What is the ShellShock vulnerability and how do I know it exists on my systems?

A new vulnerability has been found that potentially affects Linux, UNIX and Mac OS X operating systems. First disclosed on September 24, 2014 and commonly known as the “Bash Bug” or “ShellShock”, the GNU Bash Remote Code Execution Vulnerability (CVE-2014-6271 and CVE-2014-7169) could allow attackers to gain control over a targeted computer if exploited successfully, giving them access to your data and networks.

The vulnerability leverages the Bash shell, a command language interpreter. An attacker can attach malicious code to environment variables that affect the way processes are run on a computer.

If you are using versions of Bash in operating systems based on SUSE Linux Enterprise 9, 10 or 11, your servers are potentially at risk. If your systems are affected, we recommend that you patch your systems right away.

SUSE Manager can also be used to verify the status of your systems, and apply the ShellShock patches if necessary. Watch this video to see how quick and easy it is to verify, patch and audit your systems with SUSE Manager.

Is a patch available for me if I have current subscriptions and am running the most current version of SUSE Linux Enterprise 9, 10 or 11? What if I'm running earlier versions and have subscribed to Long Term Service Pack Support?

Yes and yes. There are two patches that close this vulnerability that you can access and apply, if you are a current customer with active support subscriptions, or a current customer with active support subscriptions and Long Term Service Pack Support (LTSS).

These patches are available through SUSE maintenance channels for your particular operating system. Instructions for how to get access to these patches and update your systems is available through SUSE Update Advisories. Additional information about the process is available through this SUSE Knowledgebase entry.

What if I'm a current customer but I'm using older operating systems for some of my servers without a support contract like Long Term Service Pack Support for those older versions? Can I still get the patches?

Yes. Our primary concern and first priority is to make sure that your systems are secure.

Given the widespread use of Bash and its inclusion in multiple generations of our operating system products, we consider this to be an extraordinary circumstance. We want to make sure that all of your systems are protected, even those that you may have inadvertently chosen to run in an unsupported fashion.

In order to get access to these patches, we've created a special entitlement for you. Please go to our patch finder site to access and download the patches that you need. Alternatively, you can notify your local contact at our global technical support organization. Once they have confirmed that you are a current customer with active support subscriptions, they will help you open a service request and provide you with instructions on how to access the security patches for your earlier, unsupported operating systems.

What if I'm using SUSE Linux Enterprise-based operating systems offered by public cloud service providers, such as Amazon Web Services? Do I need to patch those systems?

If you initiated service on or after Saturday, September 27, at 2 PM EDT, then your systems have already been patched and are secure. If your services were started prior to that date, your systems are potentially at risk. In order to ensure that your systems are secure, we recommend that you restart your services on secure systems, or patch your existing systems following the instructions described in the SUSE Linux Enterprise Server, AWS Updates & ShellShock blog.

What does the patch address or not address? Do I need to do anything else after applying the patch to make sure I'm no longer vulnerable?

Applying the two patches eliminates the ability to append the Bash environmental variables with malicious code. After applying the patches, there are no additional tasks required to ensure you are no longer vulnerable.

SUSE works around the clock to fix known security issues that impact its supported products. When we become aware of an issue and a patch is created, we provide this information to our customers through security updates. As a general rule, we recommend that you watch for these updates and apply any patches that are critical to keeping your systems secure.

Customers can choose to be notified daily or weekly, via email or RSS, about just security updates, or all of the updates that are available for their systems. Go to our patch finder page for more information about how you can subscribe to proactive notifications.

After first hearing about this ShellShock vulnerability, I've since heard about other related security issues. Are there additional issues, and does it affect my systems?

There have been additional disclosures about related security vulnerabilities involving the Bash shell, but your SUSE Linux Enterprise-based systems are not impacted if they have recently been patched. The patches provided for CVE-2014-6271 and CVE-2014-7169 also take care of these new issues. CVE-2014-6277 and CVE-2014-6278 describe these new issues in greater detail. More information is also available at this knowledgebase entry.

What's the best way to make sure I always receive security updates for all my SUSE Linux Enterprise-based systems as quickly as possible?

The best way is to ensure that you have active subscriptions for all your systems and are running current versions that are within their support life cycle. If you need to run an older version that is out of its standard life cycle, you should purchase extended life cycle support, such as our LTSS offering. For more information on purchasing subscriptions and LTSS, contact your SUSE sales representative or partner.