By now you’re probably aware that a serious Unix (Linux) vulnerability has been discovered. Named ‘Shellshock’, it affects Unix-based operating systems such as Linux and Mac OS X. If exploited, it can be used by hackers to gain remote control of servers and personal computers.
The aim of this post is to outline the steps we’ve already taken, and provide more details on what (if anything) you need to do.
This has been reported worldwide by the media and isn’t specific to any particular company, so if you have hosting elsewhere and you’re unsure of the steps your web host or server administrator has taken, it’s vital to find out. You will also need to check any hardware you own running a Unix-based OS (e.g. desktops and laptops), and install recommended updates if they allow external SSH connections.
All versions of bash up to and including 4.3 are vulnerable.
All supported Linux distributions are affected and have released patches.
More information from Red Hat: https://access.redhat.com/articles/1200223
Shared Web Hosting
In terms of your web hosting with Heart Internet, we have kept on top of the exploit and security issues since the vulnerability was first highlighted earlier in the week within the Linux community. If you have a shared hosting account with us, you do not need to take any action.
All Heart Internet infrastructure and shared web hosting servers (Starter Pro, Home Pro, Business Pro and Reseller Pro) were patched on Wednesday as soon as the initial vulnerability CVE-2014-6271 was announced. All Heart Internet infrastructure and shared web hosting servers were patched this morning (Friday) as soon as updates for CVE-2014-7169 were available.
Please rest assured that we will be keeping even closer watch on the situation and will implement any further security patches as needed; any updates will be added to the bottom of this blog post.
VPS, Hybrid Server & Dedicated Servers
If you have a VPS, Hybrid Server or Dedicated Server, these are unmanaged by us by default and you will need to update (and if you’re a Reseller, help/tell your own customers to update) if you haven’t already.
CentOS & Fedora use bash by default. To update:
yum -y update bash
rpm -q –changelog bash | grep -B1 -A1 CVE-2014-7169
This should return something like the following
* Thu Sep 25 2014 Ondrej Oprala <email@example.com> – 4.1.2-15.2
Once you have successfully updated we recommend that you reboot the server to make sure that there are no vulnerable invocations of bash running.
Ubuntu and Debian may not use bash by default. However, you still need to patch as bash is likely to be installed. To do this:
apt-get update && apt-get install –only-upgrade bash
Following the update, you should reboot the server to make sure that there are no vulnerable invocations of bash running.
Our security engineers apply patches and fix issues within all third party operating systems and code as needed with our systems and shared platforms. Very few attract media attention like Shellshock (and Heartbleed back in April), but in all cases we treat is as a crucial behind-the-scenes task and apply fixes the instant they become available.
We pride ourselves on fast action where security is concerned, and this is something we constantly monitor regardless of how small the bug or how much media attention it gets. From a security perspective, we treat all confirmed (and rumoured) vulnerabilities with the same top priority. If you have any questions or concerns, please raise a ticket with our support team and they will be happy to help out where needed.
Thank you for hosting with us, and I hope this alleviates any concerns you may have.