
Kim, this was sent out last night from the IT Services Support desk:



From: IT Services Support Desk [mailto:[log in to unmask]]

Sent: Thursday, September 25, 2014 3:22 PM

To: [log in to unmask]

Subject: ShellShock Bug



On September 24, we became aware of a new vulnerability referred to as the Bash Shellshock Bug. This should be treated as seriously as Heartbleed (http://heartbleed.com/).



The ShellShock vulnerability affects Apache web servers and is vulnerable to remote code execution. Working exploits have been released to the public.



A majority of web servers throughout the world running Apache are currently vulnerable to this new exploit. The exploit allows Administrator privileges on an affected system. Vendors are currently releasing patches, and some MSU teams have already begun patching. Please be aware that not all vendors have released patches yet, and additional patching may be necessary throughout the weeks to come.



Details are posted on the National Institute of Technology's (NIST) CVE-2014-6271 website, at https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271



A list of affected packages can be found here: https://access.redhat.com/articles/1200223



Known Vulnerable Operating Systems:

* Mac OSX
* Ubuntu
* Red Hat/Fedora
* CentOS
* Mint



MSU Information Security recommends the following steps be taken immediately by all MSU IT teams:

1. Enumerate any devices that may be running Apache, especially focusing upon those with Operating Systems as outlined above.

2. Patch all potentially vulnerable systems immediately. Note: Not all vendors have released patches yet, so it is advisable that teams keep a list of those devices with services that have not yet been patched and continually check for patches until all services are secured.

3. The exploits may be used to upload malware to the web servers. Information Security recommends ensuring antivirus software is installed and updating virus definitions daily for all potentially affected systems.



If you should require assistance for any reason or have any additional questions, please contact the IT Services Support Desk at (517) 432-6200 or via email at [log in to unmask]



Thank you,

MSU Information Security





-----Original Message-----
From: Stehouwer, Matt [mailto:[log in to unmask]]
Sent: Friday, September 26, 2014 10:31 AM
To: [log in to unmask]
Subject: Re: [MSUNAG] Shellshock



Take a look at this http://www.zdnet.com/shellshock-how-to-protect-your-unix-linux-and-mac-servers-7000034072/?s_cid=e539&ttag=e539&ftag=TRE17cfd61





Matt Stehouwer

Technology Manager

Michigan State University

College of Natural Science Deans Office

288 Farm Lane RM 154

East Lansing, MI 48824

517 355-9003 | Email: [log in to unmask]

Linked-In: http://www.linkedin.com/in/mattstehouwer/





-----Original Message-----

From: Kim Geiger [mailto:[log in to unmask]]

Sent: Friday, September 26, 2014 10:22 AM

To: [log in to unmask]

Subject: [MSUNAG] Shellshock



If it's so all-fired important, how come I can't find anything about it at MSU.edu?



Anyway, I'm getting conflicting information from things I'm reading (apocalyptic) versus vendors who are telling me that I don't need to patch because the machine isn't running Apache.



Is anyone else dealing with this? Does anyone care to offer an opinion?



--

Kim Geiger

WKAR Radio & Television, WKAR.org

East Lansing, Michigan

517-884-4766