CSCur05434 - Emergency Responder evaluation for CVE-2014-6271 and CVE-2014-7169

So, is there going to be a COP file fix released for Emergency Responder or are we expected to know how to download and install the fixed version of Bash from Red Hat as the solution? For Call Manager, Unity and UCCX, there were COP files released...if this is not going to be the solution for ER, it would be nice if the bug report were clearer on the matter.

There is one posted under "CER Upgrade Patch", at least for 10. The bug report is not clear on that at all.
Turns into: bash-3.2-33.el5_11.4
after installing the patch.

Similar Messages

  • NX-OS ( n7000-s1-dk9.5.1.3.bin ) BASH VULNERABILITY - CVE-2014-6271 and CVE-2014-7169

    Hi,
    Nexus 7000 evaluation for CVE-2014-6271 and CVE-2014-7169: I am referring to the link below to check NX-OS n7000-s1-dk9.5.1.3.bin
    https://tools.cisco.com/bugsearch/bug/CSCur04856
    5.1.3 is not mentioned in the affected list. I need help to know whether 5.1 is affected by the Bash vulnerability.
    Thanks for the help in advance.

  • CVE-2014-6271 and CVE-2014-7169 / Oracle Linux

    Hi ,
    The patch required to resolve the vulnerabilities described in CVE-2014-6271 and CVE-2014-7169 in Oracle Linux 5 (x86) is "bash-3.2-33.el5_11.4.x86_64.rpm".
    Where can I get this patch? It's not available on support.oracle/patches!!
    Thanks,
    Thamer

    Your Oracle Linux system should be configured to automatically install packages either from the Unbreakable Linux Network or public-yum.oracle.com. You might want to ask your Linux sysadmin for assistance if your servers aren't already configured for updates.
    You can also check Chapter 1 and Chapter 2 of the Oracle Linux Administrator's Guide for more details on using ULN or public-yum: Oracle® Linux (it's for OL6 but the concepts are the same for OL5).

  • Impact of CVE-2014-6271 and CVE-2014-7169 (Shellshock) on NetWare6.5 SP8

    Greetings, all...
    I see that Novell has a handy security note out regarding CVE-2014-6271:
    http://support.novell.com/security/c...2014-6271.html
    as it pertains to SUSE and SLE, as well as one for CVE-2014-7169:
    http://support.novell.com/security/c...2014-7169.html
    Testing in a bash shell on one of my NetWare boxes, I've been pleasantly
    surprised, though remain unconvinced that the older bash port is entirely
    free of vulnerability, here.
    Yes, I do have a couple SSL sites running on NetWare Apache (2.2.27), though
    I don't believe that anyone is using mod_cgi or mod_cgid.
    (BTW, if anyone needs patched versions of bash 3.0.27 for CentOS 4.8, I have
    32 and 64-bit binary rpms on my FTP server:
    ftp.2rosenthals.com/pub/CentOS/4.8 .)
    Just curious as to what the consensus is regarding NetWare with this thing.
    TIA
    Lewis
    Lewis G Rosenthal, CNA, CLP, CLE, CWTS
    Rosenthal & Rosenthal, LLC www.2rosenthals.com
    Need a managed Wi-Fi hotspot? www.hautspot.com
    visit my IT blog www.2rosenthals.net/wordpress

    The concern with the bash shell is that services MAY be setup to run as
    users which use those shells, and therefore be able to have things
    injected into those shells. Nothing on NetWare uses bash by default,
    because NetWare is not anything like Linux/Unix in its use of shells.
    Sure, you can load bash for fun and profit on NetWare, but unless you
    explicitly request it the bash.nlm file is never used. On NetWare I do
    not think it is even possible to have any normal non-Bash environment
    variable somehow be exported/inherited into a bash shell, though I've
    never tried.
    Good luck.

  • CSCur05017 - N5K/N6K evaluation for CVE-2014-6271 and CVE-2014-7169 - 4

    What about if we run an older version not listed in "Known Affected Releases"? We currently have 2 Nexus switches with engine 5.0(3)N2(1).
    Thanks for any input on that.

  • Telepresence endpoint evaluation for CVE-2014-6271 and CVE-2014-7169 aka "Shellshock"

    Please refer to the Cisco Security Advisory for more information.
    http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
    BUG ID: CSCur02591
    /Magnus

    Hi Magnus,
    Is blocking the management ports (HTTP/HTTPS/SSH/Telnet/basically everything under port 1024) sufficient to mitigate this issue for TelePresence systems?
    Or is the issue also present on the SIP and H.323 ports?

  • CVE-2014-6271 and CVE-2014-7169 Patch Availability Document for Oracle Linux

    Hi,
    Can you suggest from where we need to download bash rpm for OEL 6 :-
    bash-4.1.2-15.el6_5.2.x86_64.rpm
    bash-doc-4.1.2-15.el6_5.2.x86_64.rpm
    Thanks in Advance !!
    Mukesh

    First see the document I linked about creating a local yum mirror (How to Create a Local Yum Repository for Oracle Linux). I very strongly recommend setting this up so your systems can get other updates besides bash.
    The individual RPMs can be found at Index of /repo/OracleLinux/OL6/latest/x86_64/ -- but I cannot stress the importance of updating entire systems rather than just bash. If you are not updating your systems periodically, bash is just one of your worries (as you're undoubtedly vulnerable to hundreds of other exploits in other packages besides Shellshock). Please set up an update repository and use it.
    Patching only the vulnerabilities you see in the news is equivalent to locking your home's front door, but leaving the security alarm disconnected and the back door held open with a doorstop. You need all the updates, not just bash.

  • ASR1K GNU Bash Vulnerability Rommon requirement (CVE-2014-6271 and CVE-2014-7169)

    Does anyone know which ROMmon release is recommended for 3.13.X?
    There was no information in the release notes.
    Thanks a lot~

  • 6500 ACE MODULE: CVE-2010-4180 and CVE-2005-2969

    Hello,
    The version 3.0(0)A5(1.2) is vulnerable to these CVEs. I was looking for a fix, but it's hard to find good information in the Cisco release notes.
    The old versions: http://www.cisco.com/c/en/us/td/docs/interfaces_modules/services_modules/ace/vA2_3_x/Release/Note/RACEA2_3_X.html.
    I was checking if the version A5(3.0) would fix it, but nothing is said in the release notes.
    http://www.cisco.com/c/en/us/td/docs/interfaces_modules/services_modules/ace/vA5_3_x/release/note/ACE_mod_rn_A53x.html
    Does anyone know if a newer version fixes it, or know of another source of information?
    Thanks.

    Hi,
    The first vulnerability has been documented by the ACE team under Cisco
    Bug ID CSCtk69440 (https://tools.cisco.com/bugsearch/bug/CSCtk69440).
    This vulnerability was resolved by the engineering team by disabling the
    affected function call.  This particular feature was not in use by the ACE
    device.  The issue was first resolved in Version 3.0(0)A4(1.0.72) back in
    2011.
    The second vulnerability identified by CVE-2005-2969 does not have a public
    bug ID.  However, the engineering team has evaluated the impact of this
    issue.  The affected padding functions were never enabled in the ACE
    software and the device is not affected.  This would remain the case even
    if SSLv2 were to be enabled on the device for legacy browser compatibility.
    I hope it helps you.
    Regards,
    Felipe Lima

  • Emergency Responder (E911) colocation?

    I have a client that has a cluster of Call Managers in a European country and would like to use that cluster for an office in Vermont, USA and remove a local Call Manager there. This Vermont location currently uses an Emergency Responder server for Enhanced 911 services.
    Does anyone see any issues using the E911 server across a T1 MPLS circuit? Does the E911 server need to be colocated with the cluster? Are there bandwidth and latency requirements across the WAN?
    Are there any other issues you can foresee having the E911 server there? Will E911 work with SRST in a failure situation?

    Many customers use CER for multiple locations within a CUCM cluster. You should be able to do this; as for the configuration with SRST, I am not sure. Since one of the major functions of CER is to identify phones in their physical locations, you should be able to configure it such that all emergency calls in the Vermont location would egress their local GWs.
    You may wish to address the CER documentation to verify it meets your needs.  This documentation can be found at the link below:
    http://www.cisco.com/en/US/products/sw/voicesw/ps842/prod_maintenance_guides_list.html

  • Are you aware about bash security issue CVE-2014-6271 ? Do you have a patch for that? The problem may exist in all Solaris versions.

    Are you aware about bash security issue CVE-2014-6271 ? Do you have a patch for that? The problem may exist in all Solaris versions.

    The official communication is now posted to
        https://blogs.oracle.com/security/entry/security_alert_cve_2014_7169

  • Bash bug  CVE-2014-6271 patch availability for OL4?

    Hi,
    Kindly advise how to download the CVE-2014-7169  CVE-2014-6271 security patches for Oracle Linux 4?
    Rgds;
    Shirley

    Exactly the same way as you would for OL5, OL6 or OL7: either connect your machine to the Unbreakable Linux Network or public-yum.oracle.com and use the up2date tool to upgrade bash.

  • Is there a patch out for the bash bug (CVE 2014-6271)?

    Is there a patch out for the bash bug (CVE 2014-6271)? I saw one for Oracle Linux, so I hope there's one for Solaris as well.

    Hi,
    another approach could be to just build a custom bash package yourself using
    the available changes published here:
    https://java.net/projects/solaris-userland/sources/gate/show/components/bash
    That's the build infrastructure and source we use to build the official Solaris 11
    IPS packages.
    Regards,
    Ronald

  • CVE-2014-6271 - Shellshock- NO fix from NOVELL for OES11 SP1

    there is NOT even a mention on Novell's site that I can see
    DISAPPOINTED
    SUSE has !!!
    https://www.suse.com/support/kb/doc.php?id=7015702
    This DOES not FIX OES 11 SP1 Servers
    So SLES SP2 fix yes but NOT OES - at least does NOT seem to work for me

    Hi.
    On 29.09.2014 08:46, bharat1 wrote:
    >
    > Most Customers have a 3-5 year Server replacement cycle and MANY will /
    > may not patch unless absolutely necessary.
    Not patching operating systems these days and ages is not going to fly.
    Especially not if you want security fixes.
    > If it's not broke - don't fix it.
    Define "broke". Did your server stop working?
    > Two opinions
    > (1) Important FLAW like this should be publicly available.... IMHO :)
    But it is.
    > (2) a product should have MINIMUM 5 Years FULL support
    But it has. A service pack is *NOT* a new product.
    CU,
    Massimo Rosen
    Novell Knowledge Partner
    No emails please!
    http://www.cfc-it.de

  • Bash CVE-2014-6271 Vulnerability

    Excuse me if this was already posted. I searched titles only for bash and 6271 and didn't see any results.
    Cut and paste from CVE-2014-6271 Bash vulnerability allows remote execution arbitrary code:
    This morning a flaw was found in Bash with the way it evaluated certain environment variables. Basically an attacker could use this flaw to override or bypass environment restrictions to execute shell commands. As a result various services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.
    Details on CVE-2014-6271 from the MITRE CVE dictionary and NIST NVD (page pending creation).
    I’m currently patching servers for this. The issue affects ALL products which use Bash shell and parse values of environment variables. This issue is especially dangerous as there are many possible ways Bash can be called by applications. Quite often if an application executes another binary, Bash is invoked to accomplish this. Because of the pervasive use of the Bash shell, this issue is quite serious and should be treated as such!
    To test if your version of Bash is vulnerable run the following command:
    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    If that command returns the following:
    vulnerable
    this is a test
    …then you are using a vulnerable version of Bash and should patch immediately. The patch used to fix this issue ensures that no code is allowed after the end of a Bash function. Thus, if you run the above example with the patched version of Bash, you should get an output similar to:
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test
    Arch Linux CVE-2014-6271 patch:
    pacman -Syu
    Last edited by hydn (2014-09-28 20:57:41)

    On a related note.  I post this here as it might be of interest to some members....
    I just checked my DD-WRT based router for this vulnerability.   It comes stock with Busybox and does not seem to be vulnerable, but...   I keep bash on a separate partition which gets mounted on /opt.  That bash is vulnerable.  Until the DD-WRT project catches up, I suggest anyone using that router firmware consider disabling Bash for the time being and stick with BB.
    Also, as another aside, ArchArm has this fix in place now and is safely running on my Raspberry Pi.   
    I did kill the ssh service on the Windows Box that let me into bash via Cygwin.  Cygwin Bash is vulnerable as of when I began this post.
    Last edited by ewaller (2014-09-25 18:26:18)
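
The reply above found a second, vulnerable bash on /opt beside a safe system shell, so one probe of the default shell is not enough. The following is an added example, not code from either poster: it runs the post's CVE-2014-6271 test against every shell path it is given. The function names and the paths in the usage comment are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): run the post's CVE-2014-6271 probe
# against each shell binary named on the command line.

# classify_output TEXT -> "vulnerable", "not-vulnerable" or "unknown"
classify_output() {
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        echo vulnerable          # the command after the function body ran
    elif printf '%s\n' "$1" | grep -qx 'this is a test'; then
        echo not-vulnerable      # only the requested command ran
    else
        echo unknown             # binary did not behave like a shell
    fi
}

# classify_shell PATH -> "missing" or the classify_output verdict
classify_shell() {
    if [ ! -x "$1" ]; then
        echo missing
        return 0
    fi
    # Same probe as in the post; "|| true" keeps a failing binary from
    # aborting the audit when the caller uses "set -e".
    probe_out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo this is a test' 2>/dev/null) || true
    classify_output "$probe_out"
}

# audit_shells PATH... -> one "verdict<TAB>path" line per candidate
audit_shells() {
    for candidate in "$@"; do
        printf '%s\t%s\n' "$(classify_shell "$candidate")" "$candidate"
    done
}

# Example call; both paths are assumptions for illustration:
#   sh audit.sh /bin/bash /opt/bin/bash
if [ "$#" -gt 0 ]; then
    audit_shells "$@"
fi
```

A not-vulnerable verdict covers only the CVE-2014-6271 probe quoted in the post; for CVE-2014-7169, compare the installed package with the vendor's fixed build.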
