ShellShock!

[Judgeneo]

Security flaw effecting the whole of BASH, which is about 500m devices world wide. Bigger than heartbleed.

Working hard here to fix our estate, get busy people!

http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/

Also, I know that some consumer grade routers and switches also run bash, does anyone have a manufacturer list for effected network equipment I can start checking against?

 

[Judgeneo]

Cisco have released this advisory

http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_Bash_09252014.html

Cheers, I think I've identified all the servers for one of my clients (suppliers for the other one are terribly slow...), but the network applications are harder to find. Our F5 load balancers needed to be patched too.

 

[Judgeneo]

Its a full penetration testing that is to be done, done every month and this has been bought forward to today due to the vulnerabilty.

It has been outsourced, hence the 3rd party performing the test.

I myself have done some tests on internal appliance box that are not internet facing and the IBM Proventia IPS boxs are vulnerable (thry run Red Hat Linux)

Interested to know if your pentest came up with anything that wasn't expected?

 

[Judgeneo]

Although dont like it when testers fill a report with what amounts to a vulnerability scan.

Choose a better firm then


All all internet facing stuff got fixed last week, now is just cleaning up the rest of the estate. Many of the appliances need to be manually updated....