eip
Occasional Contributor II
Posts: 22
Registered: ‎02-08-2008

Curious - Does New and critical vulnerability called "shellshock" affect Airwave OS?

Hi,

Just wondering if this vulnerability affects the Airwave OS?

Vulnerability Summary for CVE-2014-6271

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

Regards,

Edward

Moderator
Posts: 1,251
Registered: ‎10-16-2008

Re: Curious - Does New and critical vulnerability called "shellshock" affect Airwave OS?

Thanks, we're aware of this and are working to resolve it in a patch release. If you contact support, you can just ask for updates on DE19781. Here's more info:

Update: 2014-09-25 03:10 UTC
Red Hat has become aware that the patch for CVE-2014-6271 is incomplete. An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions. The new issue has been assigned CVE-2014-7169. Red Hat is working on patches in conjunction with the upstream developers as a critical priority.
---
bash-4.1.2-15.el6_5.1 (RHSA-2014:1293-1)
---
A flaw was found in the way Bash evaluated certain specially crafted
environment variables. An attacker could use this flaw to override or
bypass environment restrictions to execute shell commands. Certain
services and applications allow remote unauthenticated attackers to
provide environment variables, allowing them to exploit this issue.
---

 


Rob Gin
Senior QA Engineer - Network Services
Aruba Networks, a Hewlett Packard Enterprise Company
Occasional Contributor I
Posts: 10
Registered: ‎10-20-2010

Re: Curious - Does New and critical vulnerability called "shellshock" affect Airwave OS?

I've come across two commands online that supposedly check the vulnerability:

env X="() { :;} ; echo busted" /bin/sh -c "echo completed"

env X="() { :;} ; echo busted" `which bash` -c "echo completed"

From the output of the above two commands, it appears Airwave (8.0.1) is vulnerable to CVE-2014-6271.

eip
Occasional Contributor II
Posts: 22
Registered: ‎02-08-2008

Re: Curious - Does New and critical vulnerability called "shellshock" affect Airwave OS?

Thank you for the information.

Regards,

Edward

Frequent Contributor II
Posts: 116
Registered: ‎05-03-2013

Re: Curious - Does New and critical vulnerability called "shellshock" affect Airwave OS?

How about ArubaOS? Is it vulnerable too? Like a 650 Controller to which VIA-VPN and RAPs connect?

Super Contributor I
Posts: 268
Registered: ‎04-04-2014

Re: Curious - Does New and critical vulnerability called "shellshock" affect Airwave OS?

 

The question isn't whether bash is vulnerable, it's whether it is used in a manner that makes that vulnerability dangerous; e.g. is a webserver shelling out without purging its environment.

 

In any case patching the hole is for the best, but as far as characterizing how much exposure Aruba products have endured, that is a big audit job and we'll just have to wait for the engineers to get through it.
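
The probe quoted earlier in the thread and the environment-purging point in the last reply, combined in an added example (not part of any post and not Aruba's code). `check_shell` wraps the thread's probe and covers CVE-2014-6271 only; `run_scrubbed` is a hypothetical helper that launches a child with a purged environment. The function names, marker string and fixed PATH are assumptions.

```shell
#!/bin/sh
# Added example; function names, MARKER and the fixed PATH are assumptions.
MARKER="busted"   # constructed token; appears in output only if the flaw triggers

# check_shell PATH -> 0: trailing command not run, 1: run (CVE-2014-6271), 2: no such shell.
# Covers CVE-2014-6271 only; it does not test the follow-up CVE-2014-7169.
check_shell() {
    shell_path=$1
    [ -x "$shell_path" ] || return 2
    # X looks like an exported function definition followed by an extra command.
    # A patched bash, or a non-bash /bin/sh, treats X as plain data.
    out=$(env X="() { :;} ; echo $MARKER" "$shell_path" -c "echo completed" 2>/dev/null)
    case "$out" in
        *"$MARKER"*) return 1 ;;
        *) return 0 ;;
    esac
}

# run_scrubbed CMD [ARGS...]: start CMD with an empty environment and a fixed PATH,
# so no caller-supplied variable can reach a shell the command may invoke.
run_scrubbed() {
    env -i PATH=/usr/bin:/bin "$@"
}

# report: check /bin/sh and the bash found on PATH, one line per shell.
report() {
    for sh in /bin/sh "$(command -v bash 2>/dev/null)"; do
        [ -n "$sh" ] || continue
        rc=0
        check_shell "$sh" || rc=$?
        case $rc in
            0) echo "$sh: trailing command not executed" ;;
            1) echo "$sh: VULNERABLE to CVE-2014-6271" ;;
            2) echo "$sh: not found or not executable" ;;
        esac
    done
}

report
```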

 
