Many vendors have released secondary or superseding patches to address additional vulnerabilities found after initial ShellShock-related patches had been applied. Subsequent security advisories on multiple platforms and applications continue to be released regarding numerous vulnerabilities related to ShellShock. Please continue to monitor vendor sites for further updates as some vendors have not yet released updated patches for this vulnerability.
Bash, the Bourne Again SHell, does not properly handle extra characters passed after function definitions, which may allow code execution. This vulnerability may be exploited when an attacker can control environment variables or HTTP headers passed to vulnerable services. Bash is directly, or indirectly, the default shell on many Unix, Linux and Mac systems, so this vulnerability can have widespread impact. Windows systems with Cygwin installed may also be vulnerable. Many embedded systems also run Linux and are vulnerable if Bash is installed. Proof-of-concept code permitting remote code execution over the web is publicly available. Two patches have been released which address the original partial patch and a second related issue in Bash.
An attacker may exploit this vulnerability over the web by interacting with vulnerable cgi-bin scripts. Additionally, unpatched clients may be compromised by interacting with rogue services, such as DHCP and CUPS. Many Unix services parse environment variables by interacting with the shell, so there are numerous potential avenues of compromise.
All Bash versions prior to 4.3 are affected. On many systems /bin/sh is symlinked to /bin/bash. Debian and Ubuntu symlink /bin/sh to /bin/dash; however, they ship with Bash by default, so those systems are still vulnerable.
UISO has observed widespread scanning for this vulnerability on the IU network.
ISO recommends applying patches as soon as possible. Note that there may be multiple patches from each vendor; ensure your system(s) are fully patched and up-to-date.
Systems which do not have patches available or cannot be patched should be isolated from the network until patches are available.
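Because the first Bash patch was incomplete, "patched" is not a single state. The following POSIX shell script is an added example, not part of this advisory, that verifies the local bash binary after patching: it checks that the original function-definition bug (CVE-2014-6271) and the follow-up parser bug (CVE-2014-7169) are both fixed, using only the machine's own bash and a temporary directory.

```shell
#!/bin/sh
# Added example (not from the advisory): local patch-verification for ShellShock.
# Each check invokes the system bash with a crafted environment variable and
# reports "patched" or "VULNERABLE". Nothing here touches the network.

# CVE-2014-6271: an unpatched bash imports X as a function definition and runs
# the trailing command ("echo SHOCK") at startup; a patched bash ignores it.
check_cve_2014_6271() {
    out=$(env X='() { :; }; echo SHOCK' bash -c ':' 2>/dev/null)
    case "$out" in
        *SHOCK*) echo VULNERABLE ;;
        *)       echo patched ;;
    esac
}

# CVE-2014-7169: after the first patch, a malformed definition could leave the
# parser in a redirection state, so "echo date" became "> echo date" and a file
# named "echo" appeared in the working directory. The check runs in a scratch
# directory and looks for that file; a fully patched bash never creates it.
check_cve_2014_7169() {
    dir=$(mktemp -d) || return 1
    ( cd "$dir" && env X='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$dir/echo" ]; then
        result=VULNERABLE
    else
        result=patched
    fi
    rm -rf "$dir"
    echo "$result"
}

# Exit status 0 only when both fixes are present; usable from other scripts.
shellshock_patched() {
    [ "$(check_cve_2014_6271)" = patched ] && [ "$(check_cve_2014_7169)" = patched ]
}

# Human-readable summary.
shellshock_status() {
    printf 'CVE-2014-6271: %s\nCVE-2014-7169: %s\n' \
        "$(check_cve_2014_6271)" "$(check_cve_2014_7169)"
}

shellshock_status
```

If bash is not installed at all, both checks report "patched" because there is nothing to test; confirm with `command -v bash` first on systems where that matters.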
Common Vulnerabilities and Exposures (CVE) IDs
Due to the ongoing discovery of subsequent ShellShock vulnerabilities across multiple products and operating systems, please identify your vendors' security notices and patches as they relate to each CVE vulnerability announcement below: