Categories: FDIC

Technology Alert: GNU Bourne-Again Shell (Bash) Vulnerability

FIL-49-2014
September 29, 2014

Technology Alert: GNU Bourne-Again Shell (Bash) Vulnerability

Printable Format:

FIL-49-2014 – PDF (PDF Help)

Summary:

The FDIC, as a member of the Federal Financial Institutions Examination Council (FFIEC), is issuing the attached alert advising financial institutions of a material security vulnerability with Linux and Unix operating systems that could allow an attacker to gain control of a bank’s servers remotely. The vulnerability is commonly known as the GNU Bourne-Again Shell (Bash) or “Shellshock” vulnerability.

Statement of Applicability to Institutions with Less than $1 Billion in Total Assets: This Financial Institution Letter (FIL) applies to all FDIC-supervised institutions.

Highlights:

  • Bash is a software tool found on operating systems such as Linux and Unix and is used to translate user instructions and other inputs into machine-readable commands.
  • Financial institutions may have Bash present on a wide array of servers and network devices including web servers, email servers, and physical security systems.
  • Exploiting this vulnerability may allow attackers to potentially eavesdrop on encrypted communication, steal login credentials or other sensitive data, impersonate financial institution services or users, access sensitive email, or gain access to internal networks.
  • Financial institutions should assess whether this software is used within their institutions, and implement patches and upgrades following appropriate patch-management practices. Institutions should also monitor the status of their third-party service providers’ and vendors’ efforts to implement patches on software where Bash is present.
  • Examination guidance and additional information on patch management, software maintenance, and security updates can be found in the following FFIEC IT Examination Booklets:

Financial institutions should review U.S. CERT, GNU Bourne- Again Shell (Bash) “Shellshock” Vulnerability (CVE-2014-6271 and CVE-2014-7169) for additional information (see https://www.us-cert.gov/ncas/alerts/TA14-268A).

IR Press

Share
Published by
IR Press

Recent Posts

Treasury Issues Final Rule Expanding CFIUS Coverage of Real Estate Transactions Around More Than 60 Military Installations

WASHINGTON – Today, the U.S. Department of the Treasury (Treasury), as Chair of the Committee…

3 days ago

U.S. Department of the Treasury’s CDFI Fund and Federal Housing Finance Agency Collaborate to Bolster CDFI Access to Capital

WASHINGTON—Today, the U.S. Department of the Treasury’s Community Development Financial Institutions Fund (CDFI Fund) and…

3 days ago

Report on U.S. Portfolio Holdings of Foreign Securities at Year-End 2023

Washington – The findings from the annual survey of U.S. portfolio holdings of foreign securities…

4 days ago

READOUT: U.S. Department of the Treasury Hosts Roundtable Discussion on the Financial Sector’s Response to Recent Hurricanes

WASHINGTON – The U.S. Department of the Treasury hosted a roundtable on October 30 with…

4 days ago

READOUT: Sixth Meeting of the Financial Working Group Between the United States and the People’s Republic of China

WASHINGTON – The United States and the People’s Republic of China held the sixth meeting…

4 days ago

Treasury Sanctions Key Members of La Linea, a Group Involved in Trafficking Fentanyl into the United States

WASHINGTON — Today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned…

4 days ago