FFIEC Advises Financial Institutions to Move Quickly to Address Shellshock Vulnerability
September 29, 2014 – The Federal Financial Institutions Examination Council (FFIEC) announced late Friday that, due to the vulnerability reported in the GNU Bourne Again Shell (Bash), “financial institutions and their service providers should assess the risk to their infrastructures and execute mitigation activities with appropriate urgency.”
Bash is a common software tool found in most UNIX, Linux, and Mac OS X operating systems, and it may also be installed on Windows servers. It is used to execute a sequence of commands. A Department of Homeland Security (DHS) Computer Emergency Readiness Team (US-CERT) alert released on Thursday said the Bash vulnerability ("Shellshock," a.k.a. "Bash Bug") can be exploited to gain command access to Linux-based systems and could adversely impact a majority of the Web servers around the world, as well as Internet-connected devices on the Mac OS X platform.
The FFIEC advised financial institutions to “identify all servers, systems, and appliances that use the vulnerable versions of Bash and follow appropriate patch management practices.” Furthermore, they said, “financial institutions relying on third-party service providers should ensure those providers are aware of the vulnerability and are taking appropriate mitigation action.”