ADAM and the Shellshock Bash bug

OVERVIEW



This article is intended to inform you of the impact of the Shellshock Bash bug on the ADAM application.

Shellshock is a security bug in the widely-used Unix Bash shell, causing Bash to execute commands from environment variables unintentionally.[1][2] While Bash is not an Internet-facing service, many Internet-facing daemons call Bash internally. An attacker can use an Internet-facing service that sets the contents of an environmental variable to cause Bash to execute the commands in the variable. Some web servers calling Bash files as CGI scripts are known to be vulnerable. DHCP clients are also potentially vulnerable, and more affected services are expected to be found (Wikipedia).


ADAM does not use Bash and thus is not directly impacted by this bug.


However, customers are advised to re-evaluate their ADAM infrastructure as ADAM might be using underlying network hardware and software including, but not limited to firewalls, routers, switches, reverse proxies and FTP servers that are vulnerable.

"... There are non-Microsoft components sitting in front of their Microsoft application stack, components that the traffic needs to pass through before it hits the web servers. These are also components that may have elevated privileges behind the firewall – what’s the impact if Shellshock is exploited on those? It could be significant and that’s the point I’m making here; Shellshock has the potential to impact assets beyond just at-risk Bash implementations when it exists in a broader ecosystem of other machines..." Troy Hunt

REFERENCES


http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html?m=1

http://www.openwall.com/lists/oss-security/2014/09/24/11

Was this article helpful?

0 out of 0 found this helpful