Does the Shellshock Vulnerability affect APC products?
Issue
Does the Shellshock Vulnerability affect APC products?
Product Line
- StruxureWare Data Center Expert
- StruxureWare Data Center Operation
- NetBotz Appliances
- APC Network Management Cards
- APC InfraStruXure Manager
- PowerChute Network Shutdown Virtual Appliance
- APC Digital IP KVM Switches (KVM1116P, KVM2116P, KVM2132P)
- MGE Network Management Cards (660XX)
- MGE Network Shutdown Module
Environment
Linux/Unix Systems running Bash shell.
Cause
Reported vulnerabilities (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278)
Resolution
September 29, 2014
Information Notice: Shellshock Vulnerability
Symptom - On 25-SEP-2014, the GNU Bourne Again Shell (Bash) Vulnerability, also called the "Shellshock" Vulnerability (CVE-2014-6271 and CVE-2014-7169), was detected and published by several Cyber Security outlets.
Effect - An attacker may remotely execute shell commands by attaching malicious code in environment variables used by the operating system.
Overview (via US-CERT)
A critical vulnerability has been reported in the GNU Bourne Again Shell (Bash), the common command-line shell used in most Linux/UNIX operating systems and Apple’s Mac OS X. The flaw could allow an attacker to remotely execute shell commands by attaching malicious code in environment variables used by the operating system. The United States Department of Homeland Security (DHS) is releasing this Technical Alert to provide further information about the GNU Bash vulnerability.
Schneider Electric's Data Center Business has conducted a vulnerability assessment on the following platforms and found the status of the current shipping versions as follows:
- Data Center Operations (DCO) v7.4.0 is operating a version of BASH which is affected. A patch for this vulnerability is available now at DCIM Support (link) and in the released version v7.4.1.
- Data Center Expert (DCE) v7.2.4 is currently operating a version of BASH which is affected. All earlier versions are also affected. A patch for this vulnerability is currently available in v7.2.5. Please contact your local APC Technical Support for the updated version.
- NetBotz Appliances do not utilize BASH and are therefore not affected.
- All Network Management Card (NMC) Applications do not utilize BASH and are therefore not affected.
- All versions of ISX Manager (ISXM) utilize a version of BASH which is affected. As this product is termed End Of Life, no updates will be made available for this platform.
- PowerChute Network Shutdown Virtual Appliance vulnerability information and details are available in knowledge base article ID FA234757.
- APC Digital IP KVM Switches (KVM1116P, KVM2116P, KVM2132P) do not utilize BASH and therefore are not affected.
- MGE Network Management Cards do not utilize BASH and therefore are not affected.
- MGE Network Shutdown Module does not utilize BASH and therefore is not affected.
Cyber Security is an important element of Schneider Electric's commitment to software quality. Regular vulnerability assessment and further investigation are ongoing on other Schneider Electric platforms in addition to the above and will be detailed if discovered.
Published for: Schneider Electric Korea