ShellShock – Which of our vendors are affected?

On September 24 a new vulnerability in bash became public. “New” is only partly accurate – this vulnerability has existed for decades… Here are a few links with further information.

Which of our vendors are affected by this vulnerability?

PaloAltoNetworks:

Products Affected:

  • All versions of PAN-OS / Panorama – but only with ssh authenticated users

Available Updates:

  • Normally scheduled PAN-OS maintenance release updates will provide a fix for the vulnerability

Workarounds and Mitigations:

  • This attack is mitigated by the fact that a successful attack can only be performed by authenticated ssh PAN-OS users. As an additional mitigation, administrators can disable SSH access on any/all management interfaces configured on the device.

Advisory:

IPS Updates:

  • Emergency Content Release 458 with updates for CVE-2014-6271 and CVE-2014-7169 has already been released

Fortinet

Products Affected:

  • FortiGate
    Fortinet will issue an official statement on that, but according to FortiGuard’s early testing, we may confidently say that FortiGates are not vulnerable.
  • FortiAnalyzer (versions 5.0.X and 5.2.0) – authentication required to exploit
    This vulnerability will be fixed in an upcoming patch of FortiAnalyzer.
  • FortiAuthenticator – authentication required to exploit
    This vulnerability will be fixed in an upcoming patch of FortiAuthenticator.
  • FortiDB
    This vulnerability will be fixed in an upcoming patch of FortiDB.
  • FortiManager (versions 4.3, 5.0.X and 5.2.0) – authentication required to exploit
    This vulnerability will be fixed in an upcoming patch of FortiManager.
  • AscenLink v7.X
    This vulnerability will be fixed in an upcoming patch of AscenLink.

Advisory:

Workarounds:

  • FortiGate customers may apply the IPS signature “Bash.Function.Definitions.Remote.Code.Execution” to protect systems accessible through a FortiGate. This IPS signature is available in the 5.552 IPS update, which will be deployed via FDS on the afternoon of September 25th.

Watchguard:

Products Affected:

  • All Firebox and XTM models are not affected. The Fireware operating system is hardened to remove any unnecessary features, and does not include a Bash shell. WatchGuard Wireless Access Points, SSL 100 and 560, XCS, and QMS also do not include or install Bash. They are not vulnerable. The Linux distribution included in WatchGuard Dimension includes bash, but the exposure to this vulnerability is low since Dimension does not use AcceptEnv or CGI. Nevertheless, Dimension automatically downloads security updates for its Linux components. Just make sure that you don’t have any upstream firewall that blocks access to security.ubuntu.com and archive.ubuntu.com.

Available Updates:

  • Only for Dimension Users: Download and deploy patches from your vendors immediately.
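For a Linux host that patches itself, such as Dimension, the question remains whether the fixed bash actually landed. The script below is an added example, not code from this post or from any of the vendors: it runs the published self-tests for CVE-2014-6271 and CVE-2014-7169 against a bash binary, and it checks an sshd_config for an active AcceptEnv line, the setting the WatchGuard note refers to. The function names and the sample config are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the post or any vendor advisory).
# Hypothetical helper names; $1 is the bash binary to probe, default "bash".

# Prints "no-bash", "not-vulnerable", or "vulnerable-<CVE>".
shellshock_check() {
  bash_bin="${1:-bash}"
  command -v "$bash_bin" >/dev/null 2>&1 || { echo "no-bash"; return 0; }

  # CVE-2014-6271: commands trailing a function definition in an environment
  # variable must not run when the child bash imports that variable.
  out=$(env x='() { :;}; echo VULNERABLE' "$bash_bin" -c 'echo probe' 2>/dev/null)
  case "$out" in
    *VULNERABLE*) echo "vulnerable-CVE-2014-6271"; return 0 ;;
  esac

  # CVE-2014-7169: the first fix left a parser bug; on an unpatched bash the
  # probe turns 'echo date' into a redirection and creates a file named "echo"
  # in the working directory. Run it in a scratch directory and look for it.
  tmp=$(mktemp -d) || return 1
  ( cd "$tmp" && env X='() { (a)=>\' "$bash_bin" -c 'echo date' >/dev/null 2>&1 )
  if [ -e "$tmp/echo" ]; then
    rm -rf "$tmp"; echo "vulnerable-CVE-2014-7169"; return 0
  fi
  rm -rf "$tmp"
  echo "not-vulnerable"
}

# Reads sshd_config text on stdin; prints "yes" if an active (uncommented)
# AcceptEnv directive exists, otherwise "no". sshd keywords are case-insensitive.
sshd_acceptenv_enabled() {
  if grep -Eiq '^[[:space:]]*AcceptEnv[[:space:]]'; then echo "yes"; else echo "no"; fi
}

# Constructed sample config for a stand-alone run; on a real host use
#   sshd_acceptenv_enabled < /etc/ssh/sshd_config
SAMPLE_SSHD_CONFIG='Port 22
# AcceptEnv LANG LC_*
PermitRootLogin no'

echo "bash: $(shellshock_check)"
echo "AcceptEnv active in sample config: $(printf '%s\n' "$SAMPLE_SSHD_CONFIG" | sshd_acceptenv_enabled)"
```

A result other than "not-vulnerable" on a self-updating appliance means the update path (for Dimension, security.ubuntu.com and archive.ubuntu.com) is worth checking before anything else.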

Advisory:

IPS Updates:

  • The WatchGuard IPS signature team has developed and released a signature to identify exploits of the Bash vulnerability. It is included in signature set 4.454. If your Firebox and XTM appliances are configured to receive automatic updates, you will get the new signature.

Seppmail:

Products Affected:

  • SEPPmail is not affected by the so-called “ShellShock vulnerability” (CVE-2014-7169, CVE-2014-6271).

Corero:

Products Affected:

  • Shellshock Bash Vulnerability – No Impact to Corero Products

Advisory:

A10 Networks:

Products Affected:

  • A10 Thunder, AX, ID, and EX Series products

The A10 Thunder, AX, ID, and EX Series products include the GNU Bash shell and are therefore vulnerable to the Shellshock Bash bug. A10 Networks has not been able to replicate this condition remotely with A10 Thunder, AX, ID, or EX Series products. However, we are still researching several corner cases and we will update this advisory as we have new information. However, local exploitation is possible and we will be, therefore, providing patches to address this issue.

Advisory:
