Network Management


Curious - Does New and critical vulnerability called "shellshock" affect Airwave OS?

  • 1.  Curious - Does New and critical vulnerability called "shellshock" affect Airwave OS?

    Posted Sep 25, 2014 09:25 AM

    Hi,

    Just wondering if this vulnerability affects the Airwave OS?

    Vulnerability Summary for CVE-2014-6271

    https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

    https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

    Regards,

    Edward



  • 2.  RE: Curious - Does New and critical vulnerability called "shellshock" affect Airwave OS?

    EMPLOYEE
    Posted Sep 25, 2014 10:55 AM

    Thanks, we're aware of this and are working to resolve it in a patch release.  If you contact support, you can just ask for updates on DE19781.  Here's more info:

     

    Update: 2014-09-25 03:10 UTC
    Red Hat has become aware that the patch for CVE-2014-6271 is incomplete. An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions. The new issue has been assigned CVE-2014-7169. Red Hat is working on patches in conjunction with the upstream developers as a critical priority.
    ---
    bash-4.1.2-15.el6_5.1 (RHSA-2014:1293-1)
    ---
    A flaw was found in the way Bash evaluated certain specially crafted
    environment variables. An attacker could use this flaw to override or
    bypass environment restrictions to execute shell commands. Certain
    services and applications allow remote unauthenticated attackers to
    provide environment variables, allowing them to exploit this issue.
    ---

     



  • 3.  RE: Curious - Does New and critical vulnerability called "shellshock" affect Airwave OS?

    Posted Sep 25, 2014 10:58 AM

    Thank you for the information.

     

    Regards,

    Edward



  • 4.  RE: Curious - Does New and critical vulnerability called "shellshock" affect Airwave OS?

    Posted Sep 25, 2014 02:29 PM

    How about ArubaOS? Is it vulnerable too? Like a 650 Controller to which VIA-VPN and RAPs connect?



  • 5.  RE: Curious - Does New and critical vulnerability called "shellshock" affect Airwave OS?

    Posted Sep 25, 2014 10:56 AM

    I've come across two commands online that supposedly check the vulnerability:

     

    env X="() { :;} ; echo busted" /bin/sh -c "echo completed"

     

    env X="() { :;} ; echo busted" `which bash` -c "echo completed"

     

    From the output of the above two commands, it appears Airwave (8.0.1) is vulnerable to CVE-2014-6271.



  • 6.  RE: Curious - Does New and critical vulnerability called "shellshock" affect Airwave OS?

    Posted Sep 25, 2014 08:37 PM

     

    The question isn't whether bash is vulnerable, it's whether it is used in a manner that makes that vulnerability dangerous; e.g. is a webserver shelling out without purging its environment.

     

    In any case patching the hole is for the best, but as far as characterizing how much exposure Aruba products have endured, that is a big audit job and we'll just have to wait for the engineers to get through it.
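
Added example, not part of the thread and not Aruba or Red Hat code: environment hygiene for a service that shells out, which is the exposure post 6 describes. It lists environment variables whose value begins with `() {` (the prefix used in the test commands in post 5) and runs the child under `env -i` with an allowlist; `ALLOWED_VARS`, `list_funcdef_vars`, `run_scrubbed`, `demo` and the `HTTP_USER_AGENT` sample value are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): environment hygiene before shelling out.

# Variables allowed through to the child process (hypothetical list).
ALLOWED_VARS="LANG TZ"

# Print names of environment variables whose value starts with "() {".
# awk's ENVIRON is read instead of parsing `env` output, so values that
# contain newlines cannot be mistaken for extra variables.
list_funcdef_vars() {
    awk 'BEGIN {
        for (name in ENVIRON)
            if (ENVIRON[name] ~ /^\(\) \{/) print name
    }' | sort
}

# Run "$@" with an empty environment, a fixed PATH, and only allowlisted
# variables that are set and not flagged. Subshell body keeps variables local.
run_scrubbed() (
    flagged=$(list_funcdef_vars)
    for name in $ALLOWED_VARS; do
        if value=$(printenv "$name") &&
           ! printf '%s\n' "$flagged" | grep -qxF "$name"; then
            set -- "$name=$value" "$@"
        fi
    done
    env -i PATH=/usr/bin:/bin "$@"
)

# Constructed input: a request header copied into the environment, CGI style.
demo() (
    export LANG=C HTTP_USER_AGENT='() { :;} ; echo busted'
    echo "flagged: $(list_funcdef_vars | tr '\n' ' ')"
    run_scrubbed env
)
```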