On September 26, 2014, the Federal Financial Institutions Examination Council (FFIEC) recommended that financial institutions move quickly to address the “Shellshock” vulnerability. Shellshock is a flaw in the GNU Bourne-Again Shell (Bash) software. Bash is the common command-line shell used in many Linux/UNIX operating systems and in Apple’s Mac OS X. The flaw could allow an attacker to remotely execute shell commands by attaching malicious code to environment variables used by the operating system, and thereby gain control over a targeted system. To address the vulnerability, financial institutions should install the existing patches to Bash software and watch for updated patches. Bash may also be installed on Windows servers, where it is used to execute a sequence of commands. Shellshock presents a material risk because of Bash’s wide use by financial institutions and because attackers can potentially execute arbitrary code via a crafted environment, which enables network-based exploitation.
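Because the bulletin's first action item is to install the Bash patches and then watch for updated ones, the practical question for an operator is whether a given host's Bash still honors command text appended to a function definition in an environment variable. The script below is an added example written for this page, not FFIEC or vendor code; it assumes `bash` is on the `PATH` and uses the harmless, widely published vendor self-test (the appended command only echoes a marker), so it can be run on each server, system or appliance during the patch-management review and its exit status fed into an inventory.

```shell
#!/bin/sh
# Added example (not from the FFIEC bulletin): report whether the local Bash
# still parses trailing commands from function-style environment variables.
# Assumes "bash" is on PATH; the marker strings below are constructed.

# A vulnerable Bash imports the variable as a function definition and also
# runs the text after the closing brace ("echo VULNERABLE") at startup.
# A patched Bash treats the variable as plain data and prints only "completed".
shellshock_status() {
    out=$(env x='() { :;}; echo VULNERABLE' bash -c 'echo completed' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) echo "vulnerable" ;;
        *completed*)  echo "patched" ;;
        *)            echo "unknown" ;;   # bash missing or failed to start
    esac
}

# Version string for the patch record; empty if bash is not installed.
bash_version() {
    bash -c 'printf "%s" "$BASH_VERSION"' 2>/dev/null
}

# One-line inventory record; exits non-zero unless the host is patched,
# so the script can gate a fleet-wide check or a ticketing job.
shellshock_report() {
    host=$(hostname 2>/dev/null || echo unknown-host)
    status=$(shellshock_status)
    printf '%s bash=%s shellshock=%s\n' "$host" "$(bash_version)" "$status"
    [ "$status" = "patched" ]
}

shellshock_report
```

Run it after applying a patch and again after each vendor update; a host that reports `unknown` has no working Bash on the path and should be checked by hand (for example, a Windows server with a vendored Bash outside the default path).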
FFIEC reminded financial institutions and their service providers to determine the risk to their infrastructures and to execute mitigation activities with appropriate urgency. Financial institutions should review the patch management, software maintenance and security update practices covered by the FFIEC IT Examination Handbooks (including Development and Acquisition, Information Security, and Operations), assess all servers, systems and appliances that use vulnerable versions of Bash, and follow appropriate patch management practices. Financial institutions, including community banks, that rely on third-party service providers should also review Office of the Comptroller of the Currency (OCC) Bulletin 2013-29 on assessing and managing the risks of third-party relationships, and should ensure that their providers are aware of the Shellshock vulnerability and are taking action consistent with FFIEC and OCC guidance.