SA82 : GNU Bash Shellshock Command Injection Vulnerabilities

Management Center - VA

2 more products

1302

04 May 2021

25 September 2014

CLOSED

HIGH

CVSS v2: 10.0

SUMMARY

Blue Coat products using GNU Bash are vulnerable command injection flaws.  A remote attacker may exploit the flaws to execute arbitrary code with elevated privileges or cause a denial of service.

AFFECTED PRODUCTS

The following products are vulnerable:

Content Analysis System
CAS 1.1 and 1.2 prior to 1.2.1.3 are vulnerable.  CAS 1.3 and later releases are not vulnerable.

Director
Director 6.1 prior to 6.1.15.1, Director 5.x, and all previous versions are vulnerable.

Malware Analysis Appliance
MAA 1.1.x and 4.1.x are vulnerable.  MAA 4.2 is not vulnerable.

Malware Analyzer G2
All versions of MAG2 are vulnerable.

Management Center
Management Center 1.1, and 1.2 prior to 1.2.1.1 are vulnerable.  MC 1.3 and later releases are not vulnerable.

Norman Shark Industrial Control System Protection
All versions of ICSP prior to 5.3 are vulnerable.

Norman Shark Network Protection
All versions of NNP prior to 5.3 are vulnerable.

Norman Shark SCADA Protection
All versions of NSP prior to 5.3 are vulnerable.

Reporter
Reporter's ISO version (virtualized Reporter) 9.4 is vulnerable.  Reporter 9.x for Windows and Linux are not vulnerable.  Reporter 10.1 and later releases not vulnerable.

Security Analytics Platform
SA 6.x prior to 6.6.10, 7.0, and 7.1 prior to 7.1.5 are vulnerable.  SA 7.2 and later releases are not vulnerable.

X-Series XOS
All verions of XOS are vulnerable.  In order to exploit the vulnerabilities, an attacker must have a valid SSH login.  Hence, the CVSS v2 base score for XOS is 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C).

Patches

Fixes provided below address CVE-2014-6271, CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187.  Mitigations for CVE-2014-6277 and CVE-2014-6278 are provided, but the vulnerabilities are not fixed.  Fixes for Blue Coat products will be available after GNU Bash updates are published.

Content Analysis System
CAS 1.2 – a fix is available in 1.2.1.3 and later.
CAS 1.1 - a patch will not be provided. Please upgrade to the latest CAS release with the vulnerabilty fix.

Director
Director 6.1 – a fix is provided in the limited availability release 6.1.15.1.  Customers who cannot upgrade immediately may obtain a patch that can be applied to any 6.1 release. Cutomers are avised to upgrade to 6.1.14.1 before applying the patch. The patch is available under the 6.1.14.1 release for Director 510 and Director VA.
Director 5.5 – a patch will not be provided. Please upgrade to the latest Director release with the vulnerabilty fix.

Blue Coat DLP
Blue Coat DLP 7.1, 8.0, 8.1, 9.0 – a fix will not be provided. Please contact Digital Guardian technical support regarding vulnerability information for Blue Coat DLP.

Malware Analysis Appliance
MAA customers are advised to upgrade as soon as possible to release 4.1.7. Customers who cannot upgrade immediately may obtain patches for all versions by contacting Blue Coat Support.
MAA 4.1 – a fix is available in 4.1.7. Customers who upgraded to release 4.1.6 are advised to upgrade to 4.1.7 as soon as possible as release 4.1.6 only addresses CVE-2014-6271 and CVE-2014-7169.

Malware Analyzer G2
MAG2 4.1 and prior – a patch will not be provided. Please upgrade to the latest MAA 4.x release with the vulnerability fix.

Management Center
Management Center 1.2 – a fix is available in 1.2.1.1.
Management Center 1.1 – a patch will not be provided. Please upgrade to the latest Management Center release with the vulnerability fix.

