09-25-2014 07:57 AM - edited 03-18-2019 03:27 AM
Woke up this morning to this: http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/
A bug discovered in the widely used Bash command interpreter poses a critical security risk to Unix and Linux systems.
You can check if you're vulnerable by running the following lines in your default shell, which on many systems will be Bash. If you see the word "busted", then you're at risk. If not, then either your Bash is fixed or your shell is using another interpreter.
env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
env X="() { :;} ; echo busted" `which bash` -c "echo completed"
Scanned systems internally and found the following were affected:
Cisco has also just posted a security advisory:
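An added example, not part of the original post or of Cisco's advisory: a POSIX shell script that runs the same harmless probe against every shell listed in /etc/shells and records which ones are actually Bash, since a clean result from /bin/sh says nothing when /bin/sh is not Bash. The function names and the tab-separated output format are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: per-shell version of the "busted" probe quoted above.
# Function names and output layout are hypothetical, chosen for this sketch.

# probe_shell PATH -> prints vulnerable | not-vulnerable | missing | unknown
probe_shell() {
    shell_path=$1
    [ -x "$shell_path" ] || { echo "missing"; return 0; }
    # An unpatched Bash runs the text after the function body while importing
    # X from the environment; a patched Bash or a non-Bash shell ignores it.
    out=$(env X='() { :;} ; echo busted' "$shell_path" -c 'echo completed' \
          2>/dev/null </dev/null) || true
    case $out in
        *busted*)    echo "vulnerable" ;;
        *completed*) echo "not-vulnerable" ;;
        *)           echo "unknown" ;;   # binary did not act like a shell
    esac
}

# is_bash PATH -> exit status 0 if the binary identifies itself as GNU Bash
is_bash() {
    "$1" --version 2>/dev/null </dev/null | grep -qi 'GNU bash'
}

# audit_shells [FILE] -> one "path<TAB>kind<TAB>result" line per listed shell.
# FILE uses the /etc/shells format: one path per line, '#' starts a comment.
audit_shells() {
    list=${1:-/etc/shells}
    [ -r "$list" ] || return 0
    grep -v '^[[:space:]]*#' "$list" | while read -r sh_path; do
        [ -n "$sh_path" ] || continue
        kind=other
        is_bash "$sh_path" && kind=bash
        printf '%s\t%s\t%s\n' "$sh_path" "$kind" "$(probe_shell "$sh_path")"
    done
}

audit_shells "${1:-/etc/shells}"
```

A line reading "other" and "not-vulnerable" only means that binary is not Bash; any copy of Bash reported as "vulnerable" still needs the vendor's fix.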
09-26-2014 08:10 AM
Cisco has officially issued an advisory update:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
Vulnerable products include:
Voice and Unified Communications Devices
Video, Streaming, TelePresence, and Transcoding Devices
Still not seeing the DMS products including MXE, DMM, and SNS.
09-26-2014 12:32 PM
Outstanding info, thanks for your hard work!
I'm still pretty green, can you help me out - we have some older Tandberg devices (mostly MXP endpoints and an MPS 800), and the CISCO update gives no information one way or another. Are you aware if they are affected? If not, any idea how I can determine this on my systems?
Thanks!
09-26-2014 05:28 PM
Don't know about the MPS800; however, all products known to be affected by this will be listed by Cisco. They also normally list all products confirmed not to be vulnerable, i.e. see the security advisory re Heartbleed.
As far as the MXPs go, they should not be affected as they run eCos - but check the security bulletins as they get updated, as Cisco will release software patches for the affected systems.
/jens
Please rate replies and mark question(s) as "answered" if applicable.
09-30-2014 12:10 PM
Yup. MXP based Codecs are vulnerable.
Video, Streaming, TelePresence, and Transcoding Devices
09-30-2014 01:29 PM
CSCur05095 for the MXP codecs is not publicly viewable yet.
10-05-2014 08:17 PM
Fix is available for the VCS: x7.2.4, x8.1.2, x8.2.2 - all available for download from Cisco:
https://tools.cisco.com/bugsearch/bug/CSCur01461
/jens
09-30-2014 06:04 PM
That might be an old list you're posting - the latest update of the Security Advisory confirms that the "Cisco TelePresence MXP Software" is Not Vulnerable.
Wayne
--
Please remember to rate responses and to mark your question as answered if appropriate.
Please remember to mark helpful responses and to set your question as answered if appropriate.
10-28-2014 10:43 AM
That's a good thing, because I seriously doubt CISCO will patch older MXP systems for Shellshock.
10-28-2014 12:06 PM
You'd have to check the various end-of-sale/life announcements for the MXP systems you have. Look for the "End of Vulnerability/Security Support: HW" section; it will list the last date Cisco will release patches for vulnerabilities such as this.
10-28-2014 05:19 PM
The older MXP devices don't run a Linux back end like the newer devices; they're based on eCos, so won't experience a lot of the same issues.
Wayne
09-28-2014 06:27 AM
Regarding [CSCur02591], I found interesting information in the licensing guides. bash version 4.1.7 was implemented in TC5 and bash version 4.2 in TC6.x and TC7.x. So I think it is necessary to update the affected TC software version. All TC versions seem to be affected.