ALERT: Updated IIA Advisory - Remote code execution through bash (CVE-2014-6271, CVE-2014-7169)

Friday, October 17, 2014

10/17/14 update: 
100% of ITS-managed servers and components have been patched or secured to prevent exploitation.


10/3/14 update: 
For a good technical summary of the bash vulnerabilities and how patches were developed to mitigate them, see this blog post: Bash bug: the other two RCEs, or how we chipped away at the original fix (CVE-2014-6277 and '78) (lcamtuf's blog, 10/1/14)


9/30/14 update: 
Apple has released patches for OS X:

MiWorkspace users should wait for the update package to appear in Managed Software Center.


The information below was sent to the U-M IT Security Community and other IT staff groups September 29, 2014.

This is an update to the IIA Advisory you received last week about the Shellshock Bash Bug: 
http://safecomputing.umich.edu/Alerts/09.24.14bash.php

Summary

Bash maintainers have released patches in response to the Bash vulnerabilities (CVE-2014-6271 and CVE-2014-7169) as of 9/28/14. At this time, a final patch for Red Hat Linux servers has not yet been released.

Action Items

Monitor vendors for associated updates and apply appropriate patches to affected systems. Following patching, review logs on affected systems for anomalous behavior that may indicate potential compromise or exploitation. Any indications of potential exploitation should be reported to Information and Infrastructure Assurance (IIA) at [email protected] for further evaluation. Additionally, if you have systems that cannot be patched rapidly, please contact IIA to discuss alternate mitigation possibilities.
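The two checks a practitioner needs while working through the action items above are (1) whether a given bash binary is still exploitable and (2) whether web server logs show the Shellshock pattern. The script below is an added example, not part of the IIA advisory or any U-M tooling. It assumes `bash` is on PATH (point it at the interpreter your CGI or cron jobs actually use if that differs), that web logs are in Apache combined format, and that the three log lines it writes are constructed samples using documentation IP ranges rather than real traffic; the function names are the example's own. The CVE-2014-6271 check only echoes a word, and the CVE-2014-7169 check only looks for a stray `echo` file in a temporary directory, so neither does anything harmful on a vulnerable host.

```shell
#!/bin/sh
# Added example (not from the advisory): local Shellshock checks plus a log scan.

# CVE-2014-6271: a vulnerable bash keeps parsing past the function body in an
# exported variable and runs the trailing "echo vulnerable". Returns 0 (true)
# if the bash on PATH is vulnerable, 1 otherwise (also 1 if bash is absent).
bash_vulnerable_6271() {
  out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
  case "$out" in
    *vulnerable*) return 0 ;;
    *)            return 1 ;;
  esac
}

# CVE-2014-7169: the incomplete first fix left a parser bug that turns
# "echo date" into a redirection, creating a file named "echo" in the current
# directory. Run it inside a scratch directory and look for that file.
bash_vulnerable_7169() {
  tmp=$(mktemp -d) || return 1
  ( cd "$tmp" && env X='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1 )
  if [ -f "$tmp/echo" ]; then
    rm -rf "$tmp"; return 0
  fi
  rm -rf "$tmp"; return 1
}

# Log review: count lines carrying the "() {" function-definition prefix that
# Shellshock probes put in headers (User-Agent, Referer, Cookie) or query
# strings, in raw or URL-encoded form. Prints the count; never fails the caller.
count_shellshock_hits() {
  grep -Eic '\(\) *\{|%28%29(%20| )*%7B' "$1" || true
}

# Print the matching lines so an analyst can look at the payloads and sources.
show_shellshock_hits() {
  grep -Ei '\(\) *\{|%28%29(%20| )*%7B' "$1" || true
}

# Constructed sample log (documentation IPs, harmless payloads) written to $1.
write_sample_log() {
  cat > "$1" <<'EOF'
203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
198.51.100.9 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2014:10:02:17 +0000] "GET /cgi-bin/test.cgi?x=%28%29%20%7B%20%3A%3B%7D%3B%20id HTTP/1.1" 500 0 "-" "curl/7.30.0"
EOF
}

# Stand-alone run: report on the local bash, then scan the sample log.
if bash_vulnerable_6271; then echo "CVE-2014-6271: VULNERABLE"; else echo "CVE-2014-6271: not vulnerable"; fi
if bash_vulnerable_7169; then echo "CVE-2014-7169: VULNERABLE"; else echo "CVE-2014-7169: not vulnerable"; fi
sample=$(mktemp)
write_sample_log "$sample"
echo "Shellshock-pattern requests in sample log: $(count_shellshock_hits "$sample")"
show_shellshock_hits "$sample"
rm -f "$sample"
```

Replace the sample file with a real access log (`count_shellshock_hits /var/log/httpd/access_log`) to review a host; a hit means someone sent the pattern, not that it executed, so correlate the source and timestamp with process or outbound-connection records before reporting it to IIA. A clean result from the two bash checks says nothing about other exposed parsers (DHCP clients, SSH ForceCommand, CUPS) that also hand environment variables to bash, so patching remains the only complete fix.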

Information for Users

ITS is actively patching affected ITS-managed servers. Future Red Hat patch releases will be tested and applied when they become available.

References