New BASH ShellShock Security Bug - bigger than Heartbleed!

Sep 25th, 2014

Woke up this morning to this: http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/

A bug discovered in the widely used Bash command interpreter poses a critical security risk to Unix and Linux systems.

You can check if you're vulnerable by running the following lines in your default shell, which on many systems will be Bash. If you see the words "busted", then you're at risk. If not, then either your Bash is fixed or your shell is using another interpreter.

env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
env X="() { :;} ; echo busted" `which bash` -c "echo completed"

Scanned systems internally and found the following were affected:

  • Cisco VCS devices (x7 and x8)
  • Cisco MXE 3500
  • Cisco DMM and SNS (assuming since running Red Hat Enterprise but unable to verify)
  • Jabber Guest
  • TCS Endpoints (6 or below have been verified, unable to verify 7 but assume vulnerable)
  • Cisco Conductor

Cisco has also just posted a security advisory:

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=4689&signatureSubId=0&softwareVersion=6.0&releaseVersion=S824
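To turn the two one-liners above into a repeatable check that can be run on each host being inventoried, here is an added example script (not part of the original post; the function names and the verdict strings are my own). It runs the same "busted" probe against a given shell binary and maps the output to a verdict, so the result can be collected from many systems without eyeballing terminal output.

```bash
#!/bin/sh
# Added example, not from the original post: wraps the thread's "busted" probe
# in functions that report whether a shell imports function definitions from
# environment variables (the behaviour behind the original Shellshock bug).

# classify_output OUTPUT: map the raw probe output to a verdict string.
#   "busted" present        -> vulnerable   (the env var was parsed as a function)
#   only "completed" present -> not vulnerable
#   anything else            -> unknown     (shell missing, crashed, or odd output)
classify_output() {
    case "$1" in
        *busted*)    echo "vulnerable" ;;
        *completed*) echo "not vulnerable" ;;
        *)           echo "unknown" ;;
    esac
}

# probe_shell SHELL_PATH: run the probe from the thread against SHELL_PATH.
# The variable X carries a function-like value followed by an extra command;
# a patched bash (or a non-bash shell) treats X as a plain string and only
# "completed" is printed.
probe_shell() {
    shell="${1:-/bin/sh}"
    [ -x "$shell" ] || { echo "unknown"; return; }
    out=$(env X="() { :;} ; echo busted" "$shell" -c "echo completed" 2>/dev/null)
    classify_output "$out"
}

# check_shells: probe /bin/sh and the first bash on PATH, one line per shell,
# in a "path: verdict" form that is easy to collect centrally.
check_shells() {
    for s in /bin/sh "$(command -v bash 2>/dev/null)"; do
        [ -n "$s" ] || continue
        printf '%s: %s\n' "$s" "$(probe_shell "$s")"
    done
}

check_shells
```

A "not vulnerable" verdict from this probe only covers the original environment-import bug that the thread's one-liners test; further Shellshock variants were disclosed after the first patch, so the vendor advisory and the distribution's package version remain the authoritative source for whether a host is fully patched.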

Richard Mitchell Fri, 09/26/2014 - 08:10
Cisco has officially issued an advisory update:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash

Vulnerable products include:

  • Cisco Telepresence endpoints (C series, EX series, MX series, MXG2 series, SX series) and the 10" touch panel [CSCur02591]

Voice and Unified Communications Devices

  • Cisco Unified Communications Manager (UCM) 10.0 [CSCur00930]
  • Cisco Unified Communications Manager Session Management Edition (SME) [CSCur00930]

Video, Streaming, TelePresence, and Transcoding Devices

  • Cisco TelePresence Video Communication Server (VCS/Expressway) [CSCur01461]
  • Cisco TelePresence Conductor [CSCur02103]

Still not seeing the DMS products including MXE, DMM, and SNS.

RIA_av2012 Fri, 09/26/2014 - 12:32
Outstanding info, thanks for your hard work!

I'm still pretty green, can you help me out - we have some older Tandberg devices (mostly MXP endpoints and an MPS 800), and the CISCO update gives no information one way or another. Are you aware if they are affected? If not, any idea how I can determine this on my systems?

Thanks!

Jens Didriksen Fri, 09/26/2014 - 17:28
Don't know about the MPS800; however, all products known to be affected by this will be listed by Cisco. They also normally list all products confirmed not to be vulnerable, i.e. see the security advisory re Heartbleed.

As far as the MXPs go, they should not be affected as they run eCos, but check the security bulletins as they get updated, as Cisco will release software patches for the affected systems.

/jens

Please rate replies and mark question(s) as "answered" if applicable.

Douglas Baggett Tue, 09/30/2014 - 12:10
Yup. MXP-based codecs are vulnerable.

Video, Streaming, TelePresence, and Transcoding Devices

  • Cisco DCM Series 9900-Digital Content Manager [CSCur02624]
  • Cisco Edge 300 Digital Media Player [CSCur02761]
  • Cisco Edge 340 Digital Media Player [CSCur02751]
  • Cisco Show and Share [CSCur03539]
  • Cisco TelePresence Conductor [CSCur02103]
  • Cisco TelePresence Content Server (TCS) [CSCur05150]
  • Cisco TelePresence IP Gateway Series [CSCur04984]
  • Cisco TelePresence IP VCR Series [CSCur04993]
  • Cisco TelePresence ISDN GW 3241 [CSCur05010]
  • Cisco TelePresence ISDN GW MSE 8321 [CSCur05010]
  • Cisco TelePresence ISDN Link [CSCur05025]
  • Cisco TelePresence MCU (8510, 8420, 4200, 4500 and 5300) [CSCur05050]
  • Cisco TelePresence MXP Software [CSCur05095]
  • Cisco TelePresence Management Suite Extension for IBM [CSCur05217]
  • Cisco TelePresence Manager (CTSMan) [CSCur05104]
  • Cisco TelePresence Recording Server (CTRS) [CSCur05038]
  • Cisco TelePresence Serial Gateway Series [CSCur05110]
  • Cisco TelePresence Server 8710, 7010 [CSCur05172]
  • Cisco TelePresence Server on Multiparty Media 310, 320 [CSCur05172]
  • Cisco TelePresence Server on Virtual Machine [CSCur05172]
  • Cisco TelePresence Supervisor MSE 8050 [CSCur05073]
  • Cisco TelePresence TE Software (for E20 - EoL) [CSCur05162]
  • Cisco TelePresence Video Communication Server (VCS/Expressway) [CSCur01461]
  • Cisco TelePresence endpoints (C series, EX series, MX series, MXG2 series, SX series) and the 10" touch panel [CSCur02591]
  • Cisco Video Distribution Suite for Internet Streaming VDS-IS [CSCur05320]
  • Tandberg Codian ISDN GW 3210/3220/3240 [CSCur05010]
  • Tandberg Codian MSE 8320 model [CSCur05010]

Wayne DeNardi Tue, 09/30/2014 - 18:04

That might be an old list you're posting - the latest update of the Security Advisory confirms that the "Cisco TelePresence MXP Software" is Not Vulnerable.

Wayne
--
Please remember to rate responses and to mark your question as answered if appropriate.

Douglas Baggett Tue, 10/28/2014 - 10:43
That's a good thing, because I seriously doubt CISCO will patch older MXP systems for Shellshock. 

Patrick Sparkman Tue, 10/28/2014 - 12:06
You'd have to check the various end-of-sale/life announcements for the MXP systems you have. Look for the "End of Vulnerability/Security Support: HW" section; it will list the last date Cisco will release patches for vulnerabilities such as this.

Wayne DeNardi Tue, 10/28/2014 - 17:19
The older MXP devices don't run a Linux back end like the newer devices; they're based on eCos, so they won't experience a lot of the same issues.

Wayne
--
Please remember to rate responses and to mark your question as answered if appropriate.

pbo813210 Sun, 09/28/2014 - 06:27
Regarding [CSCur02591], I found interesting information in the licensing guides. bash version 4.1.7 was implemented in TC5 and bash version 4.2 in TC6.x and TC7.x. So I think it is necessary to update the affected TC Software Version. All TC versions seem to be affected.