Norman Shark Industrial Control System Protection
ICSP customers are advised to upgrade as soon as possible to the release listed below. Customers who cannot upgrade immediately may obtain patches for 5.2.1 and 5.1.0 from Blue Coat Support.
ICSP 5.2 – a fix is available as an automatic patch. Follow instructions in the product's main console to install.
ICSP 5.1 and earlier – a new release will not be provided. Please deploy the patch or upgrade to the latest ICSP release with the vulnerability fix.

Norman Shark Network Protection
NNP customers are advised to upgrade as soon as possible to the release listed below. Customers who cannot upgrade immediately may obtain patches for 5.2.1, 5.0.1, 5.0.0, 4.2.9, and 4.2.8 from Blue Coat Support.
NNP 5.2 – a fix is available as an automatic patch. Follow instructions in the product's main console to install.
NNP 5.0 and earlier – a fix will not be provided. Please deploy the patch or upgrade to the latest NNP release with the vulnerability fix.

Norman Shark SCADA Protection
NSP customers are advised to upgrade as soon as possible to the release listed below. Customers who cannot upgrade immediately may obtain patches for 5.0.1, 5.0.0, 4.2.9, and 4.2.8 from Blue Coat Support.
NSP 5.2 – a fix is available as an automatic patch. Follow instructions in the product's main console to install.
NSP 5.0 and earlier – a fix will not be provided. Please deploy the patch or upgrade to the latest NSP release with the vulnerability fix.

PacketShaper S-Series
PS S-Series 11.2 - a fix to replace the vulnerable version of bash is available in 11.2.1.6.
PS S-Series 11.1 - a fix to replace the vulnerable version of bash is available in 11.1.1.24. 

Reporter
Reporter 9.4 - an updated release with a fix will not be provided. An RPM to patch bash on the ISO version of Reporter is available on BTO.

Security Analytics Platform
Security Analytics customers are advised to upgrade as soon as possible to the releases listed below.  Customers who cannot upgrade immediately may use the non-standard release (NSR) to patch all vulnerabilities.  The NSR is available from Blue Coat Support for SA 7.1.4, 7.1.3, 7.1.2, 7.1.1, 7.1, 7.0, and 6.6.9.
SA 7.1 – a fix is available in 7.1.5.
SA 7.0 – a patch RPM to update the version of OpenSSL is available through Blue Coat Support.
SA 6.6 – a fix is available 6.6.10.
SA 6.0 – an updated release with a fix will not be provided.  Please upgrade to 6.6.10 or later.

SSL Visibility
SSL Visibility 3.8 – an updated version of bash is available in SSLV 3.8.3 that addresses all vulnerabilities.  An updated version of bash is available in SSLV 3.8.1 that addresses CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187.
SSL Visibility 3.7 and earlier – a fix is available in 3.7.4-41. SSL Visibility customers are advised to upgrade as soon as possible to release 3.8.1 for all the latest features and defect fixes. Customers may apply upgrade patch 3.8.1 to any system running version 3.7.x.

X-Series
X-Series customers are advised to upgrade as soon as possible to the releases listed below. Customers who cannot upgrade immediately may use the patched RPMs for the related XOS branch to update their systems. The patched bash rpm should be applied to the CPM and VAP-Groups.
XOS 10.0 – a fix is available in 10.0.2.0 and later.
XOS 9.7 – a fix is available in 9.7.5.0 and later.
XOS 9.6 – a fix is available in 9.6.9.0 and later.
XOS 9.5 – a fix is available in 9.5.7.0 and later.
XOS prior to 9.5 – a fix will not be provided. Please upgrade to the latest XOS release with the vulnerability fix.

Fixes for MAA and Norman Shark products are available only through the update system provided by the product. Fixes for XOS are available only through the Salesforce portal.

ADDITIONAL PRODUCT INFORMATION

The following products contain a vulnerable version of bash, but are not vulnerable to known vectors of attack:

DLP
All versions of DLP have a vulnerable version of bash.

PacketShaper S-Series
PS S-Series 11.1 prior to 11.1.1.24 and 11.2 prior to 11.2.1.6 have a vulnerable version of bash.  PS S-Series 11.3 and later releases are not vulnerable.

