By now, you should have heard of “Shellshock” and it’s hopefully not causing you too much of a headache.
US-CERT is aware of a Bash vulnerability affecting Unix-based operating systems such as Linux and Mac OS X. Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code on an affected system. Two CVEs, CVE-2014-6271 and CVE-2014-7169, have been issued accordingly.
For more information from US CERT, please see the following links.
The following article also helps to explain more about the bug: http://www.engadget.com/2014/09/25/what-is-the-shellshock/
We have been keeping up with all the latest information from our partners regarding which products may be affected and any solutions or work-arounds they have put in place.
Riverbed
Riverbed have released information on their support pages for each of their products, explaining exactly what is affected, how it is affected and how to put work-arounds in place.
Update @ 06/10/2014
Please note: Riverbed have updated their Shellshock support article (S24997).
Talari
Talari Networks has sent an email out to their customers advising which appliances and software versions are affected. They are looking to release updated software within the next 24 hours to resolve these issues. If you have not received this email from Talari, please contact us and we can pass the information on.
Update @ 29/09/2014
Patch for APN 4.0 Available
Appliance Platforms Impacted:
T510, T730, T750, T860, T3000, T3010, T5000
Software Versions Impacted:
APN Software 4.0
Summary:
APN Software Release 4.0 GA P4 H4 is now available on the Talari support site at:
http://www.talari.com/support/release_40.php
This release contains the fix for the Shellshock bug. All customers running APN Software 4.0 are encouraged to install this hyperfix. Customers not yet running 4.0 are strongly encouraged to upgrade at the earliest possible opportunity. Next week, a release to correct the problem will be made to APN Software 3.1.
Prior to installation, please review the release notes as there is important information regarding the installation. The release notes are available at:
http://www.talari.com/support/pdf/r40/4.0_GA_P4_H4_Release_Notes.pdf
What is vulnerable:
This issue exists in all versions of Talari APN Software. The management interface to a Talari APN Appliance, which uses the Bash shell, may be vulnerable. By design, the only way to access the management interface of a Talari APN Appliance is via a separate physical Ethernet interface that typically should be on a trusted and secure segment.
What is not vulnerable:
Conduit traffic (TRP) and the functionality of the forwarding plane are not vulnerable. There is no way to get to the management interface of a Talari APN Appliance through the In-band interfaces, so any In-band interfaces in untrusted zones are secure.
Allot
Teneo is waiting for the vendor to confirm whether CVE-2014-6271 affects any of their products.
Castle Rock
Teneo is waiting for the vendor to confirm whether CVE-2014-6271 affects any of their products.
Update @ 29/09/2014
Castle Rock Support confirmed that none of the Shellshock issues affect their SNMPc Products.
Infoblox
#3228: Infoblox, Inc. -- Initial Response to CVE-2014-6271, CVE-2014-7169
Published 09/25/2014 09:06 AM | Updated 09/25/2014 12:40 PM
Regarding the recently announced vulnerabilities in the bash shell (CVE-2014-6271, CVE-2014-7169): Our current assessment is that the Infoblox DDI product family running NIOS, and the Infoblox Network Automation product family (NetMRI, Automation Change Manager, and Switch Port Manager) are not directly vulnerable to these exploits. For those NIOS customers using Bloxtools, a custom development environment, the Bloxtools environment may be vulnerable. We are investigating this further and will update ASAP.
As a best practice measure, Infoblox will be providing updates to current NIOS and Network Automation versions to replace the version of bash installed. Once more detail is determined a Knowledge Base Article will be posted with full details and references.
Update 15/10/14
#3234: NIOS products not vulnerable to CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187
Published 09/26/2014 03:01 PM | Updated 10/13/2014 04:17 PM
Regarding the recently announced vulnerabilities in the bash shell (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187):
Our assessment is that Infoblox DDI products running NIOS are not directly vulnerable to these exploits.
However, for NIOS customers using Bloxtools, the Bloxtools custom development environment may be vulnerable.
As a best practice measure, Infoblox has provided the following patches to replace the installed version of the bash shell in current NIOS versions:
- NIOS 6.8.10 and NIOS 6.8.11
- NIOS 6.10.8 and NIOS 6.10.9
- NIOS 6.11.4 and NIOS 6.11.5
These patches can be downloaded from the Infoblox Support website.
For information about Network Automation products and vulnerability to CVE-2014-6271 and CVE-2014-7169, see KB 3235.
Please get in touch with Teneo Support at support@teneo.net if you do not have access to the patches.
#3235: Network Automation products vulnerable to CVE-2014-6271 and CVE-2014-7169 and related exploits
Published 09/26/2014 03:35 PM | Updated 09/30/2014 05:28 PM
Infoblox has determined that all versions of its Network Automation products NetMRI, Automation Change Manager, and Switch Port Manager are vulnerable to the exploits described in CVE-2014-6271, CVE-2014-7169, and other related exploits.
Infoblox continues to diligently monitor the situation and will continue to issue updates to hotfixes as issues are found and corrected in the bash program.
Important Note: New and updated hotfixes for these vulnerabilities are attached and previously provided hotfixes have been removed. Infoblox strongly recommends that customers immediately apply the relevant hotfix.
The previous hotfixes provided by Infoblox for these CVE issues have been superseded by the latest hotfixes attached at the bottom of the KB. These latest hotfixes should be applied immediately, regardless of whether previous hotfixes were applied. These new hotfixes contain all of the fixes that the previous hotfixes had, as well as additional fixes to further mitigate this issue. The newest hotfixes will overwrite all previous hotfixes which may have been installed.
Note: Are you currently running a version of Network Automation for which a hotfix is not provided? Upgrade to one of the releases for which a hotfix has been provided before you apply the hotfix.
To apply a hotfix:
1. SCP the hotfix to the appliance.
2. Run the command autoupdate <filename.gpg>, where <filename> is the name of the file which has the extension .gpg. A dialog box opens with information about the hotfix and a prompt (y/n).
3. Press y to install the hotfix. The appliance restarts after you install the hotfix.
4. To confirm that the hotfix has been installed, issue the CLI command show updatehistory.
For information about the NIOS family of products and vulnerabilities described in CVE-2014-6271 and CVE-2014-7169, see KB 3234.
Please get in touch with Teneo Support at support@teneo.net if you do not have access to the hotfixes.
Palo Alto Networks
Palo Alto Networks intends to release emergency content with IPS coverage for CVE-2014-7169 within the next 24 hours.
Bash Shell remote code execution - CVE-2014-6271 vulnerability information:
Wednesday, September 24th, Palo Alto Networks became aware of a remote code execution vulnerability in the Bash shell utility, CVE-2014-6271. The vulnerability allows for remote code execution through multiple vectors due to the way Bash is often used on Linux systems for processing commands.
IPS Signature Mitigation CVE-2014-6271:
Palo Alto Networks has released an emergency content update the same day, on September 24th, that provides detection of attempted exploitation of CVE-2014-6271 with IPS vulnerability Signature ID: 36729 "Bash Remote Code Execution Vulnerability" with Critical severity and default action of "Alert." Palo Alto Networks customers with a Threat Prevention subscription are advised to verify that they are running the latest content version on their devices. If you have any questions about coverage for this advisory, please contact Support.
Product Vulnerabilities:
The Bash vulnerability currently appears to be a low severity issue as it only could be exploited by authenticated administrators. Normal PAN-OS maintenance release updates will provide a fix for the vulnerability.
We will continue to update you as additional information is available.
Announcement expires on September 29, 2014
Palo Alto Networks (Update as of 26/9/2014)
Application and Threat Content Release Notes
Version 458
Notes: Release notes for emergency content release for CVE-2014-6271 update and CVE-2014-7169
Thursday, September 25th, Palo Alto Networks became aware of additional vulnerabilities with the Bash shell utility. The fixes for CVE-2014-6271 were incomplete from Operating System vendors and there is a new vulnerability, CVE-2014-7169, that describes this issue. To address this new vulnerability, Palo Alto Networks is releasing an emergency content update that provides updated detection of both CVE-2014-7169 and the previous CVE-2014-6271 vulnerability with an update to the IPS vulnerability Signature ID: 36729 "Bash Remote Code Execution Vulnerability" with "Critical" severity and default action of "Alert".
• Additional information on the vulnerabilities: http://seclists.org/oss-sec/2014/q3/650 and http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169
Palo Alto Networks is also adding coverage for the DHCP attack vector for CVE-2014-6271 with IPS vulnerability Signature ID: 36730 "Bash Remote Code Execution Vulnerability".
• Additional information on this attack vector can be found here: https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/
Palo Alto Networks is also adding two Spyware/Command and Control signatures seen in attacks related to the Bash vulnerability.
• Spyware C&C Signature ID 13729 "Bash0day BackDoor" to detect the Linux ELF file.
• Spyware C&C Signature ID 13730 "Bash0day BackDoor" to detect command and control of the backdoor.
• More information can be found here: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3505#p23987
Palo Alto Networks customers with a Threat Prevention subscription are advised to verify that they are running the latest content version on their devices. Customers should review their policies and ensure the desired actions are enabled for their environment. If you have any questions about coverage for this advisory, please contact Support.
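A log-side complement to the IPS signatures described above, as an added example (it is not Palo Alto Networks' signature logic and not part of any vendor advisory): it scans web server access logs in Combined Log Format for the Bash function-definition prefix "() {" that Shellshock exploitation attempts carry in request fields. The log lines, addresses and function name are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Combined Log Format: ip - user [time] "request" status bytes "referer" "agent"
QUOTED = r'(?:[^"\\]|\\.)*'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>' + QUOTED + r')" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>' + QUOTED + r')" "(?P<agent>' + QUOTED + r')"'
)
# Prefix that makes a vulnerable Bash treat a variable value as a function.
MARKER_RE = re.compile(r'\(\)\s*\{')

# Constructed sample lines (documentation address ranges, harmless strings).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [25/Sep/2014:10:02:11 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 312 "-" "() { :; }; echo probe"',
    '203.0.113.5 - - [25/Sep/2014:10:03:40 +0000] "GET /cgi-bin/test.cgi HTTP/1.0" '
    '404 209 "() { test; }; echo probe" "curl/7.30.0"',
    '192.0.2.44 - - [25/Sep/2014:10:04:05 +0000] "GET /search?q=%28%29%20%7B%20x HTTP/1.1" '
    '200 877 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [25/Sep/2014:10:05:00 +0000] "GET /js/app.js?cb=f() HTTP/1.1" '
    '200 1400 "-" "Mozilla/5.0"',
]

def find_shellshock_attempts(lines):
    """Return one record per log field that contains the "() {" marker."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not Combined Log Format; skipped rather than guessed at
        for field in ("request", "referer", "agent"):
            # Decode percent-encoding so an encoded marker is not missed.
            if MARKER_RE.search(unquote(m.group(field))):
                hits.append({"line": lineno, "ip": m.group("ip"),
                             "field": field, "status": int(m.group("status"))})
    return hits

if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 against a CGI path deserves a closer look than a 404, since the request reached a handler that may have passed the header to Bash.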
Keep up to date with the latest news
The Teneo Technical Support Team will be keeping up to date with all of the latest information and updates, so please get in touch with any questions or concerns at support@teneo.net
To keep up to date with what we know, follow us on Twitter