ShellShock Vulnerability
Security Level – Critical (Highest Importance)
Hello {$client_name}
{$client_first_name}, with the announcement of the security issue labelled “ShellShock”, we are releasing in-house patches to fix the issue. Most users will not be aware of this vulnerability yet, so here’s a breakdown of what it is and what can happen. Early estimates suggest some 500 million sites are affected.
The vulnerability is present in Bash up to and including version 4.3, and was discovered by Stephane Chazelas. It puts Apache web servers, in particular, at risk of compromise: CGI scripts that use or invoke Bash in any way – including any child processes spawned by the scripts – are vulnerable to remote-code injection. OpenSSH and some DHCP clients are also affected on machines that use Bash.
Ubuntu and other Debian-derived systems that use Dash exclusively are not at risk – Dash isn't vulnerable, but busted versions of Bash may well be present on the systems anyway.
"Holy cow. There are a lot of .mil and .gov sites that are going to get owned," security expert Kenn White said on Wednesday in reaction to the disclosed flaw.
The 22-year-old bug, dating back to version 1.13, lies in Bash's handling of environment variables: when assigning a function to a variable, trailing code in the function definition will be executed, leaving the door wide open for code-injection attacks. The vulnerability is exploitable remotely if code can be smuggled into environment variables sent over the network – and it's surprisingly easy to do so.
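A local check for the behaviour described above, added here as an example and not part of the original announcement or any vendor tooling: it starts a Bash binary with an environment variable whose value is a function definition followed by a harmless `echo`, and reports whether that trailing command ran. The function names, the variable name `probe` and the candidate paths are assumptions chosen for illustration; the check covers only this trailing-code behaviour.

```sh
#!/bin/sh
# Added example: test whether a Bash binary executes text that trails a
# function definition in an imported environment variable.

# classify MARKER OUTPUT -> prints vulnerable | patched | inconclusive
classify() {
    case $2 in
        *"$1"*)            echo vulnerable ;;    # trailing echo was executed
        *probe-finished*)  echo patched ;;       # only the -c command ran
        *)                 echo inconclusive ;;  # binary did not run cleanly
    esac
}

# check_bash [PATH] -> prints a verdict; exit status 0 only when patched
check_bash() {
    bin=${1:-$(command -v bash)}
    if [ -z "$bin" ] || [ ! -x "$bin" ]; then
        echo missing
        return 2
    fi
    # Per-run marker so the verdict cannot be confused with other output.
    marker="trailing-code-ran-$$"
    # "probe" (hypothetical name) holds a no-op function definition plus a
    # harmless echo. env -i gives the child a clean environment, so the
    # probe variable is the only thing Bash imports at startup.
    out=$(env -i probe="() { :; }; echo $marker" \
            "$bin" -c 'echo probe-finished' 2>/dev/null)
    verdict=$(classify "$marker" "$out")
    echo "$verdict"
    [ "$verdict" = patched ]
}

# Candidate locations (assumed; adjust for the system being checked).
for b in /bin/bash /usr/bin/bash /usr/local/bin/bash; do
    printf '%s: ' "$b"
    check_bash "$b" || true
done
```

Run it again after the patch is applied: every Bash binary that exists on the system should report `patched`, including copies outside the default path.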
According to the NIST vulnerability database, which rates the flaw 10 out of 10 in terms of severity:
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.
Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service
Our Support Team has already delivered a patch to our nodes, and VPS customers who have an LTSP will automatically be patched to protect against this bug during the course of today. Users on all nodes can expect some high loads as we recompile the patch into our nodes and servers.
Do we have evidence of a compromise?
{$client_first_name}, the honest answer is no, but we also don’t have evidence of a compromise either, which leaves everyone affected by this in a very uncomfortable place. If any users have any concerns, please submit a ticket to the team ( {$whmcs_url} ) and we will be happy to help. Please also be advised that during this time tickets might be delayed in being answered as our team focus on patching the issue across our network.
- Thursday, 25th September, 2014
- 08:55am