SSL Visibility
All versions of SSLV prior to 3.8.3 have a vulnerable version of bash.  SSLV 3.8.4FC and later versions are not vulnerable.

The following products are not vulnerable:
Advanced Secure Gateway
Android Mobile Agent
AuthConnector
BCAAA
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Mail Threat Defense
OPIC
PacketShaper
PolicyCenter
PolicyCenter S-Series
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
ProxySG
Unified Agent

ISSUES

CVE-2014-6271 - CVSS v2 base score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE-2014-7169 - CVSS v2 base score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE-2014-6277 - CVSS v2 base score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE-2014-6278 - CVSS v2 base score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE-2014-7186 - CVSS v2 base score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE-2014-7187 - CVSS v2 base score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
 
CVE-2014-6271 and CVE-2014-7169 are command injection flaws in the bash command interpreter.  An attacker could use these flaws to create specially crafted environment variables that override or bypass environment restrictions to execute shell commands with elevated privileges.
 
CVE-2014-7186 and CVE-2014-7187 are vulnerabilities discovered during the analysis of GNU Bash that an attacker could use to cause a denial of service, and possibly execute code with elevated privileges.  Patches for GNU Bash include fixes for these two vulnerablities.
 
CVE-2014-6277 and CVE-2014-6278 are additional command injection flaws in the bash command interpreter that were introduced due to an incomplete fix for CVE-2014-6271 and CVE-2014-7169.  Some patches for GNU Bash include mitigations for these two vulnerabilities.  Fixes are pending for GNU Bash.
 
Blue Coat products that install GNU Bash, and that do not provide additional protections against command injection through environment variables, are vulnerable.

Blue Coat products that are vulnerable or that have a vulnerable version of bash do not have fixes for CVE-2014-6277 or CVE-2014-6278.  Mitigations are provided through the fixes for the other four CVEs.  Fixes for Blue Coat products will be available after GNU Bash updates are published.

DLP includes a vulnerable version of bash.  However, the product is not vulnerable to any known vectors of attack.  DLP does not use CGI, PHP, or other web based services.  As other vectors of attack may be forthcoming, customers are encouraged to upgrade to the latest release that addresses the vulnerabilities in bash.

PacketShaper S-Series includes a vulnerable version of bash. However, the product is not vulnerable to any known vectors of attack. The S-Series does not use Apache services, mod_CGI, mod_cgid, PHP, or DHCP. And, the shell that is available to administrators is a custom shell that accepts only limited commands. As other vectors of attack may be forthcoming, customers are encouraged to upgrade to the latest release that addresses the vulnerabilities in bash.

SSL Visibility includes a vulnerable version of bash. However, the product is not vulnerable to any known vectors of attack. The web server does not utilize CGI or Apache services. The DHCP client sanitizes DHCP server responses. SSH access is restricted to authenticated users. And, there is no general purpose user shell that is accessible. As other vectors of attack may be forthcoming, customers are encouraged to upgrade to the latest release that addresses the vulnerabilities in bash.

X-Series XOS includes a vulnerable version of bash.  An attacker must log in to the control module via SSH prior to injecting shell commands.  The shell commands will be executed as the user logging into the SSH session.

X-Series customers running Check Point applications should contact Check Point directly regarding a resolution to CVE-2014-6271.  Additional information can be found in the secure knowledge base under sk102673.

MITIGATION

Limiting devices that can connect to affected systems may reduce the impact.  Patches are available for some products if customers cannot immediately upgrade.

REFERENCES

US-CERT Alert TA14-268A - https://www.us-cert.gov/ncas/alerts/TA14-268A
CERT Vulnerability Note VU#252743 - https://www.kb.cert.org/vuls/id/252743
Red Hat blog - https://access.redhat.com/blogs/766093/posts/1976383
Check Point Solution SK102673 - https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_do...
Using ProxySG to prevent Shellshock - http://bluecoat.force.com/knowledgebase/articles/Solution/How-do-I-detec...

