Bash/Shellshock Resources For You

October 2nd, 2014

Bash and Shellshock - two words likely currently somewhere on your radar. Bash stands for Bourne-Again SHell. In simplest terms, it is a computer program that allows users to type commands and then executes them. Shellshock is a nickname for a bug in the Bash (Bourne Again SHell) command-line interpreter, also known as a shell.

The quarter-century-old security flaw allows malicious code execution within the bash shell (commonly accessed through Command Prompt on PC or Mac's Terminal application) to take over an operating system and access confidential information. The Bash shell can also be found on many other systems, from Windows to Android. However, it is not installed and/or used by default on these systems.

Like Heartbleed, the bug may affect a broad range of systems -- including Apache servers, web servers running CGI scripts, and embedded systems in everything from control systems to medical devices to digital cameras. As Fulcrum Company President, Steve Meek, observes, "the main concern area with this vulnerability isn’t our PCs and daily systems, but rather the hardware and appliances on our networks that we walk past every day without much thought."

 

Here are some additional resources we hope you'll find helpful:

 

VENDOR LINKS

Where some common tech vendors currently stand in their remediation:

 

Most Common Vendors

 

| Vendor | Status | Where To Go For More Info |
|---|---|---|
| Cisco | Some products vulnerable but several already patched. More details at link. | Cisco Security Advisory |
| Dell | Products under investigation and listed with status and recommended actions. | Dell Bash Bug Remediation Statement for Products Affected, and Not Affected; Alert with Updates |
| Microsoft | Most Microsoft software doesn't use Bash, so users running Windows PCs, people with Windows phones, as well as websites built using Microsoft software, are probably safe from these attacks. | N/A |
| Sonicwall | Firewalls not affected. | Dell Knowledge Base Article |
| VMWare | Previous ESX has issues but most ESXi have available patches. | VMWare Knowledge Base |

 

 

Other Vendors

 

| Vendor | Status | Where To Go For More Info |
|---|---|---|
| Android | Most Android phones ship with a competitor shell that, so far, does not appear to be vulnerable. | N/A |
| Apple | All of Apple's recent Mac computers are now safe. The move followed a statement by Apple late last week that most Mac users were safe from the security flaw, but it was "working to quickly provide a software update for our advanced UNIX users." In addition, Apple confirmed that iOS isn’t affected because it doesn’t have a shell that can be controlled by users. | Apple Support |
| DLink | D-Link is currently investigating its product-lines and will continue to update information. As of September 24, 2014, D-Link consumer wired/wireless routers and wired/wireless network cameras do not utilize the Bash command shell. | DLink Security Advisory |
| Fortinet | FortiOS does not use the Bash shell. | Fortinet Blog |
| Linksys | BusyBox shell is what is used in Linksys routers and that shell is not affected. | Linksys Support Community |
| McAfee | Several McAfee products are vulnerable to the Bash/Shellshock vulnerability. | McAfee Security Bulletin |
| Netgear | | Netgear Support Discussion Board |
| Ruckus | | Ruckus Security Information |
| Switchvox | A Switchvox update that addresses this issue has been released in limited production. Please contact technical support for access to the limited production update. The update will be available to all Switchvox systems as soon as possible. Digium Gateways are NOT affected by this bug and no action is required. | Digium FAQ |
| Symantec | No known products affected. | Symantec Blog |

 

 

LINUX Vendors

 

| Vendor | Status | Where To Go For More Info |
|---|---|---|
| CentOS | Fix issued Wed., 9/24 | CentOS Now Blog |
| Debian | Problem has been fixed in version 4.2+dfsg-0.1+deb7u1 | Debian Security Advisory |
| Novell/SUSE | The original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. | Novell Security Advisory |
| Red Hat | Various remediation steps are noted through the announcement in the customer portal. | Red Hat Security Announcement |
| Ubuntu | In general, a standard system update will make all the necessary changes. | Ubuntu Security Notice |

 

 

 

Other Resources For You:

ZDNet has a very thorough FAQ on Bash/Shellshock, here.

Two good articles from Information Week, Making Sense of Shellshock Attack Chaos and Bash Bug May Be Worse Than Heartbleed.