On September 29, 2014, the FDIC, on behalf of the Federal Financial Institutions Examination Council (FFIEC), issued an alert to banks on recently discovered material vulnerabilities in the security of the GNU Bourne-again shell system software -- nicknamed “Bash” -- commonly used by bank servers and computers. Researchers reported the newly discovered vulnerability -- nicknamed “Shellshock” -- in Bash versions 1.14 through 4.3 on September 24, 2014.
According to the Alert, Shellshock may allow cyber-criminals to remotely access and gain control of bank operating systems, thus exposing both institutions and their customers to fraud and the loss of money and confidential information. The US Department of Homeland Security also released a Technical Alert about the Bash vulnerability.
The Bash software tool is used on banks’ Internet and email servers, as well as their physical security systems, to translate user instructions and input into commands that are understandable to a computer. Bash is used primarily with UNIX, Linux, and Mac OS X operating systems, although it can also be used on Windows.
The vulnerability is of particular note because of its potential for serious negative impact while requiring little skill to exploit. The danger is heightened by the fact that Bash is so widely used by banks.
The FDIC noted that there is at present no definitive means of resolving the vulnerability, although system providers are currently patching and updating their systems, and FFIEC member agencies will be conducting a risk assessment to address Shellshock.
In the interim, the FDIC advised banks to take the following steps:
- Identify servers, systems, and appliances that use vulnerable versions of Bash and follow patch management practices;
- Apply firewalls and filtering systems;
- Monitor systems for malicious or anomalous activity, and update signatures as a means of detecting intrusion;
- Ensure that third-party service providers take measures to identify and mitigate risk; and
- Review systems to determine if the vulnerability has already been exploited (and conduct a forensic examination of the potential effects of a breach, if necessary).
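The first step above, identifying hosts that still run an affected Bash, is easy to get wrong if done by version number alone, because distributions backported the fix without changing the "4.3"-style version. The following self-check script is an added example, not part of the FDIC/FFIEC alert; it reports the local Bash version, tests whether the installed Bash still executes trailing code from a function-style environment variable (the Shellshock defect), and flags a version string as inside the 1.14 through 4.3 range named in the alert. All function names are the author's own.

```shell
#!/bin/sh
# Added example (not from the FDIC/FFIEC alert): run on a host you administer
# to record its Bash patch state during the "identify vulnerable systems" step.
# It only examines the machine it runs on.

# Print the installed Bash version string, or "none" if Bash is absent.
bash_version() {
    if command -v bash >/dev/null 2>&1; then
        bash -c 'printf "%s\n" "$BASH_VERSION"'
    else
        echo none
    fi
}

# Behavioural check, the authoritative signal: a patched Bash ignores anything
# after the function body in an imported environment variable; an unpatched
# one executes it. Prints "vulnerable", "patched", or "no-bash".
shellshock_check() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    # MARKER appears in the output only if Bash ran the code after "{ :;}".
    out=$(env probe='() { :;}; echo MARKER' bash -c 'echo ok' 2>/dev/null || true)
    case "$out" in
        *MARKER*) echo vulnerable ;;
        *)        echo patched ;;
    esac
}

# Version triage, a weak signal: returns 0 when major.minor falls in the
# 1.14 through 4.3 range from the alert. A hit here means "verify with the
# behavioural check", not "unpatched", since vendor patches keep the number.
version_in_affected_range() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    case "$major" in
        [23]) return 0 ;;
        1)    [ "${minor:-0}" -ge 14 ] ;;
        4)    [ "${minor:-0}" -le 3 ] ;;
        *)    return 1 ;;
    esac
}

printf 'bash version: %s\n' "$(bash_version)"
printf 'behavioural check: %s\n' "$(shellshock_check)"
```

Collect the two printed lines from each host into the inventory; any host reporting "vulnerable" goes to the front of the patch queue regardless of what the version string says.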
Banks should also establish mechanisms for obtaining threat and vulnerability information and contact their system vendors for additional information. Contacts include:
- The US Computer Emergency Readiness Team (US-CERT) portal, or
- The Financial Services Information Sharing and Analysis Center at http://www.fsisac.com/