Security Advisories

FSC-2014-7: Notice on Bash "Shellshock" vulnerability

Description

The Bourne Again Shell (commonly known as Bash) contains a vulnerability that attackers can exploit through a specially crafted environment variable, allowing them to specify arbitrary commands and achieve remote code execution.

Affected Products

Risk Level: CRITICAL (Low/Medium/High/Critical)

Products

  • F-Secure Messaging Security Gateway 6.3.0 – 7.5.0
  • F-Secure Protection Service for Email 6.3.0 – 7.5.0

Platforms

Risk Level: CRITICAL (Low/Medium/High/Critical)

  • Linux
  • Mac OS X

More Information

Shellshock is a critical vulnerability in GNU's Bash shell that lets attackers run commands remotely on a vulnerable system via a specially crafted command. The vulnerability affects versions 1.14 through the most recent version, 4.3. CVE-2014-6271 has been assigned to this issue.

Detection for in-the-wild samples exploiting this vulnerability has been added as Backdoor:Linux/ShellShock.A in database update Hydra 2014-09-26_01. The Threat Description page can be found here: Backdoor:Linux/ShellShock.

This advisory will be updated as more information becomes available.

Note: Products and platforms not listed in this advisory are NOT affected by Shellshock.

Patched, Requires User Action

The following products / platforms are affected and are already patched.

Product/Platform: F-SECURE MESSAGING SECURITY GATEWAY 6.3.0 – 7.5.0
Requires User Action? (Y/N): Y
Remarks:
  1. Verify that the patch has been installed in the appliance.
  2. Required patch per version:
       MSG 6.3.0 – Patch 2035
       MSG 7.0.2 – Patch 2036
       MSG 7.1.0 – Patch 2037
       MSG 7.2.0 – Patch 2038
       MSG 7.5.0 – Patch 2039

Product/Platform: F-SECURE PROTECTION SERVICE FOR EMAIL 6.3.0 – 7.5.0
Requires User Action? (Y/N): Y
Remarks:
  1. Verify that the patch has been installed in the appliance.
  2. Required patch per version:
       PSE 6.3.0 – Patch 2035
       PSE 7.0.2 – Patch 2036
       PSE 7.1.0 – Patch 2037
       PSE 7.2.0 – Patch 2038
       PSE 7.5.0 – Patch 2039

Not Affected, Requires User Action

The following products / platforms are not affected but require user action.

Product/Platform: F-SECURE LINUX SECURITY
Remarks:
  1. F-Secure Linux Security depends on the Bash provided by the operating system.
  2. Countermeasure: Update Bash when the fixed package becomes available through the operating system's update channel.

Product/Platform: F-SECURE INTERNET GATEKEEPER
Remarks:
  1. F-Secure Internet Gatekeeper depends on the Bash provided by the operating system.
  2. Countermeasure: Update Bash when the fixed package becomes available through the operating system's update channel.

Product/Platform: F-SECURE INTERNET GATEKEEPER VIRTUAL APPLIANCE (IGK VA)
Remarks:
  1. If the product fetches its network configuration from a DHCP server, it can be compromised by a rogue device on the same LAN segment that advertises specially crafted DHCP responses.
  2. Countermeasure: Reconfigure the product from its console menu so that it does not use DHCP, and set the networking parameters manually.

Product/Platform: F-SECURE SCANNING REPUTATION SERVER VIRTUAL APPLIANCE (SRS VA)
Remarks:
  1. If the product fetches its network configuration from a DHCP server, it can be compromised by a rogue device on the same LAN segment that advertises specially crafted DHCP responses.
  2. Countermeasure: Reconfigure the product from its console menu so that it does not use DHCP, and set the networking parameters manually.
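To confirm that the operating-system Bash relied on by the products above has actually received the fix, here is an added check that is not part of the advisory or of any F-Secure product. It assumes a POSIX sh and a bash binary on PATH; the variable name TESTVAR and the marker string SHELLSHOCK_TEST are our own.

```shell
#!/bin/sh
# Added example (not from the F-Secure advisory): report whether the local
# Bash still executes the command that follows an exported function
# definition in an environment variable (CVE-2014-6271).

# Print the Bash version string, or "missing" when no bash is on PATH.
bash_version() {
    if command -v bash >/dev/null 2>&1; then
        bash -c 'printf "%s\n" "$BASH_VERSION"'
    else
        echo missing
    fi
}

# Classify the local bash as "vulnerable", "patched" or "missing".
# TESTVAR and SHELLSHOCK_TEST are constructed names for this check.  A
# vulnerable bash runs the trailing command while importing the function
# from the environment and so prints the marker; a patched bash ignores
# the trailing text (its warning on stderr is discarded here).
check_cve_2014_6271() {
    if ! command -v bash >/dev/null 2>&1; then
        echo missing
        return 0
    fi
    out=$(env TESTVAR='() { :;}; echo SHELLSHOCK_TEST' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_TEST*) echo vulnerable ;;
        *)                 echo patched ;;
    esac
}

# Human-readable report; exit status 1 means the host needs a Bash update.
report() {
    status=$(check_cve_2014_6271)
    echo "bash $(bash_version): $status"
    [ "$status" != vulnerable ]
}
```

Run `report` on each host (or appliance console) that depends on the operating system's Bash; a non-zero exit status means the vendor fix has not yet been applied.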

Advisory Changes

Date: Changes
30 September 2014: First advisory published.

Date Issued: 2014-09-30
Date Last Modified: 2014-09-30
