“Shellshock” – Bash Bug Vulnerability Alert

UPDATE 2: New Shellshock vulnerabilities have been reported, as described on the Shellshock Wikipedia page. Dell is actively investigating, across our entire product base, the extent to which all of these vulnerabilities, including CVE-2014-6271, a publicly disclosed vulnerability in the Bash command line interpreter, might be present, and will be disclosing and remediating any issues as quickly as possible.

UPDATE 1: You can check for a particular product or application’s status on this remediation page.

Bash is the most widely used shell on Linux-based systems and is also the default shell in Mac OS X Panther (version 10.3) and later Mac OS versions. Vulnerable Bash versions continue to parse commands that follow a function definition, which is introduced by the '() {' characters. An attacker may use an arbitrary command to disclose sensitive system information, or to write files elsewhere on the server's file system (similar to a file upload vulnerability).

Successful exploitation of this vulnerability may allow an attacker to execute arbitrary commands in the context of the vulnerable HTTP CGI server. Used in conjunction with other attacks, an attacker may be able to completely compromise a system.
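As an added illustration (not Dell's code), the following sketch scans web server access logs for the '() {' prefix in client-controlled fields, which is one way to spot attempts against CGI endpoints. It assumes the Apache/nginx "combined" log format; the function name, sample lines, addresses and placeholder payloads are constructed for the example.

```python
import re
from urllib.parse import unquote

# Apache/nginx "combined" log format (assumed):
# ip ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>(?:[^"\\]|\\.)*)" '
    r'"(?P<agent>(?:[^"\\]|\\.)*)"$'
)
MARKER = r'\(\)\s*\{'                     # the '() {' function-definition prefix
# Vulnerable Bash only treats values that begin with the prefix as functions,
# so header values are matched at the start; the request line is searched whole.
HEADER_RE = re.compile(r'^\s*' + MARKER)
ANYWHERE_RE = re.compile(MARKER)

# Constructed sample lines (documentation-range IPs, placeholder payloads).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [25/Sep/2014:10:03:44 +0000] "GET /cgi-bin/status.cgi '
    'HTTP/1.1" 200 312 "-" "() { :;}; PLACEHOLDER_COMMAND"',
    '203.0.113.5 - - [25/Sep/2014:10:04:09 +0000] "GET /cgi-bin/test.cgi '
    'HTTP/1.0" 404 209 "() { ignored; }; PLACEHOLDER_COMMAND" "-"',
    '192.0.2.99 - - [25/Sep/2014:10:05:30 +0000] "GET /cgi-bin/search.cgi'
    '?q=%28%29%20%7B%20%3A%3B%7D%3B HTTP/1.1" 200 77 "-" "curl/7.30.0"',
]

def find_shellshock_probes(lines):
    """Return (line number, client IP, field, HTTP status) for each hit."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # not in combined format; skipped rather than guessed at
        for field in ("request", "referer", "agent"):
            raw = m.group(field)
            pattern = ANYWHERE_RE if field == "request" else HEADER_RE
            # Check the percent-decoded form too, so encoded attempts are not missed.
            if pattern.search(raw) or pattern.search(unquote(raw)):
                findings.append((lineno, m.group("ip"), field, m.group("status")))
    return findings

if __name__ == "__main__":
    for lineno, ip, field, status in find_shellshock_probes(SAMPLE_LOG):
        print(f"line {lineno}: {ip} sent '() {{' in {field} (HTTP {status})")
```

A hit shows only that a request carried the marker; whether the host was affected still depends on the installed Bash version and on whether the requested path actually invokes Bash.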

Dell recommends that clients using Linux and Mac OS X systems determine if their version of Bash is vulnerable, and immediately apply the security update to vulnerable systems. As of this publication, most major Linux distributions have released an update that may be applied using the distribution's package manager system. Windows-only environments that do not use Bash are not vulnerable to this exploit.

Dell has a long-standing commitment to design, build and ship secure products and quickly address instances when issues are discovered. Our highest priority is the protection of customer data and information. We take very seriously any issues that may impact the integrity of our products or customer security and privacy. We will continue to communicate with our customers in a transparent manner.

UPDATE 3: For information on these vulnerabilities, see CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187 on the NIST website.

About the Author: John McClurg