If you haven’t heard of Shellshock and rely on web-based services, you need to be aware of it. Make sure the folks who run your services are on top of this issue.
As reported by the Washington Post:
The National Institute of Standards and Technology’s National Vulnerability Database scored the vulnerability as a “10,” on a scale from one to 10, on both impacts and exploitability. US-CERT also issued an advisory, saying “exploitation of this vulnerability may allow a remote attacker to execute arbitrary code on an affected system.”
That means that someone could remotely take over a server.
From the perspective of mass emergency alert providers, that could mean serious trouble. We should all remember the incident last year when the emergency alert system at a Great Falls, MT television station was hacked and sent out bogus warnings that “dead bodies are rising from their graves”. So a hacker could potentially take over some other emergency alert service to send out similar warnings – or worse.
All the major emergency alert service providers (CodeRed, Everbridge, Hyper-Reach, etc.) use web-based services to enable their clients to send out alerts. Unless the servers that provide the web interface are protected from hackers, there’s a serious risk.
If you use Hyper-Reach, you’re protected by an IT team that takes security seriously. Our servers were patched within hours of the news of this vulnerability. And we’re tracking the issue closely, which is important, since there have been at least three new bash-related vulnerabilities reported.
If you don’t use Hyper-Reach for emergency alerts, check with your vendor. It’s important. And if you use other web-based services, you should check with them as well.