Emergency Maintenance Applied - Bash

9/26 update:

We have completed emergency maintenance to close the new severe bash vulnerability named ShellShock.

I will be writing a security article on the vulnerability in the near future. Edit: here it is

Viking's network uses a mixture of operating systems that are tuned for security by our staff. Some important facts: we do not use an OS that defaults to bash, but it does contain bash. Bash is disabled on all servers. We have taken the extra precaution of locking down bash with our intrusion prevention system, so even if a program calls bash, bash will not be able to run, execute code, navigate, or access any resources.

All VikingVPN services are now hardened against the attack with multiple layers of protection. We do not believe we were vulnerable to attack via this vector originally, but these additional measures are precautionary.

No ShellShock-related attacks were detected anywhere on our network.

More information:
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
