Shellshock Vulnerability

Similar Messages

• ShellShock Vulnerable products

  Hello
  We have Cisci UCS blade servers B420 M3 serial : FCH1710J7JP
  and the Fabric Interconnect : UCS-FI-6248UP
  I need to know if those product are vulnerable for ShellShock 
  If they are vulnerable witch patch I need to install ? 

  Just an FYI a fix has been released (2.2(3b))......
  Fixes will be available in the following upcoming releases:
  3.0(1d) ==> ETA week of 10/13
  2.2(3b) ==> released 10/9
  2.2(2e) ==> ETA week of 10/13
  2.2(1f) ==> ETA week of 10/13
  2.1(3f) ==> ETA will be announced shortly
  2.0(5g) ==> ETA will be announced shortly
  All six CVEs, CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187 CVE-2014-6278, and CVE-2014-6277 have been fixed.
  The 2.2(3b) release was published to CCO on 10/9. The other 2.2 release trains will be updated in the week of 10/13. The release schedule for the 2.0 and 2.1 release trains will be announced soon - release candidates are currently still in QA.
  https://tools.cisco.com/bugsearch/bug/CSCur01379

• CSCur00511 Shellshock Vulnerable ACS Versions

  What is the status of the 4.x ACS versions?  Only a few 5.x versions were listed as vulnerable in the bug report.  But the bash vulnerability seems to have been with us for a very long time.  If 4.x isn't vulnerable, was this because ACS didn't use a version of unix with bash back then?  Or is 4.x just unevaluated because it's beyond end of support?
   

  Hello,
  I have tested the vulnerability and confirmed that it affects ACS 5.2.
  ACS 5.3 probably runs the same BASH version, so the it is most likely vulnerable.
  At this point, I would recommend to upgrade to any of the following versions:
  ACS 5.4 patch 7
  ACS 5.5 patch 6
  ACS 5.6 patch 1
  HTH.

• Community Discussion on CSCuq98748- Bash Vulnerability

  Hi, Is Nexus 7K and 5K are open to Shellshock vulnerable?
  can you please confirm

     Yes they are vulnerable if you are using a certain version of code . The 5k's have 3 different versions that are vulnerABLE and the 7k's have one version  6.2.6 which is vulnerable.
  5K info
  Last Modified:
  Sep 29,2014
  Status:
  Open
  Severity:
  2 Severe
  Product:
  Cisco Nexus 5000 Series Switches
  Support Cases:
  0
  Known Affected Releases:
  (3)
  5.2(1)N1(8a)
  6.0(2)N2(5)
  7.0(3)N1(0.125)
  Known Fixed Releases:
  (0)
  Download software for  Cisco Nexus 5000 Series Switches
  Support Cases:
  (0)
  Support case links are not customer visible
  -->
  Related Bugs
  Bug(s)
  -->
  Community Discussion on CSCur05017 - Cisco Support Community

• Shellshock bug

  Is no one curious about whether Apple is working on this?

  If the issue concerns an older vintage obsolete Mac OS X and a former security
  issue, bypassed through upgrade and updates over many years, I'd guess No.
  However there is a new issue that re-uses an old name bug... of different nature.
  I see this page, but wonder about its validity: (consumes resources to view)
  http://www.imore.com/about-bash-shellshock-vulnerability-and-what-it-means-os-x
  A new installation on a wiped hard drive would be a way to remove it from Mac.
  Please define the system and hardware this issue is confined to; if you have it.
  •What does the Shellshock bug affect?
  http://www.thesafemac.com/?s=shellshock&submit=Search
  http://www.thesafemac.com/what-does-the-shellshock-bug-affect/#more-1688
  While I have Leopard on a few machines, I try to not install software from odd
  places that are suspect. See if TheSafeMac has anything about it; email the
  author of the site and ask him. http://www.thesafemac.com/tech-guides/
  Good luck & happy computing!
  edited

• Shell shock - Bash still is not updated

  I purchased my Mac earlier this year (2014.7) and it was originally installed with OS X 10.9
  I have currently formatted my Mac 5 times since I have purchased it due to issues with Bash, Java, Safari, the App store.
  I believe I was victim to Shell shock as my Bash responds to the first vulnerability (First Update dated Sept 26, 2014, Bash version 3.2.53)
  env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
  with a vulnerable output.
  this is a test
  I have downloaded the BashUpdateMavericks.pkg which NIST points to and it comes up with an error. I have tried installing the parch on both Mavericks and Yosemite and neither result in a successful instalment.
  Can anyone give any insight on what I should do to patch up bash?

