09-25-2014 07:57 AM - edited 03-18-2019 03:27 AM
Woke up this morning to this: http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/
A bug discovered in the widely used Bash command interpreter poses a critical security risk to Unix and Linux systems.
You can check if you're vulnerable by running the following lines in your default shell, which on many systems will be Bash. If you see the word "busted", then you're at risk. If not, then either your Bash is fixed or your shell is using another interpreter.
env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
env X="() { :;} ; echo busted" `which bash` -c "echo completed"
Scanned systems internally and found the following were affected:
Cisco has also just posted a security advisory:
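The check from the opening post, extended into an audit of every shell listed in /etc/shells. This is an added example, not part of the original thread; the function names check_shell and audit_shells are made up for this illustration, and /etc/shells is assumed to list the installed login shells.

```shell
#!/bin/sh
# Added example: run the thread's probe against each installed shell.

# check_shell PATH
# Prints "vulnerable", "not-vulnerable" or "not-runnable".
# Returns 0 only when the shell ran the probe and did not print "busted".
check_shell() {
    shell_path=$1
    [ -x "$shell_path" ] || { echo "not-runnable"; return 2; }
    # Same probe as in the post: X holds a function definition followed by
    # a trailing command. An affected shell runs the trailing command on startup.
    out=$(env X='() { :;} ; echo busted' "$shell_path" -c 'echo completed' \
          2>/dev/null </dev/null) || true
    case $out in
        *busted*)    echo "vulnerable";     return 1 ;;
        *completed*) echo "not-vulnerable"; return 0 ;;
        *)           echo "not-runnable";   return 2 ;;
    esac
}

# audit_shells [LISTFILE]
# Prints one "path: verdict" line per entry in LISTFILE (default /etc/shells).
# Returns 1 if any entry is vulnerable, 2 if the list cannot be read, else 0.
audit_shells() {
    list=${1:-/etc/shells}
    [ -r "$list" ] || { echo "cannot read $list" >&2; return 2; }
    rc=0
    while IFS= read -r candidate || [ -n "$candidate" ]; do
        # Skip blank lines and comments in the list file.
        case $candidate in ''|'#'*) continue ;; esac
        verdict=$(check_shell "$candidate") || true
        echo "$candidate: $verdict"
        if [ "$verdict" = "vulnerable" ]; then rc=1; fi
    done < "$list"
    return $rc
}
```

Source the file and call `audit_shells`; a non-zero return means at least one listed shell still needs the vendor's fix.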
09-26-2014 08:10 AM
Cisco has officially issued an advisory update:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
Vulnerable products include:
Voice and Unified Communications Devices
Video, Streaming, TelePresence, and Transcoding Devices
Still not seeing the DMS products including MXE, DMM, and SNS.
09-26-2014 12:32 PM
Outstanding info, thanks for your hard work!
I'm still pretty green, can you help me out - we have some older Tandberg devices (mostly MXP endpoints and an MPS 800), and the CISCO update gives no information one way or another. Are you aware if they are affected? If not, any idea how I can determine this on my systems?
Thanks!
09-26-2014 05:28 PM
Don't know about the MPS800; however, all products known to be affected by this will be listed by Cisco. They also normally list all products confirmed not to be vulnerable, i.e. see the security advisory re Heartbleed.
As far as the MXPs go, they should not be affected as they run eCos - but check the security bulletins as they get updated, as Cisco will release software patches for the affected systems.
/jens
Please rate replies and mark question(s) as "answered" if applicable.
09-30-2014 12:10 PM
Yup. MXP based Codecs are vulnerable.
Video, Streaming, TelePresence, and Transcoding Devices
09-30-2014 01:29 PM
CSCur05095 for the MXP codecs is not publicly viewable yet.
10-05-2014 08:17 PM
Fix is available for the VCS: x7.2.4, x8.1.2, x8.2.2 - all available for download from Cisco:
https://tools.cisco.com/bugsearch/bug/CSCur01461
/jens
Please rate replies and mark question(s) as "answered" if applicable.
09-30-2014 06:04 PM
That might be an old list you're posting - the latest update of the Security Advisory confirms that the "Cisco TelePresence MXP Software" is Not Vulnerable.
Wayne
--
Please remember to rate responses and to mark your question as answered if appropriate.
10-28-2014 10:43 AM
That's a good thing, because I seriously doubt CISCO will patch older MXP systems for Shellshock.
10-28-2014 12:06 PM
You'd have to check the various end-of-sale/life announcements for the MXP systems you have. Look for the "End of Vulnerability/Security Support: HW" section, it will list the last date Cisco will release patches for vulnerabilities such as this.
10-28-2014 05:19 PM
The older MXP devices don't run a Linux back end like the newer devices, they're based on eCos, so won't experience a lot of the same issues.
Wayne
--
Please remember to rate responses and to mark your question as answered if appropriate.
09-28-2014 06:27 AM
Regarding [CSCur02591] I found interesting information in the licensing guides. bash version 4.1.7 was implemented in TC5 and bash version 4.2 in TC6.x and TC7.x. So I think it is necessary to update the affected TC Software Version. All TC versions seem to be affected.