Am 24. September ist eine neue Schwachstelle von bash bekannt geworden. „Neu“ ist dabei nur bedingt richtig – diese Schwachstelle existiert seit Jahrzehnten… Hier ein paar Links mit weiteren Infos.
Welche unserer Hersteller sind von dieser Schwachstelle betroffen.
- All versions of PAN-OS / Panorama – but only with ssh authenticated users
- Normally scheduled PAN-OS maintenance release updates will provide a fix for the vulnerability
Workarounds and Mitigations:
- This attack is mitigated by the fact that successful attack can only be performed by authenticated ssh PAN-OS users. As an additional mitigation, administrators can disable SSH access on any/all management interfaces configured on the device.
- Emergency Emergency Content Release 458 for CVE-2014-6271 Update and CVE-2014-7169 were already released
Fortinet will issue an official statement on that, but according to FortiGuard’s early testing, we may confidently say that FortiGates are not vulnerable.
- FortiAnalyzer (versions 5.0.X and 5.2.0) – authentication required to exploit
This vulnerability will be fixed in an upcoming patch of FortiAnalyzer.
- FortiAuthenticator – authentication required to exploit
This vulnerability will be fixed in an upcoming patch of FortiAuthenticator.
This vulnerability will be fixed in an upcoming patch of FortiDB.
- FortiManager (versions 4.3, 5.0.X and 5.2.0) – authentication required to exploit
This vulnerability will be fixed in an upcoming patch of FortiManager.
- AscenLink v7.X
This vulnerability will be fixed in an upcoming patch of AscenLink.
- FortiGate customers may apply the IPS signature „Bash.Function.Definitions.Remote.Code.Execution“ to protect systems accessible through a FortiGate. This IPS signature is available in the 5.552 IPS update, which will be deployed via FDS on the afternoon of September 25th.
- All Firebox and XTM models are not affected. The Fireware operating system is hardened to remove any unnecessary features, and does not include a Bash shell. WatchGuard Wireless Access Points, SSL 100 and 560, XCS, and QMS also do not include or install Bash. They are not vulnerable.The Linux distribution included in WatchGuard Dimension includes bash, but the exposure to this vulnerability is low since Dimension does not use AcceptEnv or CGI. Nevertheless Dimension automatically downloads security updates for its Linux components. Just make sure that you don’t have any upstream firewall that blocks access to security.ubuntu.com and archive.ubuntu.com.
- Only for Dimension Users: Download and deploy patches from your vendors immediately.
- The WatchGuard IPS signature team has developed and released a signature to identify exploits of the Bash vulnerability. It is included in signature set 4.454. If your Firebox and XTM appliances are configured to receive automatic updates, you will get the new signature.
- SEPPmail is not affected by the so-called “ShellShock vulnerability” (CVE-2014-7169, CVE-2014-6271).
- Shellshock Bash Vulnerability – No Impact to Corero Products
- A10 Thunder, AX, ID, and EX Series products
The A10 Thunder, AX, ID, and EX Series products include the GNU Bash shell and are therefore vulnerable to the Shellshock Bash bug. A10 Networks has not been able to replicate this condition remotely with A10 Thunder, AX, ID, or EX Series products. However, we are still researching several corner cases and we will update this advisory as we have new information. However, local exploitation is possible and we will be, therefore, providing patches to address this issue.