New Vulnerability Affecting Cisco UC Products:
A new vulnerability in the Bash shell has been publicly announced. The vulnerability is related to the way in which shell functions are passed though environment variables. The vulnerability may allow an attacker to inject commands into a Bash shell, depending on how the shell is invoked. The Bash shell may be invoked by a number of processes including, but not limited to, telnet, SSH, DHCP, and scripts hosted on web servers.
All versions of GNU Bash starting with version 1.14 are affected by this vulnerability and the specific impact is determined by the characteristics of the process using the Bash shell. In the worst case, an unauthenticated remote attacker would be able to execute commands on an affected server. However, in most cases involving Cisco products, authentication is required before exploitation could be attempted.
More Information and History:
This vulnerability has also been referred to as “Shellshock”, also known as Bashdoor, a family of security bugs which are a vulnerability in the widely used Unix Bash shell, which was first disclosed on September 24th, 2014.
Many Internet daemons, such as web servers, use Bash to process certain commands, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.
The bugs cause Bash to unintentionally execute commands when they are stored in specially crafted environment variables. Within days of the initial discovery and patching of Shellshock, intense scrutiny of the underlying design flaws discovered a variety of derivative vulnerabilities then present in Bash, which code-maintainers solved with a series of further patches.
Attackers exploited Shellshock within hours of the initial disclosure by creating botnets on compromised computers to perform distributed denial-of-service attacks and vulnerability scanning. Millions of attacks and probes related to the bug were recorded by security companies in the days following the disclosure. The bug could potentially be used to compromise millions of servers and other systems, and it has been compared to the Heartbleed bug in its severity.
What to do for your Cisco UC Environment:
For our Byteworks customers with Cisco UC Environments that include Cisco Unified Communications Manager, including Business Edition versions, between 8.5(1) and 10.5(1), we highly recommend you apply the “Batch Environment Variable Patch released on October 1, 2014 to your Cisco UC Environments. The Patch can be located here.
As always, if you have any questions or need any assistance applying this important security patch to your systems, please do not hesitate to contact Byteworks Support. (firstname.lastname@example.org/1-866-604-3832).
Byteworks Senior Solutions Engineer Aaron Harned also has an excellent write-up on Shellshock in general here.