(10-13-2014 02:33 PM)I45owl Wrote: Heartbleed I can understand as a nightmare. Shellshock didn't affect us at all, and I'd be surprised if it affected production financial servers, as I think it would mean that you're running cgi scripts. None of the servers I work with were affected by those two, as we didn't use openssl or bash in production servers.
I am beyond amazed that Shellshock did not affect you. If you run Linux, ESX, or Solaris then you are one of the few orgs in the world that can say that.
Shellshock was not just cgi scripts, it's an error in bash which allowed arbitrary execution of code to any service which could make a bash system call. That includes java, php, jsp, (py/jy)thon, perl, and services like DNS, DHCP, and SMTP. Any time a developer said "F it, I'll ask the system what the time is, or I'll use the fopen for the file," they opened you up for this.
Heck, my Bro-In-Law runs a lab with a Linux DHCP server. His admin walked in, flipped open a clean laptop on their guest network and changed the root password on half the systems in his infrastructure.
Shellshock is the only true 11/10 I have ever seen on the UNIX side of the house. Where Heartbleed only affected rather recent versions of openssl (1.0.1c-1.0.1f I think) the bash error has been sitting there for more than a decade. Funny enough Heartbleed did not hit us at all because we were not running RHEL6.3/6.4/7beta at the time.
To be clear, on the day it hit, any UNIX machine running gnu bash (Linux, Solaris, along with some BSD/Aix/HPUX) was impacted.
Besides UNIX operating systems you're also talking about linux/bsd based appliances (both real appliances like stoves and IT ones like SAN/NAS gear). It is also going to hit hypervisors like ESX and IBM's HMCs.
Heck, I even saw a few advisories for Cisco networking gear, high end stuff. Let's just say that normally I have to beg to patch certain systems and when this one came out I got a blank check to patch whatever I wanted whenever I wanted. It took a few days but now everything I am responsible for is compliant.
If you have not remediated the patches you are sitting on a time bomb.
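The "are we patched yet" question the post ends on can be answered per host with the same harmless probe the Linux vendors published at the time: export a variable that looks like a bash function definition with a trailing command, and see whether bash executes the trailing echo. This is an added example, not part of the post above; it only runs an `echo` against the local bash and reports one of `patched`, `vulnerable` or `bash-missing`.

```shell
#!/bin/sh
# Added example: report whether the local bash still executes code that
# trails an environment-imported function definition (the original
# Shellshock bug). A fixed bash prints only "test"; an unfixed one also
# prints "vulnerable". Nothing beyond an echo is run either way.
shellshock_status() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "bash-missing"
        return 0
    fi
    # The variable value mimics a bash function export; the "echo vulnerable"
    # after the function body is what a patched bash must refuse to run.
    out=$(env 'x=() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# Print the bash build alongside the verdict so fleet reports are comparable.
report() {
    ver=$(bash -c 'echo "$BASH_VERSION"' 2>/dev/null || echo "n/a")
    echo "$(hostname) bash=$ver status=$(shellshock_status)"
}

report
```

Run it from your configuration management tool across the estate and grep the output for `status=vulnerable` to find the hosts that still need the bash update.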