Security Alert: Linux, Mac OS X, and Other UNIX Systems Threatened
A serious vulnerability has been discovered in the bash shell used as default in many UNIX-like operating systems. This includes Linux, Mac OS X, and many others. This vulnerability allows remote attackers to execute arbitrary code through the Apache web server, OpenSSH, the DHCP client and other situations.
This means that almost any UNIX-based device exposed to the Internet, including embedded devices like network attached storage (NAS) units, webcams, routers, etc., are probably vulnerable. Microsoft Windows machines are not affected.
On Linux machines, update bash as soon as possible. Almost all distributions of Linux use bash as the default shell. The current versions of bash available from RedHat and other other vendors are incomplete patches. They fix the most important part of the problem, but not all of it; you'll need to patch again later in the day.
Apple has not released a fix for bash yet. It is not included in the "Command Line Tools (OS X 10.9)" update released on Wednesday.
ITS is responding to this threat in the following ways:
- Installing patches and mitigating workarounds on ISU central systems
- Monitoring network traffic to identify attacks from off-campus and blocking them where feasible
- Monitoring network traffic to identify systems on campus that have been exploited
- Searching for on-campus systems that are vulnerable so we can provide direct notification to their administrators
- Providing information and encouraging everyone to install patches to their systems as soon as possible
The SANS Internet Storm Center has put together a list of frequently asked questions (FAQ) about this vulnerability. This flaw is covered by two NIST advisories in the National Vulnerability Database, CVE-2014-6271 and CVE-2014-7169 where more information is available.
To help prevent fraud, forward any suspicious messages to . The ITS security team will investigate the issue and contact you if they need more information.