The recently announced Bash Bug (also known the Shellshock bug) is a security flaw that affects operating systems that use the Bash shell.

  • Secure File Transfer/Biscom Delivery Servers running on Windows are not affected.
  • Biscom’s Secure File Transfer/Biscom Delivery Server Linux appliances are not vulnerable as provided out of the box, though the operating system they are built on does contain the bash shell and should be patched.
  • Any Linux SFT server only exposing HTTP and/or HTTPS to the public internet are not vulnerable to outside attack through the SFT application. If there are other web applications running on the server those could be vulnerable.

Patching

There is a patch available for the Bash shell that should be applied to all Linux systems.

To apply the patch to a Linux SFT Appliance that has web access run the following commands:

apt-get update

apt-get install bash

If your SFT appliance cannot directly download the patch from the internet, it can be be manually updated using the following steps:

Customers who have SFT/BDS installed on their own Linux servers should update the Bash shell through the normal update procedure for their OS.

The current patch limits vulnerability but does not fix the vulnerability 100%, and an updated patch should be available soon. Customers should upgrade again once a patch that completely fixes the bug is available.

Technical Details

There are three possible ways a Linux based SFT Server could be affected. Through the web server, through SSH, and through DHCP.

Through the web the bug can be exploited through the use of CGI scripts. SFT does not use CGI and appliance does not have CGI support installed. SFT servers installed on customer’s own operating system could be affected if CGI scripts can be launched by the web server.

SSH is used for remote access to the server and is not typically open to the public internet (though it could be). To exploit the bug through SSH an attacker has to log into the system through SSH first. The SFT appliance ships with only one account that can SSH in, the root account, which already has full access. If additional accounts have been added, and an attacker logs in as one of those accounts, they could exploit the bug to get root access.

SFT Servers typically use fixed IP addresses instead of DHCP and the appliance ships without dhcpd running. Customers running dhcpd are vulnerable.