This past Wednesday, September 24th a vulnerability in bash was announced and I wanted to give a quick summary or run-down of the situation and how it may effect some of us. The vulnerability allows code execution in bash simply by setting certain specific environment variables. The vulnerability was originally found by Stephane Schazelas, and later Travis Ormandy disclosed a secondary exploit that manages to circumvent the initial patch. Given the fact this vulnerability revolves around using bash shells it has been given the name "shellshock". It has also been assigned two separate CVE numbers, CVE-2014-6271 for the original vulnerability and CVE-2014-7169 for the secondary variation.
Even though this vulnerability was just discovered and disclosed merely two days ago, it has already been patched as many times. The initial patch to fix the first disclosure, and another patch released Thursday September 25th to fix the secondary variation. These facts help reinforce the need for patch management and keeping systems up to date. It's generally pretty easy to mitigate most vulnerabilities once they're known, the trouble is maintaining patch levels and keeping track of everything. Many small businesses may not be running Linux in the first place and therefore have no chance of being directly vulnerable to this particular bug. There are still however valuable lessons to be learned from this. Even if your environment doesn't include any Linux systems, some of your business partners or service providers may and probably do use Linux. Any data or business functions shared by these entities for you now become vulnerable. This is why service contracts and service level agreements are such a valuable tool for businesses of all sizes.