IMPORTANT ANNOUNCEMENT: This website was decommissioned on July 18, 2022

Posted on July 18, 2022

This site is no longer being updated with new postings. Please visit the UBC IT Status Page at https://status.it.ubc.ca for any new status updates and incident notifications. For operational status of our enterprise-level services, users can now subscribe in multiple ways that now includes push notifications:

  • Email
  • SMS
  • Slack integration
  • Twitter
  • Webhooks
  • RSS feed
  • Custom Embed via Status API

You will be redirected shortly to the Status Page or follow the link below to go there now.

Visit the UBC IT Status Page

 

IMPORTANT ANNOUNCEMENT: This website will be decommissioned on July 18, 2022

Posted on June 20, 2022

The UBC IT Bulletins site will no longer be updated on July 18, 2022 and users will need to visit its replacement, the UBC IT Status Page at https://status.it.ubc.ca, where they can view or subscribe to status updates and incident notifications.

UBC IT Bulletins was kept as a legacy site in order to temporarily maintain RSS feeds and intended to provide users time to switch their subscriptions to the Status Page channels.

Before the decommission date of July 18, 2022, we recommend visitors go to https://status.it.ubc.ca to begin subscribing to the new notifications the Status Page has to offer. For our enterprise-level services, users can now subscribe in multiple ways that now include customizable push notifications:

  • SMS messaging
  • Email notifications
  • Webhooks
  • Twitter feed
  • A general RSS feed
  • Custom Slack notifications
  • Custom embed code via an API

Visit the UBC IT Status Page

“Shellshock” Bash Code Injection Vulnerability

By admin on September 25, 2014

A critical vulnerability has been reported in the GNU Bourne Again Shell (Bash), the common command-line shell used in most Linux/UNIX operating systems and Apple’s Mac OS X. The vulnerability could allow an attacker to remotely execute shell commands by attaching malicious code in environment variables used by the operating system. For more information about this vulnerability, please see:

Risk

High

Impacted Systems

  • Any Linux–based systems (e.g. Red Hat, Ubuntu, Debian) running Bash 4.3 and below
  • Any Unix or Unix variant (e.g. Solaris, FreeBSD) running Bash 4.3 and below
  • Any appliances running Bash 4.3 and below
  • Majority of Mac laptops and desktops

Non-Impacted Systems

  • Microsoft Windows operating systems
  • Cisco Networking devices (e.g. Switches, Routers, Firewalls)

Recommendation

Apply the patches provided by corresponding system vendors

  • All major vendors have already released patches for this vulnerability
  • Most patches do not need a reboot

The patches are cumulitive; applying the latest patch covers the vulnerability fixes included in previous patches.

  • CVE-2014-6271: Published on Sept 24. First advisory regarding bash vulnerability
  • CVE-2014-7169: Published on Sept 24. Addressed the incomplete fix for CVE-2014-6271
  • CVE-2014-6277: Published on Sept 27. Addressed the incomplete fix for CVE-2014-6271 and CVE-2014-7169
  • CVE-2014-6278: Published on Sept 30. Addressed the incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277
  • CVE-2014-7186: Published on Sept 28. Results in memory corruption
  • CVE-2014-7187: Published on Sept 28. Not considered to cause any security impact

The following Red Hat page contains the latest links to the CVE, https://access.redhat.com/announcements/1210053.

Vulnerability Checking

  • Nessus has released a plugin to check for this vulnerability
  • The vulnerability may be checked manually by executing the following at the Bash command:
    If upon running the test below and you receive the following response (in bold), the system is vulnerable:
    $ env ls='() { echo Vulnerable; }' bash -c ls
    Vulnerable

    After applying the patch, you should receive the following response (in bold):
    $ env ls='() { echo Vulnerable; }' bash -c ls
    Desktop Downloads Pictures Videos Documents Music Public

Exploits

Publicly available exploits are starting to surface

Attack Vectors

The following are the primary attack vectors:

  • SSH
  • ForceCommand feature in OpenSSH sshd
  • mod_cgi and mod_cgid modules in the Apache HTTP Server
  • scripts executed by unspecified DHCP clients

Useful Links

NIST: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169

US-CERT: https://www.us-cert.gov/ncas/current-activity/2014/09/24/Bourne-Again-Shell-Bash-Remote-Code-Execution-Vulnerability

Further information about the Shellshock bug can be found on the IT website, including information specific to the UBC community at large: http://it.ubc.ca/bash-vulnerability-shellshock-exploit.

Disclaimer

This advisory was released shortly after the public announcement of the vulnerability. New facts are expected to surface shortly.

Posted in

Visit the UBC IT Website

Archives

RSS Feeds