New BASH ShellShock Security Bug - bigger than Heartbleed!

Woke up this morning to this: http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/

A bug discovered in the widely used Bash command interpreter poses a critical security risk to Unix and Linux systems.

You can check if you're vulnerable by running the following lines in your default shell, which on many systems will be Bash. If you see the words "busted", then you're at risk. If not, then either your Bash is fixed or your shell is using another interpreter.

env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
env X="() { :;} ; echo busted" `which bash` -c "echo completed"

Scanned systems internally and found the following were affected:

  • Cisco VCS devices (x7 and x8)
  • Cisco MXE 3500
  • Cisco DMM and SNS (assuming since running Red Hat Enterprise but unable to verify)
  • Jabber Guest
  • TCS Endpoints (6 or below have been verified, unable to verify 7 but assume vulnerable)
  • Cisco Conductor


Cisco has also just posted a security advisory:

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=4689&signatureSubId=0&softwareVersion=6.0&releaseVersion=S824
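A reusable version of the check in the post above, added here as an example (it is not from the original post or from Cisco): it wraps the same exported-function test in a function that returns a distinct exit status per outcome, so the check can be run over several interpreters on a host. The function names and the VULNERABLE_MARKER string are my own choices.

```shell
#!/bin/sh
# Added example, not from the original post. Exit status of shellshock_check:
#   0 = vulnerable, 1 = not vulnerable (or not bash), 2 = interpreter not found.
shellshock_check() {
    shell="$1"
    [ -x "$shell" ] || return 2
    # A patched bash stops parsing the exported variable after the function
    # body; a vulnerable one also runs the trailing command while importing X,
    # so the marker appears in the output before "completed".
    out=$(env X='() { :;} ; echo VULNERABLE_MARKER' "$shell" -c 'echo completed' 2>/dev/null)
    case "$out" in
        *VULNERABLE_MARKER*) return 0 ;;
        *)                   return 1 ;;
    esac
}

# Print one verdict line per interpreter path given on the command line.
report() {
    for s in "$@"; do
        rc=0
        shellshock_check "$s" || rc=$?
        case "$rc" in
            0) echo "$s: VULNERABLE (the trailing command in the test string was executed)" ;;
            1) echo "$s: not vulnerable (or not bash)" ;;
            *) echo "$s: not found or not executable" ;;
        esac
    done
}

# Same two interpreters the post tests: the default shell and bash from PATH.
report /bin/sh "$(command -v bash 2>/dev/null || echo /bin/bash)"
```

On a host where /bin/sh is dash or another non-bash shell, the first line will read "not vulnerable (or not bash)" even if bash itself is unpatched, which is why the second line matters.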


Cisco has officially issued an advisory update:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash


Vulnerable products include:

  • Cisco Telepresence endpoints (C series, EX series, MX series, MXG2 series, SX series) and the 10" touch panel [CSCur02591]


Voice and Unified Communications Devices

  • Cisco Unified Communications Manager (UCM) 10.0 [CSCur00930]
  • Cisco Unified Communications Manager Session Management Edition (SME) [CSCur00930]


Video, Streaming, TelePresence, and Transcoding Devices

  • Cisco TelePresence Video Communication Server (VCS/Expressway) [CSCur01461]
  • Cisco TelePresence Conductor [CSCur02103]


Still not seeing the DMS products including MXE, DMM, and SNS.

Outstanding info, thanks for your hard work!

I'm still pretty green, can you help me out - we have some older Tandberg devices (mostly MXP endpoints and an MPS 800), and the CISCO update gives no information one way or another. Are you aware if they are affected? If not, any idea how I can determine this on my systems?


Thanks!

Don't know about the MPS800; however, all products known to be affected by this will be listed by Cisco. They also normally list all products confirmed not to be vulnerable, i.e. see the security advisory re Heartbleed.

As far as the MXPs go, they should not be affected as they run eCos - but check the security bulletins as they get updated, as Cisco will release software patches for the affected systems.

/jens

Please rate replies and mark question(s) as "answered" if applicable.

Yup. MXP based Codecs are vulnerable.


Video, Streaming, TelePresence, and Transcoding Devices

  • Cisco DCM Series 9900-Digital Content Manager [CSCur02624]
  • Cisco Edge 300 Digital Media Player [CSCur02761]
  • Cisco Edge 340 Digital Media Player [CSCur02751]
  • Cisco Show and Share [CSCur03539]
  • Cisco TelePresence Conductor [CSCur02103]
  • Cisco TelePresence Content Server (TCS) [CSCur05150]
  • Cisco TelePresence IP Gateway Series [CSCur04984]
  • Cisco TelePresence IP VCR Series [CSCur04993]
  • Cisco TelePresence ISDN GW 3241 [CSCur05010]
  • Cisco TelePresence ISDN GW MSE 8321 [CSCur05010]
  • Cisco TelePresence ISDN Link [CSCur05025]
  • Cisco TelePresence MCU (8510, 8420, 4200, 4500 and 5300) [CSCur05050]
  • Cisco TelePresence MXP Software [CSCur05095]
  • Cisco TelePresence Management Suite Extension for IBM [CSCur05217]
  • Cisco TelePresence Manager (CTSMan) [CSCur05104]
  • Cisco TelePresence Recording Server (CTRS) [CSCur05038]
  • Cisco TelePresence Serial Gateway Series [CSCur05110]
  • Cisco TelePresence Server 8710, 7010 [CSCur05172]
  • Cisco TelePresence Server on Multiparty Media 310, 320 [CSCur05172]
  • Cisco TelePresence Server on Virtual Machine [CSCur05172]
  • Cisco TelePresence Supervisor MSE 8050 [CSCur05073]
  • Cisco TelePresence TE Software (for E20 - EoL) [CSCur05162]
  • Cisco TelePresence Video Communication Server (VCS/Expressway) [CSCur01461]
  • Cisco TelePresence endpoints (C series, EX series, MX series, MXG2 series, SX series) and the 10" touch panel [CSCur02591]
  • Cisco Video Distribution Suite for Internet Streaming VDS-IS [CSCur05320]
  • Tandberg Codian ISDN GW 3210/3220/3240 [CSCur05010]
  • Tandberg Codian MSE 8320 model [CSCur05010]

CSCur05095 for the MXP codecs is not publicly viewable yet.

Fix is available for the VCS: x7.2.4, x8.1.2, x8.2.2 - all available for download from Cisco:

https://tools.cisco.com/bugsearch/bug/CSCur01461

/jens

Please rate replies and mark question(s) as "answered" if applicable.


That might be an old list you're posting - the latest update of the Security Advisory confirms that the "Cisco TelePresence MXP Software" is Not Vulnerable.

Wayne
--
Please remember to rate responses and to mark your question as answered if appropriate.


That's a good thing, because I seriously doubt CISCO will patch older MXP systems for Shellshock. 

You'd have to check the various end-of-sale/life announcements for the MXP systems you have. Look for the "End of Vulnerability/Security Support: HW" section; it will list the last date Cisco will release patches for vulnerabilities such as this.

The older MXP devices don't run a Linux back end like the newer devices; they're based on eCos, so they won't experience a lot of the same issues.

Wayne
--
Please remember to rate responses and to mark your question as answered if appropriate.


Regarding [CSCur02591], I found interesting information in the licensing guides: bash version 4.1.7 was implemented in TC5 and bash version 4.2 in TC6.x and TC7.x. So I think it is necessary to update the affected TC software version. All TC versions seem to be affected.
