Digi International Security Notice
Bash Vulnerability "Shellshock"
October 2nd, 2014

CVE-2014-6271 / CVE-2014-7169
CVE-2014-7186 / CVE-2014-7187
CVE-2014-6277 / CVE-2014-6278

Overview

A critical security vulnerability (initially reported as CVE-2014-6271), nicknamed "Shellshock," was discovered by Stephane Chazelas in the Bash command interpreter. The purpose of this notice is to inform you of the vulnerability, how it affects Digi products, and the steps necessary to remediate the issue. In our testing of this vulnerability, we did not find a single case where a remote attacker could gain unauthorized access to your device. We have therefore rated this vulnerability as a LOW risk to our customers.

Affected Products

The security team at Digi has evaluated the exposure of Digi products to this vulnerability and determined that the overall risk to our products is low. A small number of our products are affected, and none of them is remotely exploitable. The following products are impacted:

- ConnectPort LTS
- Digi Passport
- Digi CM

Following best security practices, Digi will be patching the Bash shell on these products.
Digi recommends that all of its customers update their products to the new firmware versions (estimated availability is the week of October 6th, 2014).

Products Not Affected

The following Digi products and services are not affected by this vulnerability:

- Connect WAN, WAN 3G, ES, SP/Wi-SP, N2S
- ConnectPort X2, X2e, X4, X4H, X5, WAN, TS
- NET+OS
- PortServer TS
- Anywhere USB
- TransPort routers running SarOS
- Sarian Systems routers running SarOS
- Digi Device Cloud
- Digi Cloud Connector
- Rabbit
- www.digi.com Website
- Social Machine

Note: If you have any questions on any Digi products and services that are not listed, please contact us at +1 (952) 912-3456, or via the web site at www.digi.com/support.

Detailed Information on Affected Products

Background

The vulnerability, which started officially as CVE-2014-6271 and was nicknamed "Shellshock", has the potential to impact many different applications on the Internet. The vulnerability is in a common utility called Bash. The Bash shell has been around for about 25 years, and it has been confirmed that this issue dates back to the earliest versions of the Bash shell. Bash is used in so many different programs and platforms that it is difficult to identify every use of it in every piece of software. Digi International maintains a security team that will continue to review new findings about this threat as they are published, and to test our solutions and products for any new and emerging security vulnerabilities. Security is a top priority and something we take very seriously.

Analysis

We have used various commercial scanners, as well as manual methods, to conduct these tests and determine our results. For Shellshock, testing has been quite challenging, as there may be additional, less obvious ways to exploit this vulnerability.
This is why we are taking the approach of immediately building new firmware versions to fix the Bash vulnerability, and suggesting that our customers update as soon as possible, even though the issue is classified as a LOW risk at this time.

Below is our analysis of the threat, the risk of what may be exposed, and how we recommend our customers mitigate the threat.

Functions impacted:

- Internal Bash shell functionality
- DHCP client
- Command line SSH functions, when connecting from an SSH client to the SSH Bash shell on the device

Functions NOT impacted: Below is a list of functions that are not impacted. This is not a complete list, but is meant to call out functions that customers may be concerned with and that we have determined are not affected.

- The device client connection to the Digi Device Cloud
- HTTP internal web server device management functions

Risk

For the generic risks of this vulnerability, see the Red Hat FAQ link below, which covers the risks associated with this flaw in general. Because the Bash shell can be used by programs and products in many ways, this flaw can pose many different threat vectors to your applications.

For the specific risks to Digi International products, we have classified the risk of Shellshock to our products as LOW. During our testing, we were not able to find any remote exploit that this vulnerability creates. Further, we were not able to find any location where privilege escalation could become an issue. For each product tested, the Bash shell was identified as being affected, but in every case except one you needed to already have full access to the device in order to exploit the bug. Although US-CERT has rated this vulnerability at the highest severity (CVSS of 10.0), the real threat to our devices is much lower.

The risks of Shellshock to our products and services are:
- Authenticated SSH into an impacted device could unintentionally run commands as the authenticated user. If an environment variable on the client side is set to a specially crafted function definition, the SSH session can carry that variable over to the vulnerable device, where Bash executes the trailing commands automatically when it imports the variable.
- User-generated programs and content that use the Bash shell on these devices could be impacted.
- If a device is configured as a DHCP client, it is possible that a rogue DHCP server on the same subnet as the device could run arbitrary commands on the device. Although this can only be done from the local network, the attack would be difficult to carry out. Further, the impacted devices are almost always configured NOT to use DHCP; DHCP is usually used only during the initial configuration of the device.
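Every vector listed above reduces to the same mechanism: Bash imports an attacker-controlled environment variable that looks like a function definition and executes whatever follows it. As an added check (this is not part of Digi's notice and not Digi's code), the following POSIX shell script tests the Bash interpreter on a host you already have a shell on, using the publicly known test strings for CVE-2014-6271 and the incomplete-fix follow-up CVE-2014-7169. It assumes a binary named `bash` in PATH (override with the `BASH_BIN` variable); it probes only the local interpreter and attempts nothing over SSH or DHCP. Each check prints `patched`, `vulnerable` or `bash-not-found` and returns 0, 1 or 2 respectively.

```shell
#!/bin/sh
# Added example (not Digi's code): local Shellshock check for CVE-2014-6271 and
# CVE-2014-7169. Run from an already-authenticated shell on the device or host.
# Assumption: the interpreter under test is "bash" in PATH (override BASH_BIN).

BASH_BIN="${BASH_BIN:-bash}"

# CVE-2014-6271: an environment variable whose value is a function definition
# followed by extra commands. A vulnerable bash runs "echo VULN" while merely
# importing the variable, before -c 'echo probe' ever executes.
check_cve_2014_6271() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo "bash-not-found"; return 2; }
    out=$(env x='() { :;}; echo VULN' "$BASH_BIN" -c 'echo probe' 2>/dev/null || true)
    case "$out" in
        *VULN*) echo "vulnerable"; return 1 ;;
        *)      echo "patched";    return 0 ;;
    esac
}

# CVE-2014-7169: the first fix left a parser bug. With the value '() { (a)=>\'
# a vulnerable bash mis-parses the -c command so that "date" runs with its
# output redirected into a file literally named "echo" in the current directory.
# A patched bash simply prints the word "date". We run it in a scratch directory
# so the probe cannot touch anything else.
check_cve_2014_7169() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo "bash-not-found"; return 2; }
    tmp=$(mktemp -d) || { echo "bash-not-found"; return 2; }
    ( cd "$tmp" && env X='() { (a)=>\' "$BASH_BIN" -c 'echo date' >/dev/null 2>&1 ) || :
    if [ -e "$tmp/echo" ]; then
        rm -rf "$tmp"
        echo "vulnerable"; return 1
    fi
    rm -rf "$tmp"
    echo "patched"; return 0
}

# Stand-alone run: report both checks.
for fn in check_cve_2014_6271 check_cve_2014_7169; do
    printf '%s: %s\n' "$fn" "$($fn || true)"
done
```

The `env VAR=... bash -c ...` form is exactly what happens on the device when an SSH session forwards a client environment variable, or when a DHCP client hook script is started by Bash with option values placed in its environment; the script only reproduces the import step, which is why a result of `patched` here is a direct test of the firmware's Bash rather than of any particular network path.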
Risk needs to be determined by the end customer based on how they have chosen to deploy the device within their environment. We made our determination based on the following criteria:

- Most customers have deployed the devices within a network that is not reachable from the Internet.
- The vulnerability is not remotely exploitable. In every case tested other than the DHCP client (which requires an attacker on the local network), full access to the device was needed to even see the vulnerability.
- For the DHCP client vulnerability, we find that many of the configurations of these specific devices do NOT have DHCP running, and that DHCP is used only during initial setup.

Suggested Steps to Protect Your Devices

To fix or mitigate devices affected by this vulnerability, we suggest the following steps.

Fixing Devices

Update Firmware. The recommended fix for our devices is to update to a fixed firmware version. Digi is releasing new firmware versions for all of the affected devices. Check this notice for firmware release versions and dates. You can also visit www.digi.com/support for more information specific to your device. We also recommend subscribing to the RSS feed on the support site for your product to get immediate notice of any new firmware or document releases specific to your product.

Mitigation Steps

If a firmware update is not available, we currently do not have any recommendation to mitigate this vulnerability. Because of the many different customer configurations, no general list of steps can be guaranteed to fully mitigate this threat. It is up to the customer to validate that any steps taken actually mitigate the vulnerability in their deployment.

Resources for Shellshock

If you are interested in learning more about the disclosure, please feel free to visit the web pages below:

If you have any other questions regarding this vulnerability and how it affects Digi hardware products and the Digi Device Cloud, feel free to contact us at firstname.lastname@example.org.