You might have heard about a bug called “Shellshock” that affects all versions of the bash shell package published before September 26. We wanted to assure you that the Avangate system and services are not exploitable by this bug, and explain why.
Avangate’s IT team has monitored the Shellshock bug since it was first identified, and we’ve verified that our systems aren’t vulnerable to it. That’s primarily because we don’t expose any of our endpoints to shell execution. We also lack the necessary conditions for vulnerability to the bug, such as web exposed scripts able to run the bash commands. Only a limited number of people have shell access for Avangate systems, and this access is for administrative purposes only. Any shell access is protected within a firewall, and is also subject to various process audits, including PCI DSS regular security procedures. All Avangate vulnerable servers and systems were patched once the patches have been made available.
More about the bug: The bash shell package, or GNU Bourne Again SHell, is a command interpreter used by many Linux- and Unix-based operating systems, including Apple’s OS X, and is also part of many other servers, PCs, and other devices including Network Attached Storage. The Shellshock bug lets remote entities control affected systems by inserting commands in variables. It’s classified as extremely critical with severe exploitation risks by the US National Vulnerability Database (NVD), with a score of 10 out of 10 for impact and exploitability (see CVE-2014-6271 and CVE-2014-7169 for details).
At Avangate, we constantly monitor for potential threats from any source, and are confident in the security of our systems. This is a serious bug, and we encourage you to check your own systems for vulnerability. System updates are available from all web hosting providers to help protect your data, and we encourage you to work with your IT team to ensure you are not vulnerable to this serious bug.
If you have questions about this bug or about the security of Avangate services in general, please let us know at any time. It’s our job to make sure you are protected.
