What You Need to Know About the Bash Bug
As a follow-up to our blog last week, here’s everything you need to know about the Bash Bug vulnerability, including what it is and how it can be exploited.
3 October 2014
Last week we shared news about the Bash Bug vulnerability. As a follow-up to that blog, here’s everything you need to know about the Bash Bug.
What is Bash Bug?
Bash Bug (or Shellshock) is a vulnerability that exists in the Bash command shell, a commonly used application in many Unix-based systems, including those running Mac OS X or Linux. The Bash Bug could theoretically permit a hacker to steal information or load malware on a system if exploited effectively.
How can Bash Bug be exploited?
The vulnerability can only be exploited if an attacker successfully makes an application send a malicious environment variable to Bash. This is typically done through Web servers using a Common Gateway Interface. In this way, a hacker can direct a malicious environment variable to a Web server that is vulnerable.
Additionally, Linux-based routers that have a Web interface using a Common Gateway Interface can be exploited through a malicious command to the router. Computers running Mac OS X are also vulnerable and could possibly be exploited through Secure Shell.
If an attack is successful, hackers can dump files or malware on infected computers and compromise a network.
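As an added illustration of the CGI path described above (not part of the original post and not Intralinks code): a CGI server copies each request header into an environment variable named HTTP_<HEADER>, and vulnerable Bash versions treat a value that begins with `() {` as a function definition. The Python script below scans Web server access-log lines for that prefix; the function names and the sample log lines are constructed for this example.

```python
import re

# CGI passes each request header to the handler as an environment variable
# named HTTP_<HEADER>; this is how client-supplied text reaches Bash.
def cgi_env_name(header):
    return "HTTP_" + header.upper().replace("-", "_")

# Vulnerable Bash versions treat a value that begins with "() {" as a function
# definition. The pattern also accepts whitespace variants so near-miss probes
# are flagged for review as well.
FUNC_PREFIX = re.compile(r"^\s*\(\s*\)\s*\{")

def suspicious_headers(headers):
    """Return CGI variable names whose values start like a function definition."""
    return sorted(cgi_env_name(k) for k, v in headers.items()
                  if FUNC_PREFIX.search(v))

# Combined Log Format: ip - user [time] "request" status bytes "referer" "agent"
# Quoted fields may contain backslash-escaped quotes, so allow for them.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d{3} \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

def scan_access_log(lines):
    """Return (line_no, client_ip, request, flagged_vars) for each hit."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        m = LOG_LINE.match(line)
        if not m:
            continue  # not Combined Log Format; skipped by this example
        flagged = suspicious_headers(
            {"Referer": m["referer"], "User-Agent": m["agent"]})
        if flagged:
            hits.append((line_no, m["ip"], m["request"], flagged))
    return hits

# Constructed sample log lines (documentation IP ranges, harmless echo).
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Oct/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "ExampleBrowser/1.0"',
    '198.51.100.7 - - [03/Oct/2014:10:00:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 0 "-" "() { :; }; echo constructed-sample"',
    '203.0.113.4 - - [03/Oct/2014:10:00:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 87 "() { ignored; }; echo constructed-sample" "ExampleClient/1.0"',
    '192.0.2.10 - - [03/Oct/2014:10:00:12 +0000] "GET /docs/f() HTTP/1.1" 404 0 "-" "notes about () { syntax"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

Only the Referer and User-Agent headers appear in this log format, so a value carried in any other header would not show up in this scan and needs a different log source.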
For Intralinks Customers
- Was customer data on the Intralinks Platform vulnerable? To date, we’ve determined that all Internet-accessible systems containing customer data are not vulnerable.
- As a customer, are there any steps I need to take to safeguard my data because of the Bash Bug? Customers do not need to take any action at this time.
- What preventative measures were taken? Although Internet-accessible systems containing customer data were not at risk from the Bash Bug, we’ve nevertheless taken precautionary steps to prevent attack traffic from reaching the Intralinks Platform. As a preventative step, we have identified and patched any instances of Bash on Internet-accessible systems.
- Were any of Intralinks’ solution partners vulnerable, and did this place customer data at risk? Our external content distribution provider was vulnerable to the Bash Bug. However, they have informed us that they completed all patching to their systems prior to the public announcement of the vulnerability. To the best of our knowledge, customer data was not at risk due to the Bash Bug.
- Are any of Intralinks’ systems that process client data or transactions, or perimeter systems that protect internal systems affected by the Bash Bug? To the best of our knowledge, the Intralinks systems that process client data and transactions were not at risk due to the Bash Bug. All data passing through perimeter systems is encrypted and therefore also not at risk. Though the servers that support the Intralinks Platform have BASH installed, and all instances of BASH globally were vulnerable to the Shellshock attack, the Shellshock vulnerability was never exploitable on the Intralinks Platform. Intralinks can state this definitively because the Intralinks Platform does not use BASH scripts as a part of the web interface.
- Does Intralinks have any confirmed breaches regarding the Bash Bug? To the best of our knowledge, there have been no suspected or confirmed breaches of the Intralinks environment.
- Is Intralinks continuing to take steps to investigate whether the Bash Bug is an issue? Intralinks has already performed a thorough review of our systems and infrastructure to understand if there were vulnerabilities to the Bash Bug. To date, we’ve found no issues in our servers. Out of an abundance of caution, we’ve taken steps to patch and mitigate all Internet-accessible systems. We will continue to monitor this issue, but at this time we don’t anticipate a change to the current status.
For Non-Intralinks Customers
This is a critical vulnerability, one that has serious consequences if you’re affected. If you think that Bash Bug has put your company at risk, take steps today to protect your information. Apply patches as soon as possible to reduce your organization’s risk of being compromised.
Mushegh Hakhinian represents Intralinks at the Cloud Security Alliance SME Council, is a certified information systems security professional, and is a frequent contributor to industry publications. Prior to joining Intralinks, Mr. Hakhinian led security functions at a multi-tenant online banking service provider and an international bank.