
New BASH ShellShock Security Bug - bigger than Heartbleed!

Richard Mitchell
Beginner

Woke up this morning to this: http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/

A bug discovered in the widely used Bash command interpreter poses a critical security risk to Unix and Linux systems.

You can check if you're vulnerable by running the following lines in your default shell, which on many systems will be Bash. If you see the words "busted", then you're at risk. If not, then either your Bash is fixed or your shell is using another interpreter.

env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
env X="() { :;} ; echo busted" `which bash` -c "echo completed"

Scanned systems internally and found the following were affected:

  • Cisco VCS devices (x7 and x8)
  • Cisco MXE 3500
  • Cisco DMM and SNS (assuming since running Red Hat Enterprise but unable to verify)
  • Jabber Guest
  • TCS Endpoints (6 or below have been verified, unable to verify 7 but assume vulnerable)
  • Cisco Conductor


Cisco has also just posted a security advisory:

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=4689&signatureSubId=0&softwareVersion=6.0&releaseVersion=S824
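An added example (not from the original post or from Cisco): the env-based self-test above wrapped in a POSIX sh function that reports one of three states per interpreter, so it can be run over an inventory of shell paths rather than typed one line at a time. The interpreter list in check_all is an assumption; adjust it to the hosts being audited.

```shell
#!/bin/sh
# Added example, not from the original post. Wraps the post's self-test:
# a vulnerable Bash imports the exported variable X as a function and keeps
# executing past the closing brace ("echo busted"); a fixed Bash stops at the
# brace and only the -c command ("echo completed") runs.

# shellshock_check PATH -> prints missing | vulnerable | patched | unknown
# exit status: 0 patched, 1 vulnerable, 2 missing, 3 unknown
shellshock_check() {
    interp="$1"
    # Without an executable at that path we can neither confirm nor rule out
    # the bug, so report it separately instead of treating it as "safe".
    if [ ! -x "$interp" ]; then
        echo "missing"
        return 2
    fi
    # stderr is discarded: a patched Bash prints a warning about ignoring the
    # function definition attempt, which is noise for this check.
    out=$(env X='() { :;} ; echo busted' "$interp" -c 'echo completed' 2>/dev/null || :)
    case "$out" in
        *busted*)    echo "vulnerable"; return 1 ;;
        *completed*) echo "patched";    return 0 ;;
        *)           echo "unknown";    return 3 ;;
    esac
}

# check_all -> prints one line per interpreter; returns 1 if any is vulnerable.
# The paths below are assumed; /bin/sh is included because on many systems
# it is Bash itself, which is the case the post's first line tests.
check_all() {
    rc=0
    for i in /bin/sh /bin/bash /usr/local/bin/bash; do
        status=$(shellshock_check "$i" || :)
        printf '%-22s %s\n' "$i" "$status"
        [ "$status" = "vulnerable" ] && rc=1
    done
    return $rc
}

check_all
```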


11 Replies

Richard Mitchell
Beginner

Cisco has officially issued an advisory update:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash


Vulnerable products include:

  • Cisco Telepresence endpoints (C series, EX series, MX series, MXG2 series, SX series) and the 10" touch panel [CSCur02591]


Voice and Unified Communications Devices

  • Cisco Unified Communications Manager (UCM) 10.0 [CSCur00930]
  • Cisco Unified Communications Manager Session Management Edition (SME) [CSCur00930]


Video, Streaming, TelePresence, and Transcoding Devices