Bash and Shellshock: two words that are likely on your radar right now. Bash stands for Bourne-Again SHell; in the simplest terms, it is a computer program that lets users type commands and then executes them. Shellshock is the nickname for a bug in Bash, a command-line interpreter also known as a shell.
The quarter-century-old security flaw allows malicious code to be executed within the Bash shell (commonly accessed through Command Prompt on PC or Mac's Terminal application), letting an attacker take over an operating system and access confidential information. The Bash shell can also be found on many other systems, from Windows to Android. However, it is not installed and/or used by default on these systems.
Like Heartbleed, the bug may affect a broad range of systems -- including Apache servers, web servers running CGI scripts, and embedded systems in everything from control systems to medical devices to digital cameras. As Fulcrum Company President, Steve Meek, observes, "the main concern area with this vulnerability isn't our PCs and daily systems, but rather the hardware and appliances on our networks that we walk past every day without much thought."
Here are some additional resources we hope you'll find helpful:
VENDOR LINKS
Where some common tech vendors currently stand in their remediation:
Most Common Vendors
Vendor | Status | Where To Go For More Info |
Cisco | Some products vulnerable but several already patched. More details at link. | Cisco Security Advisory |
Dell | Products under investigation and listed with status and recommended actions. | Dell Bash Bug Remediation Statement for Products Affected, and Not Affected |
Microsoft | Most Microsoft software doesn't use Bash, so users running Windows PCs, people with Windows phones, as well as websites built using Microsoft software, are probably safe from these attacks. | N/A |
Sonicwall | Firewalls not affected. | Dell Knowledge Base Article |
VMWare | Previous ESX has issues but most ESXi have available patches. |
Other Vendors
Vendor | Status | Where To Go For More Info |
Android | Most Android phones ship with a competitor shell that, so far, does not appear to be vulnerable. | N/A |
Apple | All of Apple's recent Mac computers are now safe. The move followed a statement by Apple late last week that most Mac users were safe from the security flaw, but it was "working to quickly provide a software update for our advanced UNIX users." In addition, Apple confirmed that iOS isn't affected because it doesn't have a shell that can be controlled by users. | Apple Support |
DLink | D-Link is currently investigating its product lines and will continue to update information. As of September 24, 2014, D-Link consumer wired/wireless routers and wired/wireless network cameras do not utilize the Bash command shell. | DLink Security Advisory |
Fortinet | FortiOS does not use the Bash shell. | Fortinet Blog |
Linksys | BusyBox shell is what is used in Linksys routers and that shell is not affected. | Linksys Support Community |
McAfee | Several McAfee products are vulnerable to the Bash/Shellshock vulnerability. | McAfee Security Bulletin |
Netgear | | Netgear Support Discussion Board |
Ruckus | | Ruckus Security Information |
Switchvox | A Switchvox update that addresses this issue has been released in limited production. Please contact technical support for access to the limited production update. The update will be available to all Switchvox systems as soon as possible. Digium Gateways are NOT affected by this bug and no action is required. | Digium FAQ |
Symantec | No known products affected. | Symantec Blog |
LINUX Vendors
Vendor | Status | Where To Go For More Info |
CentOS | Fix issued Wed., 9/24 | |
Debian | Problem has been fixed in version 4.2+dfsg-0.1+deb7u1 | Debian Security Advisory |
Novell/SUSE | The original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix | Novell Security Advisory |
Red Hat | Various remediation steps are noted in an announcement in the customer portal. | Red Hat Security Announcement |
Ubuntu | In general, a standard system update will make all the necessary changes. | Ubuntu Security Notice |
Other Resources For You:
ZDNet has a very thorough FAQ on Bash/Shellshock, here.
Two good articles from Information Week, Making Sense of Shellshock Attack Chaos and Bash Bug May Be Worse Than Heartbleed.