Shellshock Bash Vulnerability - No Impact to Corero Products
In light of the recently discovered Linux, BSD, and UNIX related security flaw known as ‘Shellshock’ (GNU Bourne Again Shell (Bash) vulnerability, CVE-2014-7169 and CVE-2014-6271), Corero Network Security offers the following advisory:
The vulnerability known as ‘Shellshock’ has been reported in the GNU Bourne Again Shell (Bash), the common command-line shell used in most Linux/UNIX operating systems and Apple’s Mac OS X. The flaw could allow an attacker to execute arbitrary commands via specially crafted environment variables that are used by the operating system. Immediately after learning of the Shellshock vulnerability, Corero conducted a review of its actively supported security products. Our current assessment of these products shows there is no risk of remote code execution, even though some products include bash. As a precaution, bash in these products will be upgraded.
Corero Products with bash, but not affected by remote exploitation risks:
- SmartWall Network Threat Defense System appliances
- SmartWall Network Bypass appliances
- SmartWall Network Forensics appliances
- Corero Management Server
Corero Products not affected:
- DDoS Defense System 5500 series appliances
- IPS 5500 series appliances
- IDSB 3500 and 4500 series appliances
- IPS Controller Management software
- SecureWatch Analytics software
At this time, we have completed our systematic review and have determined that Corero security products deployed as intended do not exhibit the Shellshock vulnerability. We continue to review our security posture with regard to this recent vulnerability and will provide updates as necessary.
Additionally, Corero has issued the following advisory for its customers on how they can protect non-Corero products in their infrastructure against remote exploitation of Shellshock. Corero DDS and IPS 5500 series customers will need to apply protection pack 2014-09-26-01 to protect against Shellshock exploits targeting their environment.
Please view the latest Corero Advisory for Vulnerability Identifier CVE-2014-6271 at https://www.corero.com/support/security-advisories.html
If you have any questions or concerns, please contact Corero Customer Services: 978.212.1500 -> Option 2 or email: email@example.com.