Kim, this was sent out last night from the IT Services Support desk:
From: IT Services Support Desk [mailto:[log in to unmask]]
Sent: Thursday, September 25, 2014 3:22 PM
Subject: ShellShock Bug
On September 24, we became aware of a new vulnerability referred to as the Bash Shellshock Bug. This should be treated as seriously as Heartbleed (http://heartbleed.com/).
The ShellShock vulnerability affects Apache web servers and is vulnerable to remote code execution. Working exploits have been released to the public.
A majority of web servers throughout the world running Apache are currently vulnerable to this new exploit. The exploit allows Administrator privileges on an affected system. Vendors are currently releasing patches, and some MSU teams have already begun patching. Please be aware that not all vendors have released patches yet, and additional patching may be necessary throughout the weeks to come.
Details are posted on the National Institute of Technology’s (NIST) CVE-2014-6271 website, at https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
A list of affected packages can be found here: https://access.redhat.com/articles/1200223
Known Vulnerable Operating Systems:
• Mac OSX
• Ubuntu
• Red Hat/Fedora
• CentOS
• Mint
MSU Information Security recommends the following steps be taken immediately by all MSU IT teams:
1. Enumerate any devices that may be running Apache, especially focusing upon those with Operating Systems as outlined above.
2. Patch all potentially vulnerable systems immediately. Note: Not all vendors have released patches yet, so it is advisable that teams keep a list of those devices with services that have not yet been patched and continually check for patches until all services are secured.
3. The exploits may be used to upload malware to the web servers. Information Security recommends ensuring antivirus software is installed and updating virus definitions daily for all potentially affected systems.
If you should require assistance for any reason or have any additional questions, please contact the IT Services Support Desk at (517) 432-6200 or via email at [log in to unmask]
Thank you,
MSU Information Security
-----Original Message-----
From: Stehouwer, Matt [mailto:[log in to unmask]]
Sent: Friday, September 26, 2014 10:31 AM
To: [log in to unmask]
Subject: Re: [MSUNAG] Shellshock
Take a look at this
http://www.zdnet.com/shellshock-how-to-protect-your-unix-linux-and-mac-servers-7000034072/?s_cid=e539&ttag=e539&ftag=TRE17cfd61
Matt Stehouwer
Technology Manager
Michigan State University
College of Natural Science Deans Office
288 Farm Lane RM 154
East Lansing, MI 48824
517 355-9003 | Email: [log in to unmask]
Linked-In: www.linkedin.com/in/mattstehouwer/
-----Original Message-----
From: Kim Geiger [mailto:[log in to unmask]]
Sent: Friday, September 26, 2014 10:22 AM
Subject: [MSUNAG] Shellshock
If it's so all-fired important, how come I can't find anything about it at MSU.edu?
Anyway, I'm getting conflicting information from things I'm reading (apocalyptic) versus vendors who are telling me that I don't need to patch because the machine isn't running Apache.
Is anyone else dealing with this? Does anyone care to offer an opinion?
--
Kim Geiger
WKAR Radio & Television, WKAR.org
East Lansing, Michigan
517-884-4766