  Apple's article about the BASH issue is here About OS X bash Update 1.0 - Apple Support
  While this vulnerability is generically described as the shellshock aka. BASH issue, there actually several permutations of it. Some fixes only addressed some of those variations. As you will see Apple's article says they address two listed vulnerabilities but actually (as I read it) includes three different fixes.
  The following article https://shellshocker.net seems to list six variations plus the original issue including the two Apple list.
  On that basis one could argue Apple's fix does not address all the possible variations. However based on Apple's fix the result "this is a test" indicates the patch is correctly installed. Based on the shellshocker test all seven out of seven variations are fixed by Apple if you have the Apple patch installed.
  This is the result I get on Mavericks 10.9.5 with Apple's patch applied.
  CVE-2014-6271 (original shellshock): not vulnerable
  CVE-2014-6277 (segfault): not vulnerable
  CVE-2014-6278 (Florian's patch): not vulnerable
  CVE-2014-7169 (taviso bug): not vulnerable
  CVE-2014-7186 (redir_stack bug): not vulnerable
  CVE-2014-7187 (nested loops off by one): not vulnerable
  CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
  With an unpatched copy of Mavericks I get the first four as vulnerable and the last three as not vulnerable suggesting Apple indeed only had to add three fixes. (The last six issues are variations of the first one.)
  CVE-2014-6271 (original shellshock): VULNERABLE
  bash: line 17: 54477 Segmentation fault: 11  shellshocker="() { x() { _;}; x() { _;} <<a; }" bash -c date 2> /dev/null
  CVE-2014-6277 (segfault): VULNERABLE
  CVE-2014-6278 (Florian's patch): VULNERABLE
  CVE-2014-7169 (taviso bug): VULNERABLE
  CVE-2014-7186 (redir_stack bug): not vulnerable
  CVE-2014-7187 (nested loops off by one): not vulnerable
  CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable

• IMac is vulnerable to Shellshock

  Hi,
  My iMac has is vulnerable to Shellshock.  See test and results below.  Please advise.
  Test:
  Is my machine vulnerable?
  Shellshocker.net provides two tests, one for each vulnerability, (CVE-2014-6271) and (CVE-2014-7169). On a Mac, open the Terminal program and type:
  env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
  If you see "vulnerable" echoed in the response, your version of Bash is affected. Then type:
  env X='() { (a)=>\' bash -c "echo date"; cat echo
  If you see today's date (alongside any errors), your version of Bash is vulnerable.
  Results:
  Last login: Sun Sep 28 11:30:39 on console
  Daryls-iMac-2:~ darylkennedy$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
  vulnerable
  this is a test
  Daryls-iMac-2:~ darylkennedy$
  Daryls-iMac-2:~ darylkennedy$ env X='() { (a)=>\' bash -c "echo date"; cat echo
  bash: X: line 1: syntax error near unexpected token `='
  bash: X: line 1: `'
  bash: error importing function definition for `X'
  Sun Sep 28 11:36:27 EDT 2014
  Daryls-iMac-2:~ darylkennedy$

  d-nc wrote:
  Hi,
  My iMac has is vulnerable to Shellshock.  See test and results below.  Please advise.
  Don't run a web server and don't allow remote access. But, I imagine that is true already.
  Unless you are using an Airport Extreme, your router is likely the biggest vulnerability. The others are generally configured through a web server.
  See the other posts Esquared linked.

• Is ESX v3.0 / 3.5 vulnerable to Shellshock?

