FNAL Critical Vulnerability - Bourne Again Shell (Bash) Remote Code Execution Vulnerability

Effective Date: Sep 26 2014
Product: Bourne Again Shell (Bash) through 4.3
Platform: Linux, Mac OS X

The Bourne Again Shell (Bash) contains a bug affecting Unix-based operating systems (e.g., Linux, Mac OS X). This bug may be exploited to execute arbitrary code on an affected system. An affected system may be vulnerable remotely if it runs a service whose environment a remote party can craft. Examples include CGI scripts on a web server, environment values in CUPS or Postfix, scripts executed by unspecified DHCP clients, and the ForceCommand feature in OpenSSH.

If an affected service, as described above, is exposed to the Internet, the system must be patched by Sep 26, 2014. If it is internal (that is, accessible only from Fermilab), it must be patched by Oct 1, 2014.
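A local patch check for the flaw described above (CVE-2014-6271, per the Rapid7 reference), given here as an added example that is not part of the original advisory: it reports, for each installed bash binary, whether text placed after a function definition in an environment variable gets executed. The function names, the marker string and the candidate paths are assumptions; a "patched" result covers only this probe and does not replace installing the vendor erratum.

```shell
#!/bin/sh
# Added example: local check for the Bash environment-variable flaw.
# MARKER is a constructed string; it appears in output only if bash
# executed text taken from the environment.
MARKER="ENV_CODE_EXECUTED"

# shellshock_status BIN -> prints "missing", "vulnerable" or "patched"
shellshock_status() {
    bin=$1
    if [ ! -x "$bin" ]; then
        echo missing
        return 0
    fi
    # An unpatched bash runs the text that follows the function body while
    # importing the variable; a patched bash keeps the value as plain data.
    out=$(env "probe=() { :;}; echo $MARKER" "$bin" -c ':' 2>/dev/null) || true
    case "$out" in
        *"$MARKER"*) echo vulnerable ;;
        *)           echo patched ;;
    esac
}

# audit_bash [BIN...] -> one tab-separated line per binary found
# (status, path, version banner); returns 1 if any binary is vulnerable.
audit_bash() {
    rc=0
    # Candidate install paths (assumed defaults; pass your own as arguments).
    [ $# -gt 0 ] || set -- /bin/bash /usr/bin/bash /usr/local/bin/bash
    for b in "$@"; do
        st=$(shellshock_status "$b")
        if [ "$st" = missing ]; then
            continue
        fi
        ver=$("$b" --version 2>/dev/null | head -n 1)
        printf '%s\t%s\t%s\n' "$st" "$b" "$ver"
        if [ "$st" = vulnerable ]; then
            rc=1
        fi
    done
    return $rc
}

audit_bash "$@"
```

The non-zero return from `audit_bash` makes the script usable from a configuration-management or monitoring job that must flag hosts still awaiting the patch.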

Reference URLs:
http://www.scientificlinux.org/sl-errata/slsa-20141293-1/
https://community.rapid7.com/community/infosec/blog/2014/09/25/bash-ing-into-your-network-investigating-cve-2014-6271

For assistance contact servicedesk@fnal.gov.
Information compiled and maintained by Computer Security Team; last modified on Oct 5, 2012.
(Address comments about page to the Computer Security Team.)