Shellshock vulnerability: What you need to know

Patch or get patched

Yesterday, Stephane Chazelas discovered a widespread software vulnerability affecting many computers and electronic devices around the world (published under CVE-2014-6271). This vulnerability, now being called “Shellshock,” is a flaw in “bash,” a popular command-line shell used in Linux and other operating systems, and it makes it possible for attackers to send commands to a device that uses bash and have them executed remotely.

Bash, for those of you who don’t know, is a way to manage a computer from the command line (think black screen, green blinking text). And Linux is one of the most popular operating systems in the world. Web servers, computers, phones, routers, smart watches, kiosks, even really smart appliances in your home, use Linux. The MacBook I’m using to write this post uses bash. It’s affected by this vulnerability.

So what do you do about it?

In most cases, nothing. We began patching our servers yesterday, as soon as we learned of the vulnerability. We’ve got a lot of work to do, but our goal is to finish patching by end of day today. We’ve also added additional security filters to protect your accounts while the patching is under way.

If you have a dedicated or virtual private server with us, you’ll need to take care of the patch yourself. We’re sending you instructions on how to do it and how to verify you’re good to go. If you want to get started now, you can follow the steps in this support article.

If you’re running your own server, or using Linux (Ubuntu, Mint) or a Mac as your desktop operating system, update your bash software as soon as you can. If you’re hosting your website somewhere else, contact your hosting provider to make sure you’re patched.
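Once bash has been updated, you will want to confirm that the fix is actually in place. The script below is an added example, not code from this post or from GoDaddy’s support article: it runs the two widely published self-checks, one for CVE-2014-6271 and one for the follow-up CVE-2014-7169, against the local bash and reports whether each fix is present. The function names, the script name and the use of a temporary directory are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post): self-check of the local bash for
# the two Shellshock CVEs. Function names and layout are assumptions.

# CVE-2014-6271: a vulnerable bash, when importing a function definition from
# an environment variable, also executes whatever follows the closing brace.
# Here that trailing command only prints "vulnerable"; a fixed bash prints
# just "probe".
probe_6271() {
  bash_bin="${1:-bash}"
  env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo probe' 2>/dev/null
}

# Classify probe_6271 output: "vulnerable" if the injected echo ran, else "patched".
classify_6271() {
  case "$1" in
    *vulnerable*) echo vulnerable ;;
    *) echo patched ;;
  esac
}

# CVE-2014-7169: the incomplete first fix still let a crafted function body
# smuggle in a redirection. The published check runs in an empty directory:
# a still-affected bash creates a file named "echo" there, a fixed one does not.
# The exit status is irrelevant; the file is the evidence.
probe_7169() {
  bash_bin="${1:-bash}"
  dir="$2"
  ( cd "$dir" && env X='() { (a)=>\' "$bash_bin" -c 'echo date' >/dev/null 2>&1 ) || true
}

# Classify by looking for the file the injected redirection would have created.
classify_7169() {
  if [ -e "$1/echo" ]; then echo vulnerable; else echo patched; fi
}

# Run both checks against one bash binary and print one line per CVE.
# Returns 0 only when both fixes are present, 2 if bash cannot be found.
check_bash() {
  bash_bin="${1:-bash}"
  if ! command -v "$bash_bin" >/dev/null 2>&1; then
    echo "bash not found: $bash_bin" >&2
    return 2
  fi
  r1=$(classify_6271 "$(probe_6271 "$bash_bin")")
  tmp=$(mktemp -d) || return 2
  probe_7169 "$bash_bin" "$tmp"
  r2=$(classify_7169 "$tmp")
  rm -rf "$tmp"
  echo "CVE-2014-6271: $r1"
  echo "CVE-2014-7169: $r2"
  [ "$r1" = patched ] && [ "$r2" = patched ]
}

# Usage: sh shellshock-check.sh [/path/to/bash]
check_bash "$1"
```

Run it once before and once after the package update; a non-zero exit status means at least one of the two fixes is missing and the update has not taken effect (for example because a second bash binary is installed in a different path, which is why the script accepts an explicit path).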

If you’re worried about your phone or computer or smart refrigerator, stay up to date on security patches. If they send you an update for your device in the next few days, install it.

We’ll continue to monitor what’s happening with Shellshock and continue to make updates as necessary. As soon as we’ve finished updating our servers, we’ll let you know.

UPDATE as of Friday (09.26.14): In shared hosting, we’re deploying the patch for the second Shellshock-related vulnerability released late last night, CVE-2014-7169. We should finish this second update later today. We’ve also sent patch instructions, which cover both Shellshock vulnerabilities, to virtual private and dedicated server customers. Thanks for all your help and support.

UPDATE as of Friday Evening (09.26.14): In shared hosting, we completed patching for both CVE-2014-6271 and CVE-2014-7169. We are now conducting an audit to confirm. Thank you for your patience as we wrap this up.

UPDATE as of Tuesday (09.30.14): We have finished auditing our shared hosting and managed server environments. We’re continuing to work with any virtual private server or dedicated server customers that need help applying the patch.

UPDATE as of Thursday (10.02.14): We have finished auditing all of our systems and applied the appropriate security patches. We’ll continue to support any dedicated server or virtual server customers that need help.

Image by: BottleLeaf via Compfight cc

Todd Redfoot
As Chief Information Security Officer at GoDaddy, Todd Redfoot makes it his mission to keep customer and company data and systems safe. In his spare time, Todd enjoys frequent trips to the beach with his wife and kids. Connect with Todd on LinkedIn.