WASHINGTON (9/29/14)--The Federal Financial Institutions Examination Council (FFIEC) members are advising financial institutions of a material security vulnerability in the Bourne-again shell (Bash) system software widely used in servers and other computing devices that could allow attackers to access and gain control of operating systems.
The vulnerability, nicknamed "Shellshock," could expose organizations and individuals to potential fraud, financial loss, or access to confidential information.
Bash is a software tool found on many operating systems and is used to translate user instructions and other inputs into machine-readable commands. Financial institutions may have Bash present on a wide array of servers and network devices, including Web servers, email servers and physical security systems. On Sept. 24, security researchers reported the existence of Shellshock in Bash versions 1.14 through 4.3, which have been in use for decades.
The vulnerability potentially allows a remote attacker to run malware, or malicious code, on affected systems. Given the broad use of the Bash software tool, the vulnerability may be present in the computer systems of financial institutions, their members and customers, and those of their third-party providers.
Attackers could use the vulnerability to access and take control of systems, leading to a range of operational risks. These risks may include the loss of confidentiality, integrity, and availability of sensitive customer information and confidential business data. This access could lead to data destruction, disruption of operations and fraud, FFIEC said. (See related story: Security expert: Shellshock could cause 'chaos and mayhem.')
While vendors are working to patch and update their systems, the FFIEC member agencies expect financial institutions to conduct a risk assessment and address the Shellshock vulnerability as part of ongoing information security and incident response plans. FFIEC advices financial institutions to take the following steps, as appropriate:
The FFIEC is comprised of federal financial institution regulators, including the National Credit Union Administration.