4.1 have a vulnerable version of the Bash shell. Although these versions have passed their EOL product cycle, VMware will provide a patch.”
For those using the Citrix XenServer Hypervisor and related products, please follow this article from Citrix:
Contact us if you have any concerns regarding this Security Advisory on any services you have with RedOrum or any existing technology.