Does the Shellshock Vulnerability affect APC products?
Product Line
- StruxureWare Data Center Expert
- StruxureWare Data Center Operation
- NetBotz Appliances
- APC Network Management Cards
- APC InfraStruXure Manager
- PowerChute Network Shutdown Virtual Appliance
- APC Digital IP KVM Switches (KVM1116P, KVM2116P, KVM2132P)
- MGE Network Management Cards (660XX)
- MGE Network Shutdown Module
Environment
Linux/Unix systems running the Bash shell.
Cause
Reported vulnerabilities (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278)
Resolution
September 29, 2014
Information Notice: Shellshock Vulnerability
Symptom - On 25-SEP-2014, a vulnerability in the GNU Bourne Again Shell (Bash), also called the "Shellshock" vulnerability (CVE-2014-6271 and CVE-2014-7169), was detected and published by several cyber security outlets. Follow-up review of the Bash parser produced the additional CVEs listed under Cause.
Effect - Bash executes any commands appended to a function definition that reaches it through an environment variable. An attacker who can set such a variable on a Bash-based system, for example through HTTP headers handed to a CGI script, or any other service that places untrusted input in the environment before invoking Bash, may remotely execute shell commands with the privileges of that service.
Overview (via US-CERT)
A critical vulnerability has been reported in the GNU Bourne Again Shell (Bash), the common command-line shell used in most Linux/UNIX operating systems and Apple’s Mac OS X. The flaw could allow an attacker to remotely execute shell commands by attaching malicious code in environment variables used by the operating system. The United States Department of Homeland Security (DHS) is releasing this Technical Alert to provide further information about the GNU Bash vulnerability.
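The check below is added here as an example; it is not part of the original notice and is not Schneider Electric tooling. It runs the widely published test strings for CVE-2014-6271 and CVE-2014-7169 against the Bash binary installed on the local host and reports whether that Bash still parses exported function definitions unsafely. It assumes a POSIX shell with `env` and `mktemp` available; the function names are the example's own. It tells you about the shell on the box, not about whether a given product exposes a network path into Bash, so use it on the systems (or test copies of appliance images) that the per-product statements below say are affected.

```shell
#!/bin/sh
# Added example: local checks for the two original Shellshock CVEs using the
# public test payloads. Not an exploit against any product; run it on the
# host whose Bash you want to assess.

# First line of "bash --version", or a marker if Bash is not installed.
bash_version() {
    command -v bash >/dev/null 2>&1 || { echo "bash-not-found"; return 0; }
    bash --version 2>/dev/null | head -n 1
}

# CVE-2014-6271: the environment variable x carries a function body followed
# by a trailing command. An affected Bash runs "echo vulnerable" while
# importing the environment; a patched Bash treats x as plain data.
check_cve_2014_6271() {
    command -v bash >/dev/null 2>&1 || { echo "bash-not-found"; return 0; }
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null) || true
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "not-vulnerable" ;;
    esac
}

# CVE-2014-7169: the first fix left a parser bug. On an affected Bash the
# payload below turns the command "echo date" into a redirection, leaving a
# file named "echo" in the working directory. We run it in a scratch
# directory and look for that file.
check_cve_2014_7169() {
    command -v bash >/dev/null 2>&1 || { echo "bash-not-found"; return 0; }
    tmp=$(mktemp -d) || { echo "error"; return 0; }
    ( cd "$tmp" && env X='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -e "$tmp/echo" ]; then
        result="vulnerable"
    else
        result="not-vulnerable"
    fi
    rm -rf "$tmp"
    echo "$result"
}

# Usage: prints one line per check.
echo "bash:            $(bash_version)"
echo "CVE-2014-6271:   $(check_cve_2014_6271)"
echo "CVE-2014-7169:   $(check_cve_2014_7169)"
```

A result of "not-vulnerable" for both checks on a 2014-era system means the vendor's Bash update was applied; it does not cover CVE-2014-7186/7187 or CVE-2014-6277/6278, so confirm the package version against your distribution's advisory as well.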
Schneider Electric's Data Center Business has conducted a vulnerability assessment of the following platforms and found the status of the current shipping versions to be as follows:
- StruxureWare Data Center Operation (DCO) v7.4.0 runs a version of Bash which is affected. A patch for this vulnerability is available now at DCIM Support (link) and in the released version v7.4.1.
- StruxureWare Data Center Expert (DCE) v7.2.4 and all earlier versions run a version of Bash which is affected. A patch for this vulnerability is included in v7.2.5; please contact your local APC Technical Support for the updated version.
- NetBotz Appliances do not use Bash and are therefore not affected.
- Network Management Card (NMC) applications do not use Bash and are therefore not affected.
- All versions of InfraStruXure Manager (ISXM) run a version of Bash which is affected. As this product has reached End of Life, no updates will be made available for this platform; customers still operating ISXM should restrict network access to its management interface and plan a migration.
- PowerChute Network Shutdown Virtual Appliance vulnerability information and details are available in knowledge base article ID FA234757.
- APC Digital IP KVM Switches (KVM1116P, KVM2116P, KVM2132P) do not use Bash and are therefore not affected.
- MGE Network Management Cards do not use Bash and are therefore not affected.
- MGE Network Shutdown Module does not use Bash and is therefore not affected.
Cyber security is an important element of Schneider Electric's commitment to software quality. Regular vulnerability assessment and further investigation of other Schneider Electric platforms, in addition to those listed above, is ongoing, and any further findings will be published.