European security researcher Stéphane Chazelas has discovered a critical vulnerability in the command-line shell known as Bash, or GNU Bourne-again Shell, the most widely deployed shell for Unix-based systems. The bug allows arbitrary, injected code to be executed as part of the assignment of environment variables. While Bash is deployed in many systems, including Linux, Debian, Ubuntu, Mac OS X, Android, and has even been ported to Windows, not all Bash implementations are vulnerable/exposed.
There is already a lot of media attention on the size and scope of this threat. The distinction between vulnerable hosts and truly exposed hosts becomes critical in this scenario. There are numerous variables required for exploitation to be successful. Our research teams are diligently analyzing the finer points of this threat and as more detail becomes available (and confirmed), it will be communicated quickly and clearly. At this time, we recommend following the guidance of affected vendors around the application of available patches and updates.
Critically exposed systems include, but are not limited to, those providing shells to remote users, parsing of CGI scripts, or executing remote commands.
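One way to triage the CGI exposure case described above, as an added example that is not McAfee's code or product signature logic: a Python scan of Apache combined-format access logs for logged header values that begin like a Bash function definition (`() {`). The log lines, addresses, and the CGI path heuristic are constructed assumptions.

```python
import re

# Apache "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
QUOTED = r'"((?:[^"\\]|\\.)*)"'  # quoted field; Apache escapes embedded quotes
COMBINED = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED + r' \d{3} \S+ '
    + QUOTED + ' ' + QUOTED + r'$'
)
# A value that starts like a Bash function definition: "()" followed by "{".
FUNC_PREFIX = re.compile(r'^\s*\(\s*\)\s*\{')


def scan(lines):
    """Return (line_no, host, field, is_cgi) for each suspicious logged header."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = COMBINED.match(line.strip())
        if not m:
            continue  # not combined format; skip rather than guess
        host, request, referer, agent = m.groups()
        parts = request.split()
        path = parts[1] if len(parts) >= 2 else ""
        # Assumed heuristic: CGI handlers live under /cgi-bin/ or end in .cgi.
        is_cgi = path.startswith("/cgi-bin/") or path.split("?")[0].endswith(".cgi")
        for field, value in (("referer", referer), ("agent", agent)):
            if FUNC_PREFIX.match(value):
                hits.append((n, host, field, is_cgi))
    return hits


# Constructed sample log lines (documentation address ranges, inert values).
SAMPLE = [
    '192.0.2.10 - - [25/Sep/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [25/Sep/2014:10:00:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 90 "-" "() { x; }; constructed-sample"',
    '203.0.113.4 - - [25/Sep/2014:10:00:09 +0000] "GET /about.html HTTP/1.0" 200 300 "() { x; }; constructed-sample" "curl/7.30.0"',
    '192.0.2.11 - - [25/Sep/2014:10:00:12 +0000] "GET /docs HTTP/1.1" 200 100 "-" "Agent (beta) {test}"',
]

if __name__ == "__main__":
    for line_no, host, field, is_cgi in scan(SAMPLE):
        priority = "CGI path, review first" if is_cgi else "non-CGI path"
        print(f"line {line_no}: {host} sent function-like {field} ({priority})")
```

The combined format records only the Referer and User-Agent headers, so a clean scan does not show that no other request header carried such a value.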
How we’re addressing the problem
Several McAfee products/technologies have been updated to address or mitigate this issue. Please continue to watch this location, as this list will be continually updated as our analysis progresses.
- McAfee Network Security Platform – Coverage for Apache CGI and SSH is released.
- McAfee AV Engines – Coverage Released Today in DAT 7573
- McAfee Host Intrusion Prevention – Coverage exists on Linux and Solaris endpoints (Apache CGI). Further signatures will be included in an upcoming release.
How are McAfee / Intel Security Products Affected?
The following security bulletin was just released by McAfee’s PSIRT team. This document will be updated regularly, so please check back for further information.
What should users do?
Many Unix distributions have patches already available, and others will be available soon. Vulnerable systems should be patched as soon as possible, according to guidance from affected vendors/products.
To read details on the technical aspects of the Bash Bug see blog here: http://securingtomorrow.mcafee.com/mcafee-labs/dealing-bash-bug-2