Update on Shellshock Bash
Posted by Symeon Cutts on 30 September 2014 01:44 PM
Last updated: Sept 29, 2014 16h00
 
Following the discovery in recent days of the Shellshock Bash Linux security flaw (CVE-2014-6271), Haivision and Techex would like to draw your attention to any potential impact on the Haivision product lines.
 
Description:
 
The version(s) of Bash installed on all Haivision hardware products are vulnerable and their vulnerability is still being assessed.
 
The version(s) of Bash installed on all Haivision software products are vulnerable, but our initial assessment reveals that the vulnerability is extremely limited.
 
Below are details of the limited software vulnerability:
 
Based on our analysis, the only remotely exploitable vulnerability exposed by this issue arises when using ForceCommand in SSH, which is supposed to limit which commands can be executed after authentication.
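
One way to check a system for the ForceCommand exposure described above, as an added example that is not Haivision or Techex code: the script tests whether a given bash binary still shows the CVE-2014-6271 behaviour and lists the forced-command restrictions in sshd_config and authorized_keys files to review. The function names, marker string and file paths are assumptions, and it assumes the restricted accounts use bash as their login shell.

```shell
#!/bin/sh
# Added example, not vendor code. File paths are supplied by the caller;
# the marker string and function names are hypothetical.

# Return 0 if this bash still executes text that trails a function
# definition imported from the environment (CVE-2014-6271), 1 if it is
# patched, 2 if the binary is missing. The probe only echoes a marker.
bash_is_vulnerable() {
    bash_bin=${1:-/bin/bash}
    [ -x "$bash_bin" ] || return 2
    out=$(env 'probe=() { :;}; echo SHELLSHOCK_MARKER' \
          "$bash_bin" -c 'true' 2>/dev/null)
    case $out in
        *SHELLSHOCK_MARKER*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "file:line:text" for each forced-command restriction in the given
# sshd_config or authorized_keys files, skipping comment lines.
find_forced_commands() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v f="$f" '
            /^[ \t]*#/ { next }
            tolower($1) ~ /^forcecommand(=|$)/ ||
            tolower($0) ~ /(^|[ \t,])command="/ { print f ":" NR ":" $0 }
        ' "$f"
    done
}

# Return 0 and list the restrictions to review when bash is unpatched.
exposed_forced_commands() {
    bash_bin=$1; shift
    hits=$(find_forced_commands "$@")
    [ -n "$hits" ] || return 1
    bash_is_vulnerable "$bash_bin" || return 1
    printf '%s\n' "$hits"
}

# Direct use: script.sh /bin/bash /etc/ssh/sshd_config ~/.ssh/authorized_keys
[ "$#" -lt 2 ] || exposed_forced_commands "$@" || echo "no exposed forced commands"
```

A non-zero return from `exposed_forced_commands` means either no forced commands were found in the files given or the bash binary tested is already patched.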
 
The ConsoleUI that makes up part of systems is not remotely exploitable, since it is a Python script and only executes Bash after authentication. At worst, an attacker could break out of the ConsoleUI to get a full shell, but they would need SSH credentials to further exploit the system.
Other scenarios identified:
  • Apache w/ mod_cgi: Haivision does not use this in any product.
  • Apache w/ mod_php: It is not vulnerable.
  • Nginx and/or node.js: Vulnerability is unknown at the moment.

Red Hat has issued several patches to fix this issue, and continues to monitor the situation for additional follow-up.
 
Once Red Hat concludes its work and issues any additional fixes, Haivision will incorporate them into any updates required to secure all Haivision products.
 
Haivision is monitoring the situation closely and allocating the necessary resources to address this situation.
 
Once additional information or fixes are available, Haivision will take the necessary steps to update this page. 
 
For more information on this issue, please visit :
 
 
If you have further questions or concerns, you may contact the Techex Support Team.
