CVE-2014-6271: Severe Bash Vulnerability Disclosed
Posted by Brent S. on 25 September 2014 12:40 PM
A major vulnerability in the Bash shell was disclosed yesterday.
This vulnerability may impact many websites, content management systems, web applications and web server platforms. Any shell execution or shell function that is performed by a web application, including the storage of request data in environment variables, may present an attack vector that allows the execution of arbitrary code.
What this means:
Systems that provide web hosting in any form and have not updated their version of ‘bash’ may allow remote attackers to upload files, execute arbitrary commands, capture sensitive data, generate spam and more.
This vulnerability was announced yesterday and the community has not had time to research the impact this has on individual products, but this may turn out to be one of the most significant vulnerabilities reported this year. You will likely start hearing about it in mainstream press as the week progresses.
What to do:
If you're currently subscribed to one of our server administration plans, our staff is already hard at work updating the version of 'bash' to keep your server up-to-date. There should be no interruption to service for any customer while this upgrade is happening.
Otherwise, if you are the administrator of a Linux server, update your version of ‘bash’ to a patched version immediately.
For example, an update for Ubuntu has already been released. If you are running Ubuntu, executing ‘apt-get update’ and then ‘apt-get upgrade’ without quotes should fix the issue for you.
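To confirm that the update took effect, the behaviour of the installed ‘bash’ can be tested directly on the server. The script below is an added example, not part of the original post or of Touch Support's tooling; the marker string, the function names and the list of paths it scans are assumptions made for the example.

```shell
#!/bin/sh
# Added example: local post-update check for CVE-2014-6271.
# MARKER and all function names are choices made for this example.
MARKER="cve-2014-6271-marker"

# classify OUTPUT: 0 = patched, 1 = vulnerable, 2 = inconclusive.
classify() {
    case $1 in
        *"$MARKER"*) return 1 ;;   # trailing command ran during import
        *probe-ran*) return 0 ;;   # only the -c command ran
        *)           return 2 ;;
    esac
}

# check_bash BIN: run BIN with a function-style environment variable whose
# value ends in a harmless echo. A vulnerable bash executes that echo while
# importing the variable; a patched bash does not.
check_bash() {
    [ -x "$1" ] || return 2
    out=$(env "probe=() { :;}; echo $MARKER" "$1" -c 'echo probe-ran' 2>/dev/null) || true
    classify "$out"
}

# report BIN: print one status line for BIN.
report() {
    rc=0
    check_bash "$1" || rc=$?
    case $rc in
        0) echo "$1: patched against CVE-2014-6271" ;;
        1) echo "$1: VULNERABLE, update bash" ;;
        *) echo "$1: could not be tested" ;;
    esac
}

# scan: test each bash found in the usual locations (assumed paths).
scan() {
    for b in /bin/bash /usr/bin/bash /usr/local/bin/bash; do
        if [ -x "$b" ]; then report "$b"; fi
    done
}

scan
```

Run it again after the upgrade; a binary still reported as vulnerable means the package was not updated or a second copy of ‘bash’ is installed at that path.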
The Touch Support difference:
We install a unique set of tools onto your server(s) when you sign up for one of our server administration plans.
When these types of vulnerabilities arise, our team quickly identifies them and develops a plan to keep your data safe, which typically includes software updates that are rolled out to all affected servers. Then, we check to make sure they are no longer vulnerable. But, we don't stop there.
Our proprietary system administration tools are then updated to include a check for the specific vulnerability so that our administrators are instantly notified in the future if there is an issue.
For more information:
Please reference the following sites for additional details: