UK
Security Advisories

FSC-2014-7: Notice on Bash "Shellshock" vulnerability

Description

The Bourne Again Shell (commonly known as Bash)  contains a vulnerability that attackers can exploit to format an environment variable, allowing them to specify arbitrary commands and perform remote code execution.

Affected Products

  • Risk Level (Low/Medium/High/Cricital) Critical
  • F-Secure Messaging Security Gateway 6.3.0 – 7.5.0
  • F-Secure Protection Service for Email 6.3.0 – 7.5.0

Platforms

  • Risk Level (Low/Medium/High/Cricital) Critical
  • Linux
  • Mac OS X

More Information

Shellshock is a critical vulnerability in GNU's Bash shell that gives attackers access to run remote commands on a vulnerable system via a specially crafted command. The vulnerability affects versions 1.14 to the most recent version 4.3. CVE-2014-6271 has been assigned for this issue.

Detection for in-the-wild samples exploiting this vulnerability has been added as Backdoor:Linux/ShellShock.A in database update Hydra 2014-09-26_01. The Threat Description page can be found here: Backdoor:Linux/ShellShock.

This advisory will be updated as more information becomes available.

Note: Products and platforms not listed in this advisory are NOT affected by Shellshock.

Patched, Requires User Action

The following products/platforms are affected and are already patched.

Product/Platform Requires User Action? (Y/N) Remarks
F-Secure Messaging Security Gateway 6.3.0 – 7.5.0 Yes

Verify that patch has been installed in the appliance.
MSG 6.3.0 – Patch 2035
MSG 7.0.2 – Patch 2036
MSG 7.1.0 – Patch 2037
MSG 7.2.0 – Patch 2038
MSG 7.5.0 – Patch 2039
F-Secure Protection Service for Email 6.3.0 – 7.5.0 Yes

Verify that patch has been installed in the appliance.
PSE 6.3.0 – Patch 2035
PSE 7.0.2 – Patch 2036
PSE 7.1.0 – Patch 2037
PSE 7.2.0 – Patch 2038
PSE 7.5.0 – Patch 2039

Not Affected, Requires User Action

The following products/platforms are not affected but require user interaction.

Product/Platform Remarks
F-Secure Linux Security
  1. F-Secure Linux Security depends on Operating System provided Bash.
  2. Countermeasure: Update Bash when made available by the Operating System update channel.

F-Secure Internet Gatekeeper
  1. F-Secure Internet Gateway depends on Operating System provided Bash.
  2. Countermeasure: Update Bash when made available by the Operating System update channel.
F-Secure Internet Gatekeeper Virtual Appliance (IGK VA)
  1. If the product fetches its network configuration from a DHCP server, it can be compromised by a rogue device that can advertise specially crafted DHCP responses on the same LAN segment.
  2. Countermeasure: Reconfigure the product from its console menu so it does not use DHCP. Manually set the networking parameters.
F-Secure Scanning Reputation Server Virtual Appliance (SRS VA)
  1. If the product fetches its network configuration from a DHCP server, it can be compromised by a rogue device that can advertise specially crafted DHCP responses on the same LAN segment.
  2. Countermeasure: Reconfigure the product from its console menu so it does not use DHCP. Manually set the networking parameters.

Date Issued: 2014-09-30
Date Last Modified: 2014-09-30