Press Release
For immediate release September 26, 2014


State and Federal Regulators: Financial Institutions Should Move Quickly to Address Shellshock Vulnerability


Financial institutions should quickly address the “Shellshock” vulnerability by applying patches to their Bash software, the Federal Financial Institutions Examination Council said Friday.

Bash, or Bourne-again Shell—a common software tool found in most UNIX, Linux, and Mac OS X operating systems and which also may be installed on Windows servers—is used to execute a sequence of commands. The “Shellshock” vulnerability could allow an attacker to execute malicious code through Bash and gain control over a targeted system. The pervasive use of Bash and the potential for exploitation of this vulnerability to be automated present a material risk.

Financial institutions and their service providers should assess the risk to their infrastructures and execute mitigation activities with appropriate urgency. Financial institutions should identify all servers, systems, and appliances that use the vulnerable versions of Bash and follow appropriate patch management practices.[1] Financial institutions relying on third-party service providers should ensure those providers are aware of the vulnerability and are taking appropriate mitigation action.


###

Attachment:

Bourne-again shell (Bash) “Shellshock” Vulnerability Alert (PDF)


References:


Bourne-again Shell (Bash) Remote Code Execution Vulnerability, CVE-2014-6271 and CVE-2014-7169
www.us-cert.gov/ncas/current-activity/2014/09/24/Bourne-Again-Shell-Bash-Remote-Code-Execution-Vulnerability


FFIEC Information Technology Examination Handbook, “Development and Acquisition”
http://ithandbook.ffiec.gov/it-booklets/development-and-acquisition.aspx


FFIEC Information Technology Examination Handbook, “Information Security”
http://ithandbook.ffiec.gov/it-booklets/information-security.aspx


FFIEC Information Technology Examination Handbook, “Operations”
http://ithandbook.ffiec.gov/it-booklets/operations.aspx


Media Contacts:

CFPB Sam Gilford (202) 435-7673
FDIC Greg Hernandez (202) 898-6984
FRB Barbara Hagenbaugh (202) 452-2955
NCUA John Fairbanks (703) 518-6336
OCC William Grassano (202) 649-6870
SLC Catherine Woody (202) 728-5733

[1] Patch management, software maintenance, and security update practices are covered by a number of FFIEC IT Examination Handbooks, including: Development and Acquisition; Information Security; and Operations.

The FFIEC was established in March 1979 to prescribe uniform principles, standards, and report forms, and to promote uniformity in the supervision of financial institutions. The Council has six voting members: a Governor of the Board of Governors of the Federal Reserve System, designated by the Chairman of the Board; the Chairman of the Federal Deposit Insurance Corporation; the Chairman of the Board of the National Credit Union Administration; the Comptroller of the Currency; the Director of the Consumer Financial Protection Bureau; and the Chairman of the State Liaison Committee. The Council's activities are supported by interagency task forces and by an advisory State Liaison Committee, comprised of five representatives of state agencies that supervise financial institutions.