REVISION

2019-08-16 Reporter 10.2 and later releases are not vulnerable. Fixes for Blue Coat DLP will not be provided. Please contact Digital Guardian technical support regarding vulnerability information for Blue Coat DLP. SA status moved to Closed.
2019-01-20 Security Analytics 8.0 is not vulnerable.
2018-04-22 PacketShaper S-Series 11.10 is not vulnerable.
2017-08-02 SSLV 4.1 is not vulnerable.
2017-07-24 PacketShaper S-Series 11.9 is not vulnerable.
2017-07-20 MC 1.10 is not vulnerable.
2017-06-22 Security Analytics 7.3 is not vulnerable.
2017-06-05 PacketShaper S-Series 11.8 is not vulnerable.
2017-05-16 CAS 2.1 is not vulnerable.
2017-03-06 MC 1.8 is not vulnerable.  PacketShaper S-Series 11.7 is not vulnerable.
2016-12-04 SSLV 3.11 is not vulnerable.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-11-14 MC 1.6 and 1.7 are not vulnerable.
2016-11-11 SSLV 3.10 is not vulnerable.
2016-09-15 Advanced Secure Gateway is not vulnerable.
2016-08-11 Security Analytics 7.2 is not vulnerable.
2016-07-15 SSLV 3.8.4FC and 3.9 are not vulnerable.
2016-06-30 PacketShaper S-Series 11.6 is not vulnerable.
2016-06-26 A fix for PacketShaper S-Series 11.2 is available in 11.2.1.6.  PacketShaper S-Series 11.3, 11.4, and 11.5 are not vulnerable.
2016-06-07 MAA 4.2 is not vulnerable.
2016-05-26 IntelligenceCenter Data Collector is not vulnerable.
2016-05-25 Reporter 9.5 and 10.1 are not vulnerable.
2016-05-24 PolicyCenter S-Series is not vulnerable.
2016-05-23 A fix for CAS 1.1 will not be provided.  Please upgrade to the latest CAS release with the vulnerability fix.
2016-05-22 AuthConnector, General Auth Connector Login Application, and K9 are not vulnerable.
2016-05-21 MC 1.3, 1.4, and 1.5 are not vulnerable.
2016-05-20 CAS 1.3 is not vulnerable.
2016-05-11 No Cloud Data Protection products are vulnerable.
2016-05-07 Mail Threat Defense is not vulnerable.
2016-03-09 ProxyAV ConLog and ConLogXP is not vulnerable.
2015-12-02 All fixes are available for Security Analytics Platform
2015-10-01 Fix is available for all bash vulnerablities in SSLV 3.8
2015-07-13 Title Update
2015-02-17 Minor formatting update
2015-02-11 Fix is available for SSLV 3.7.4
2014-12-23 Update to clarify XOS reduced CVSS score
2014-12-09 Fix is available for Security Analytics
2014-11-10 Fix is available for Security Analytics, Management Center, and Director
2014-11-07 Updated information for Security Analytics Platform, ICSP, NNP, and NSP
2014-10-10 Updated link for detecting/protecting against Shellshock, new patch for SSL Visibility is available
2014-10-08 Fixes available for CAS and Reporter
2014-10-07 Patches for Director 6.1 are available; new patch for MAA is available
2014-10-06 Patches for XOS are available; PacketShaper X-Series fix is available; fix for XOS 9.5 available; Norman Shark products added
2014-09-30 DLP contains a vulnerable version of bash; a fix is available for MAA; clarification on CVE-2014-6277 and CVE_2014-6278; clarified that Reporter for Windows and Linux are not vulnerable
2014-09-29 Fixes available for XOS; clarification on versions that will not be patched; included a statement on CVE-2014-7186 and CVE-2014-7187
2014-09-26 All versions of XOS and MAG2 are vulnerable; SSL Visibility and PS S-Series contain a vulnerable version of bash; added four CVEs for additional vulnerabilities discovered in GNU Bash
2014-09-25 Update to indicate that PacketShaper S-Series is under investigation, and that only Reporter's ISO version (virtual Reporter) is vulnerable.
2014-09-25 Update to indicate that Reporter and Management Center are vulnerable
2014-09-25 Initial public release