  Greetings,
  Is ESX v3.0 / 3.5 vulnerable to Shellshock? - I have searched all over and cannot find this answer. I tried finding out the linux shell version as well, but did not locate that. I thought Google would answer this in 2 minutes
  Any help is appreciated.
  Thanks,
  Rick

  It should be as ESX 4 is vulnerable as well, with the difference being there is a patch available for ESX 4. I think the recommendation would be to upgrade to atleast ver 4 and apply the patch.
  Security advisory located at
  VMSA-2014-0010.4 | United States
  Regards
  Girish

• ShellShock / Bash bug / iOS 7, 8 vulnerable or not?

  Hi,
  does anyone has a confirmation that iOS is also vulnerable to current ShellShock (problem with Bash)?
  Has anyone tested this on your iDevices?
  Thx.

  iOS doesn't appear to use bash, so you wouldn't be vulnerable.
  If you use software that is visible to the outside world and uses bash, then you would be at risk. Since most Mac users don't have a lot in the way of external facing software, (software that other users access and use resources on your local machine or server), individual users don't have a lot of risk. But if an attacker were to somehow find your machine's name, bash could be exploited, but since iOS doesn't use bash iPhone users don't have anything to worry about.

• Both my MacMini and MacBook Air appear to be vulnerable to the shellshock bug. When will a patch be released?

  Both my MacMini and Macbook Air appear to be vulnerable to the Shellshock bug. When will a patch be released?

  Read http://arstechnica.com/apple/2014/09/apple-patches-shellshock-bash-bug-in-os-x-1 0-9-10-8-and-10-7/

• Is the IX2 with firmware 3.2.X vulnerable to the Shellshock bug?

  Is the IX2 with firmware 3.2.X vulnerable to the Shellshock bug?

  An update was just released addressing this issue.
  LenovoEMC has released an updated version of LifeLine that incorporates fixes for the Shellshock issues. These fixes improve environment variable parsing in Bash and reset the Bash parser state. This update also includes other security updates and fixes.
  Linux Shellshock vulnerability

• ISE 1.2.0.899 vulnerable to Shellshock?

  Hi, I just saw that version 1.2(0.747) is vulnerable. How about 1.2.0.899?
  https://tools.cisco.com/bugsearch/bug/CSCur00532
  KR

  I've asked the PSIRT Team and they confirmed that ISE is vulnerable.
  http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
  (Prime Infrastructure is vulnerable as well but is not yet mentioned in the advisory.  It will be added in an upcoming revision.)

• Is the RV180 vulnerable to the BashBug? (Shellshock)

  Simple question.
  Is the RV180 vulnerable to the BashBug?
  Everything I have seen on the Cisco site is about - B i G - stuff, nothing about the small (SOHO) office equipment and such.
  I have ours set up as "Stealthy" or as invisible as I know how to so it shouldn't show up, but I don't know if Bash defeats that...
  Just want to know before someone asks me....

  I too am concern since I am behind a RVS4000.
  But found this posting from the Linksys Support Group;
  BusyBox shell is what is used in Linksys routers and that shell is not effected.
  Hope this is true

• HP hardware vulnerable to ShellShock bug?

  Hi all,
  I have been asked to check whether our HP hardware is affected in any way by the recent Bash vulnerability.
  We use the following HP hardware:
  E-MSM460 Access Point (ww)(J9591a) - Wireless Access Point
  ProCurve 2520G-24-POE (J9299A) - POE Switch
  ProCurve Switch 2510G-24 (J9279A) - Switch
  Can anyone advise whether these devices use any type of Linux or OSX based software?
  Many thanks,
  James.

  Hi,
  Please post your question on Business Support forum. HP rep at your country should tell you. I know we have many HP products in our halls (ie computer rooms) but I only talk with other vendors, not HP.
  Regards.
  BH
  **Click the KUDOS thumb up on the left to say 'Thanks'**
  Make it easier for other people to find solutions by marking a Reply 'Accept as Solution' if it solves your problem.

• Media Hub vulnerability to Bash bug (Shellshocked)

  For those of us who haven't bother to root their Cisco/Linksys NMHxxx Media Hubs, is there any cause for concern regarding the recently announced Bourne Again Shell (Bash) bug / Shell Shocked vulnerability?
  Thanks in advance to anyone from the community who can provide insight.

  Typically embedded systems use BusyBox shell which isn't effected.
  Please remember to Kudo those that help you.
  Linksys
  Communities Technical Support