Last week a serious vulnerability was announced affecting Unix- and Linux-based systems. This vulnerability, known as the “Shell Shock Bug,” affects the Bash script interpreter found on many of these systems (including Mac OS). Officially referenced in CVE-2014-6271, it is rated 10 out of 10 on the severity scale by the NIST Vulnerability Database, as it allows the remote execution of arbitrary code and is a high-impact, low-complexity attack.
At PDHI, we take security very seriously and will continue to protect our clients’ data using the highest security standards. We have taken the following steps to address issues raised by Shell Shock.
- We reviewed all of the systems responsible for maintaining client information and confirmed that we do not use any Unix- or Linux-based servers, and so are not directly affected by the vulnerability.
- LightEdge Solutions, our data center vendor, has confirmed that Linux is used internally for some deployment automation, but that these systems are in a private network space that is not directly internet-accessible, representing a low risk. LightEdge Solutions has a mitigation plan to patch the systems that could be affected.
For further information about the Shell Shock vulnerability, we recommend:
- National Cyber Awareness System – CVE-2014-6271