ShellShocked web servers

Security news this week was dominated by the vulnerability in GNU Bash, the Bourne Again Shell. This post is to allay any fears and confirm that all our servers are safe from this vulnerability.

The affected shell is common to many *NIX systems such as Linux and Unix servers, and also Mac OS X machines. Windows machines do not use Bash and are thus not affected by this vulnerability.

The vulnerability allows an attacker to execute arbitrary commands on the machine, not only through the command shell, but also through some CGI web interfaces, which pass request data to Bash as environment variables. If left unpatched, servers vulnerable to this attack can fall under the control of bad people.

As soon as the news of bug CVE-2014-6271 broke, we tested all our Linux servers. About a third of them were indeed vulnerable and we were able to plug the hole immediately. Unfortunately the initial patch was subsequently shown to be an incomplete solution, and a server exploit through a more extensive procedure was still possible. Enter bug CVE-2014-6271…
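As an added illustration (not part of the original post), this is the kind of local self-check an administrator runs on a server to confirm that the installed Bash neither executes code appended to an environment-imported function definition (the original flaw) nor trips over the unterminated-definition parser bug that the first patch left open. It assumes a POSIX sh and that `bash` is on the PATH; the function name `shellshock_check` is my own.

```shell
#!/bin/sh
# Added example, not the post's own code. Reports "patched", "vulnerable"
# or "no-bash" and returns 0 only when the installed bash is safe.
shellshock_check() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }

    # Check 1: the original flaw. Bash imported any environment variable whose
    # value began with "() {" as a shell function and kept parsing past the
    # closing brace, so the trailing "echo VULN" ran when bash started, before
    # the requested command. A fixed bash only prints "ok".
    out=$(env x='() { :;}; echo VULN' bash -c 'echo ok' 2>/dev/null)
    case "$out" in
        *VULN*) echo "vulnerable"; return 1 ;;
    esac

    # Check 2: the follow-up parser bug. An unterminated definition left the
    # parser in a state where the next command's word was taken as a
    # redirection target, so "echo date" created a file named "echo" in the
    # working directory. Run it in a scratch directory so nothing is left
    # behind; a fixed bash simply echoes the word "date".
    tmp=$(mktemp -d) || { echo "error"; return 2; }
    ( cd "$tmp" && env x='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$tmp/echo" ]; then
        rm -rf "$tmp"
        echo "vulnerable"
        return 1
    fi
    rm -rf "$tmp"

    echo "patched"
    return 0
}

shellshock_check
```

A result of "vulnerable" from either check means the server still needs the updated bash package and a restart of any service that spawns shells, such as CGI web servers.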

We are happy to report that a comprehensive bug fix was released earlier today to address all the known vulnerabilities. We have been updating and rebooting servers; all are now fully patched.