Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

New BASH ShellShock Security Bug - bigger than Heartbleed!

Woke up this morning to this: http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/

A bug discovered in the widely used Bash command interpreter poses a critical security risk to Unix and Linux systems.

You can check if you're vulnerable by running the following lines in your default shell, which on many systems will be Bash. If you see the words "busted", then you're at risk. If not, then either your Bash is fixed or your shell is using another interpreter.

env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
env X="() { :;} ; echo busted" `which bash` -c "echo completed"

Scanned systems internally and found the following were affected:

  • Cisco VCS devices (x7 and x8)
  • Cisco MXE 3500
  • Cisco DMM and SNS (assuming since running Red Hat Enterprise but unable to verify)
  • Jabber Guest
  • TCS Endpoints (6 or below have been verified, unable to verify 7 but assume vulnerable)
  • Cisco Conductor

 

Cisco has also just posted a security advisory:

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=4689&signatureSubId=0&softwareVersion=6.0&releaseVersion=S824

 

11 REPLIES
Community Member

Cisco has officially issued

Cisco has officially issued an advisory update:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash

 

Vulnerable products include:

  • Cisco Telepresence endpoints (C series, EX series, MX series, MXG2 series, SX series) and the 10" touch panel [CSCur02591]

 

Voice and Unified Communications Devices

  • Cisco Unified Communications Manager (UCM) 10.0 [CSCur00930]
  • Cisco Unified Communications Manager Session Management Edition (SME) [CSCur00930]

 

Video, Streaming, TelePresence, and Transcoding Devices

  • Cisco TelePresence Video Communication Server (VCS/Expressway) [CSCur01461]
  • Cisco TelePresence Conductor [CSCur02103]

 

Still not seeing the DMS products including MXE, DMM, and SNS.

Community Member

Outstanding info, thanks for

Outstanding info, thanks for your hard work!

I'm still pretty green, can you help me out - we have some older Tandberg devices (mostly MXP endpoints and an MPS 800), and the CISCO update gives no information one way or another. Are you aware if they are affected? If not, any idea how I can determine this on my systems?

 

Thanks!

Don't know about the MPS800,

Don't know about the MPS800, however, all products known to be affected by this will be listed by Cisco, they also normally list all products confirmed not to be vulnerable, i.e. see the security advise re heartbleed.

As far as the MXPs go, they should be not affected as they run Ecos - but check the security bulletins as they get updated as Cisco will release software patches for the affected systems.

/jens

Please rate replies and mark question(s) as "answered: if applicable.

Please rate replies and mark question(s) as "answered" if applicable.
Community Member

Yup. MXP based Codecs are

Yup. MXP based Codecs are vulnerable.

 

 

 

Video, Streaming, TelePresence, and Transcoding Devices

  • Cisco DCM Series 9900-Digital Content Manager [CSCur02624]
  • Cisco Edge 300 Digital Media Player [CSCur02761]
  • Cisco Edge 340 Digital Media Player [CSCur02751]
  • Cisco Show and Share [CSCur03539]
  • Cisco TelePresence Conductor [CSCur02103]
  • Cisco TelePresence Content Server (TCS) [CSCur05150]
  • Cisco TelePresence IP Gateway Series [CSCur04984]
  • Cisco TelePresence IP VCR Series [CSCur04993]
  • Cisco TelePresence ISDN GW 3241 [CSCur05010]
  • Cisco TelePresence ISDN GW MSE 8321 [CSCur05010]
  • Cisco TelePresence ISDN Link [CSCur05025]
  • Cisco TelePresence MCU (8510, 8420, 4200, 4500 and 5300) [CSCur05050]
  • Cisco TelePresence MXP Software [CSCur05095]
  • Cisco TelePresence Management Suite Extension for IBM [CSCur05217]
  • Cisco TelePresence Manager (CTSMan) [CSCur05104]
  • Cisco TelePresence Recording Server (CTRS) [CSCur05038]
  • Cisco TelePresence Serial Gateway Series [CSCur05110]
  • Cisco TelePresence Server 8710, 7010 [CSCur05172]
  • Cisco TelePresence Server on Multiparty Media 310, 320 [CSCur05172]
  • Cisco TelePresence Server on Virtual Machine [CSCur05172]
  • Cisco TelePresence Supervisor MSE 8050 [CSCur05073]
  • Cisco TelePresence TE Software (for E20 - EoL) [CSCur05162]
  • Cisco TelePresence Video Communication Server (VCS/Expressway) [CSCur01461]
  • Cisco TelePresence endpoints (C series, EX series, MX series, MXG2 series, SX series) and the 10" touch panel [CSCur02591]
  • Cisco Video Distribution Suite for Internet Streaming VDS-IS [CSCur05320]
  • Tandberg Codian ISDN GW 3210/3220/3240 [CSCur05010]
  • Tandberg Codian MSE 8320 model [CSCur05010]

CSCur05095 for the MXP codecs

CSCur05095 for the MXP codecs is not publicly viewable yet.

Fix is available for the VCS:

Fix is available for the VCS: x7.2.4, x8.1.2, x8.2.2 - all available for download from Cisco:

https://tools.cisco.com/bugsearch/bug/CSCur01461

/jens

Please rate replies and mark question(s) as "answered" if applicable.

Please rate replies and mark question(s) as "answered" if applicable.
VIP Purple

That might be an old list you

That might be an old list you're posting - the latest update of the Secuirty Advisory confirms that the 'Cisco TelePresence MXP Software" is Not Vulnerable.

Wayne
--
Please remember to rate responses and to mark your question as answered if appropriate.

Wayne
--
Please remember to rate responses and to mark your question as answered if appropriate.
Community Member

That's a good thing, because

That's a good thing, because I seriously doubt CISCO will patch older MXP systems for Shellshock. 

VIP Super Bronze

You'd have to check the

You'd have to check the various end-of-sale/life announcements for the MXP systems you have.  Look for the "End of Vulnerability/Security Support:
HW" section, it will list the last date Cisco will release patches for vulnerabilities such as this.

VIP Purple

The older MXP devices don't

The older MXP devices don't run a linux back end like the newer devices, they're based on eCos, so won't experience a lot of the same issues.

Wayne
--
Please remember to rate responses and to mark your question as answered if appropriate.

Wayne
--
Please remember to rate responses and to mark your question as answered if appropriate.
Community Member

Regarding [CSCur02591] I

Regarding [CSCur02591] I found interresting information in the licensing guides. bash version 4.1.7 was implemented in TC5 and bash version 4.2 in TC6.x and TC7.x. So I think it is necessary to update the affected TC Software Version. All TC Version seems to be  affected.

13225
Views
9
Helpful
11
Replies
CreatePlease to create content