Posted on September 30, 2014 by Fusion Connect Security Team
As you may already be aware, security researchers announced a security flaw in Bash, a command processor on many computers running Linux operating systems and Apple OS X. The bug, known as Shellshock, is a hole in Bash that lets an attacker insert code into a victim’s computer in order to run commands and control a computer remotely. The attacker could potentially access files, operate programs, and copy and delete data.
At Fusion Connect, we take your privacy and security very seriously. We continually perform security audits and diligently and persistently monitor our network to ensure that there are no vulnerabilities that could affect the services provided to you, our customers. In addition, we perform stringent testing including detailed validation and certification of any new piece of equipment being introduced in our network prior to putting it in production.
Once Fusion Connect became aware of the Shellshock vulnerability, we moved quickly to address it. We have performed extensive security audits within our network and service platforms to check for this specific vulnerability. At this time, Fusion Connect has no evidence that the Shellshock bug was used to access any Fusion Connect data or services.
Fusion Connect has verified the security state of customer equipment and configurations utilized in Fusion Connect services, including CPE and other components. Fusion Connect has evaluated the following services for any impact relating to Shellshock bug with the following results:
- MPLS – Not impacted
- SSL VPN – Not Impacted
- Managed Security Services (MSS) – Not Impacted
- Voice over IP (VoIP) – Potential vulnerability identified and patch being implemented
- Email and Web Hosting – Potential vulnerability identified and patch being implemented
- Cloud Hosting – Potential vulnerability identified and patch being implemented
Fusion Connect is addressing the potential vulnerabilities listed above by implementing patches as they become available through our vendors. Fusion Connect will perform critical system patches within seven days of a patch release and non-critical system patches within thirty days of a patch release. We also recommend that our customers follow standard security best practices and use recommended security privileges across all systems.
It is important to note that this advisory only applies to Fusion Connect-provided systems, equipment and components. We strongly advise that you evaluate your own infrastructure, identify possible vulnerabilities, and resolve any issues promptly to include the swift application of any manufacturer security patches to your impacted systems.
For more information on the Shellshock bug, here is a helpful link: