Riverbed products affected by vulnerabilities in the Bash shell (“Shellshock” and others)

Solution Number: S24997
Last Modified: 2017-12-04

Issue

The National Institute of Standards and Technology's National Vulnerability Database has published multiple CVE entries for vulnerabilities found in the GNU Bash shell. Bash is a standard component of most Linux distributions and is therefore included in several Riverbed products. The flaws are summarized below.

A flaw (“Shellshock”) in the way Bash imports function definitions from environment variables permits an attacker to inject arbitrary code, write files, cause denials of service, and execute arbitrary commands via specially crafted environment variables: Bash kept parsing past the end of the function body, so any commands appended to the variable's value ran as soon as the shell started. Any program that places attacker-controlled data in the environment and then runs Bash (CGI scripts, DHCP client hook scripts, SSH servers that accept client environment variables) is therefore an exploit path. Four separate notices were issued (CVE-2014-6271, CVE-2014-7169, CVE-2014-6277 and CVE-2014-6278), as researchers continued to find parser bugs reachable through the same mechanism after the GNU Project's first patches.

Two further flaws in the Bash parser (the Yacc grammar in parse.y) permit an attacker to cause denials of service or have other unspecified impacts via a long run of “here” documents on one command, which overflows the redir_stack array (CVE-2014-7186), and via deeply nested “for” loops, which run past the end of the word_lineno array (CVE-2014-7187).
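The following script is an added example for this article (it is not Riverbed or GNU code): it runs the public test cases for the six CVEs above against one Bash binary and reports patched or vulnerable for each. It assumes the Bash to test is on PATH or named in BASH_BIN; everything else it uses is standard POSIX tooling.

```sh
#!/bin/sh
# Added example, not Riverbed or GNU code: run the public test cases for the
# six Bash CVEs described in this article against one Bash binary and report
# "patched" or "vulnerable" for each. Every probe runs the target Bash as a
# throwaway child process; the only file any probe writes goes into a
# temporary directory that is removed again.
# Assumption: BASH_BIN names the Bash under test (default: first on PATH).
BASH_BIN="${BASH_BIN:-$(command -v bash)}"
if [ ! -x "$BASH_BIN" ]; then
    echo "no Bash binary found; set BASH_BIN" >&2
    exit 2
fi

# CVE-2014-6271: commands appended after a function body in an exported
# variable run when Bash imports the variable at startup.
probe_cve_2014_6271() {
    out=$(env x='() { :;}; echo vulnerable' "$BASH_BIN" -c 'echo test' 2>/dev/null) || true
    case "$out" in *vulnerable*) echo vulnerable ;; *) echo patched ;; esac
}

# CVE-2014-7169: the first fix left parser state behind, so a dangling
# redirection in the variable turns "echo date" into "> echo date" and a
# file named "echo" appears in the working directory.
probe_cve_2014_7169() {
    tmp=$(mktemp -d) || return 1
    ( cd "$tmp" && env X='() { (a)=>\' "$BASH_BIN" -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -e "$tmp/echo" ]; then echo vulnerable; else echo patched; fi
    rm -rf "$tmp"
}

# CVE-2014-6277: a here-document on a nested function definition makes a
# vulnerable parser touch uninitialised memory and crash (non-zero exit).
probe_cve_2014_6277() {
    if "$BASH_BIN" -c 'f() { x() { _; }; x() { _; } <<a; }' >/dev/null 2>&1; then
        echo patched
    else
        echo vulnerable
    fi
}

# CVE-2014-6278: the second fix still let a crafted function body with a
# redirection execute the code that follows it.
probe_cve_2014_6278() {
    out=$(env X='() { _; } >_[$($())] { echo vulnerable; }' "$BASH_BIN" -c : 2>/dev/null) || true
    case "$out" in *vulnerable*) echo vulnerable ;; *) echo patched ;; esac
}

# CVE-2014-7186: fourteen here-documents on one command overflow the
# fixed-size redir_stack; a vulnerable Bash crashes.
probe_cve_2014_7186() {
    if "$BASH_BIN" -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' >/dev/null 2>&1; then
        echo patched
    else
        echo vulnerable
    fi
}

# CVE-2014-7187: 200 nested "for" loops step past the end of word_lineno;
# a vulnerable Bash crashes while parsing the generated script.
probe_cve_2014_7187() {
    script=$(
        i=1; while [ "$i" -le 200 ]; do echo "for x$i in ; do :"; i=$((i + 1)); done
        i=1; while [ "$i" -le 200 ]; do echo done; i=$((i + 1)); done
    )
    if printf '%s\n' "$script" | "$BASH_BIN" >/dev/null 2>&1; then
        echo patched
    else
        echo vulnerable
    fi
}

# Run every probe, print one line per CVE and return the number of
# vulnerable results, so a deployment script can gate on the exit status.
shellshock_report() {
    vulnerable=0
    for cve in 6271 7169 6277 6278 7186 7187; do
        result=$("probe_cve_2014_$cve")
        printf 'CVE-2014-%s: %s\n' "$cve" "$result"
        if [ "$result" = vulnerable ]; then vulnerable=$((vulnerable + 1)); fi
    done
    return "$vulnerable"
}

shellshock_report
```

Run it on an appliance shell or a build host; a result of vulnerable for any CVE means the Bash on that system predates the corresponding upstream patch. The probes exercise parser bugs deliberately, so on an unpatched Bash three of them (CVE-2014-6277, CVE-2014-7186 and CVE-2014-7187) make the child process crash; that crash is the detection signal, not a side effect, and the calling shell is unaffected.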
Solution

Riverbed is actively working on identifying affected products and providing resolution for any products determined to be affected. As each product is updated, tested, and released, we will update this knowledge base article. Check back periodically to learn when updates to the products you use become available.

SteelHead | SteelApp | SteelCentral | SteelFusion | SteelStore | Riverbed Open Source | Xirrus WiFi



In the lists below, products are grouped together when the same information applies to all products in the group. For example, in the SteelHead section, the bulleted statements apply to all of the product names listed above the statements.
SteelHead Products:

SteelHead CX (appliance, virtual, and cloud)
SteelHead DX
SteelHead EX
SteelHead Interceptor
SteelCentral Controller for SteelHead
SteelCentral Controller for SteelHead Mobile
Riverbed Services Platform
SteelApp products:
SteelApp Traffic Manager Virtual Appliance
  • Not vulnerable: the web interface does not expose a method to exploit the vulnerable Bash.
  • Vulnerable: if any interface is set to obtain an IP address through DHCP, the vulnerability is exposed. The DHCP client uses various environment variables and runs Bash to configure the network interface. Connecting to a malicious DHCP server could allow an attacker to run arbitrary code on the target machine.
  • Vulnerable: the default shell for SSH access is Bash. Authentication is required, but an authenticated user whose session is limited to a restricted command or shell could still force Bash to run arbitrary commands passed through environment variables, bypassing that restriction.
  • Vulnerable: any custom written scripts that execute with Bash could be used to deliver an exploit.
  • A fix for the vulnerable version of Bash is available in version 9.8r1 of the SteelApp Traffic Manager Virtual Appliance package. Download now at https://support.riverbed.com/content/support/software/steelapp/traffic-manager.html. See the release notes for details.
  • Alternately, if upgrading the installed package is not possible, a hotfix is available now from Riverbed for releases from 9.2 through 9.8 and can be installed using the web UI (choose System -> Traffic Managers -> Manage -> Software Upgrade). Download the appropriate hotfix:
SteelApp Traffic Manager software-only package
  • Vulnerable: the three cases that apply to the Virtual Appliance also apply to the software-only package.
  • Vulnerable to remote exploits if the administrative UI port (default 9090) is exposed to an attacker and your distribution creates a symbolic link from /bin/sh to /bin/bash, so that anything the administration server runs through /bin/sh is executed by the vulnerable Bash.
  • Consult your distribution's security information for details on patch availability and installation procedure.

SteelApp Web App Firewall
  • Not vulnerable: neither the standalone package nor the STM-integrated package contains the affected software.
  • A new baseline, 201409250852, was released; it adds a rule for Bash injection (CVE-2014-6271 and CVE-2014-7169).

SteelApp Web Accelerator
  • Not vulnerable: the standalone Web Accelerator does not contain the affected software.

SteelCentral Services Controller for SteelApp virtual appliance
  • Not vulnerable: SSH access is not directly exposed. Access to the command line requires authentication and authorization. The SSH daemon does not allow environment variables to be copied from the client, and the AcceptEnv configuration option cannot be enabled in any fashion.
  • Not vulnerable: a CGI path exists, but is not written in Bash and does not spawn subshells. HTTP headers are not set as environment variables.
  • Vulnerable: if any interface is set to obtain an IP address through DHCP, the vulnerability is exposed. The DHCP client uses various environment variables and runs Bash to configure the network interface. Connecting to a malicious DHCP server could allow an attacker to run arbitrary code on the target machine. Current remediation is to configure a static IP address.
  • The Services Controller virtual appliance is based on RiOS, the same software framework as SteelHead. A fix for the vulnerable versions of Bash will be included in a forthcoming release. Please check the download page for availability.

SteelCentral Services Controller for SteelApp software-only package
  • Not vulnerable: the Services Controller software does not use environment variables to pass connection data and does not execute any processes in the shell.

SteelCentral Services Controller for SteelApp instance host
  • Vulnerable: the instance host package contains a vulnerable version of Bash.
  • Please contact Riverbed support to obtain an updated instance host package.
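The bullets in this section describe the same three exposure conditions that recur through this article: an SSH server that accepts client environment variables (the AcceptEnv statement in the Services Controller entry), interfaces that obtain their address through DHCP, and a /bin/sh that is really Bash (the software-only Traffic Manager note). The script below is an added example, not Riverbed code, that checks each condition; the sshd_config and interfaces texts it contains are constructed samples, and only the /bin/sh check runs against the host it is started on.

```sh
#!/bin/sh
# Added example, not Riverbed code: audit the three exposure conditions this
# article repeats for several products (SSH accepting client environment
# variables, interfaces configured for DHCP, and /bin/sh being Bash). Each
# check takes its input as text or a path so it can be pointed at a captured
# config; the sample inputs below are constructed for the example.

# 1. sshd: a client can only plant an environment variable in the login shell
#    if the server has an AcceptEnv directive naming it. Accepts sshd_config
#    text (or "sshd -T" output); returns 0 if any uncommented AcceptEnv line
#    lists at least one variable, 1 otherwise.
sshd_acceptenv_exposed() {
    printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*AcceptEnv[[:space:]]+[^#[:space:]]'
}

# 2. Interfaces: dhclient hands the server's option values (domain name,
#    hostname, ...) to dhclient-script through environment variables, so every
#    DHCP interface is a path for a rogue DHCP server to reach Bash. Parses
#    /etc/network/interfaces syntax ("iface eth0 inet dhcp") and prints the
#    names of the interfaces using DHCP, one per line.
dhcp_interfaces() {
    printf '%s\n' "$1" | awk 'tolower($1) == "iface" && tolower($4) == "dhcp" { print $2 }'
}

# 3. /bin/sh: if it resolves to Bash, anything that calls system(3) or
#    "sh -c" with attacker-influenced environment (CGI handlers, for example)
#    reaches the vulnerable parser. Returns 0 if the given path (default
#    /bin/sh) resolves to a Bash binary, 1 if not, 2 if it cannot be resolved.
sh_is_bash() {
    target=$(readlink -f "${1:-/bin/sh}") || return 2
    case "${target##*/}" in bash*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample inputs (not taken from any appliance).
SAMPLE_SSHD_CONFIG='Port 22
PermitRootLogin no
#AcceptEnv LANG LC_*
AcceptEnv LANG LC_* TERM'

SAMPLE_INTERFACES='auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

auto eth1
iface eth1 inet static
    address 10.0.0.5
    netmask 255.255.255.0'

# Report on the samples, then on the running host for the /bin/sh check.
audit_report() {
    if sshd_acceptenv_exposed "$SAMPLE_SSHD_CONFIG"; then
        echo "sshd: AcceptEnv forwards client variables (exposed); remove the directive"
    else
        echo "sshd: no AcceptEnv (not exposed)"
    fi
    for ifc in $(dhcp_interfaces "$SAMPLE_INTERFACES"); do
        echo "interface $ifc: DHCP (exposed); configure a static address"
    done
    if sh_is_bash /bin/sh; then
        echo "/bin/sh: resolves to Bash (exposed until Bash is patched)"
    else
        echo "/bin/sh: not Bash"
    fi
}

audit_report
```

On a real system replace the sample texts with the contents of /etc/ssh/sshd_config (or the output of sshd -T, which shows the effective value after any Match blocks) and the interface configuration the appliance actually uses; the three checks are independent, so each can be dropped into an existing inventory script on its own.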
 
Additional information
Riverbed has published on the Community website a TrafficScript rule to protect against "Shellshock" bash vulnerability (CVE-2014-6271). Please see https://community.riverbed.com/helpcenter/s/article/DOC-4707 to obtain the code.
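The Web App Firewall baseline and the TrafficScript rule above filter live requests for the Shellshock marker. The script below is an added example, not Riverbed's rule or WAF code: it applies the same signature to stored access-log lines (combined log format) so that probes which arrived before a filter was in place can be found and attributed to a source address. The log lines it contains are constructed for the example and use documentation-range addresses.

```sh
#!/bin/sh
# Added example, not Riverbed code: look for Shellshock probes in access-log
# lines. The SteelApp WAF rule and TrafficScript rule do this on live
# requests; here the same signature is run over stored log lines so earlier
# probes can be found and attributed. The sample log is constructed.

# The signature: "()" followed by optional whitespace and "{", which is how
# Bash recognised an exported function. Also matches the percent-encoded
# forms (%28%29, %20 or +, %7B) seen in request paths and query strings.
SHELLSHOCK_RE='(\(\)|%28%29)(%20|\+|[[:space:]])*(\{|%7[Bb])'

# Print every line of stdin that carries the marker anywhere: User-Agent,
# Referer, Cookie, path and query string all end up in an access log.
shellshock_scan() {
    grep -E "$SHELLSHOCK_RE" || true
}

# Count the matching lines on stdin (prints 0 when there are none).
shellshock_hits() {
    grep -Ec "$SHELLSHOCK_RE" || true
}

# Print the distinct client addresses (first field) that sent a probe.
shellshock_sources() {
    grep -E "$SHELLSHOCK_RE" | awk '{ print $1 }' | sort -u
}

# Constructed sample: two CGI probes via User-Agent, one via Referer, one
# percent-encoded in the query string, and one ordinary request.
SAMPLE_ACCESS_LOG='192.0.2.10 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c \"id\""
192.0.2.11 - - [25/Sep/2014:10:12:03 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.12 - - [25/Sep/2014:10:12:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() {:; }; echo vulnerable" "curl/7.30.0"
192.0.2.13 - - [25/Sep/2014:10:12:07 +0000] "GET /search?q=x()%20{%20:;};%20id HTTP/1.1" 404 300 "-" "curl/7.30.0"
192.0.2.10 - - [25/Sep/2014:10:12:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c \"uname -a\""'

# Stand-alone use: list the probes, then the count and the source addresses.
printf '%s\n' "$SAMPLE_ACCESS_LOG" | shellshock_scan
printf 'hits: %s\n' "$(printf '%s\n' "$SAMPLE_ACCESS_LOG" | shellshock_hits)"
printf '%s\n' "$SAMPLE_ACCESS_LOG" | shellshock_sources
```

Against a real log, pipe the file in instead of the sample (for example `shellshock_sources < access.log`). A 200 response on a CGI path next to a matching User-Agent does not by itself prove the script ran the payload, since the marker is matched on the request and not on the outcome; treat hits as a list of hosts to check with the Bash probe script in the Issue section and to trace in the outbound connection logs for the same minute.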
SteelCentral products:


NetShark versions 9.5.0 and later

  • Vulnerable: the command line interface (CLI) is vulnerable only when accessed from SSH and only when an attacker can successfully log into the appliance. The recommended workaround is to disable SSH access to the system (log into the web UI, choose Settings -> Basic Settings -> Uncheck "Enable Secure Shell (SSH) Access").
  • Vulnerable: if the management interface(s) eth0/eth1 are set to obtain an IP address through DHCP, the vulnerability is exposed. The DHCP client uses various environment variables and runs Bash to configure the network interface. Connecting to a malicious DHCP server could allow an attacker to run arbitrary code on the client machine. Current remediation is to configure the management interfaces with a static IP address (log into the web UI choose Settings -> Basic Settings -> Uncheck "Enable DHCP on eth0/eth1" and then set a static IP address).
  • Not vulnerable: the web interface and the RESTful API (both accessible through the HTTPS protocol) are not vulnerable. NetShark incorporates a special purpose web server that doesn't support CGI execution and doesn't use external Bash scripts to process the HTTP requests.
  • A fix for the vulnerable versions of Bash is available in NetShark software version 10.7.1. Download now at https://support.riverbed.com/content/support/software/steelcentral-npm/net-shark.html. Prior versions of the software will not be patched.

NetProfiler versions 9.5.0 and later
NetExpress versions 9.5.0 and later
Flow Gateway versions 9.5.0 and later
Cascade Sensor versions 9.5.0 and later

  • Vulnerable: the command line interface (CLI) is an unrestricted Bash shell and is vulnerable only when an attacker can successfully log in.
  • Vulnerable: the initial configuration of the appliance from the factory will attempt to use DHCP to obtain an IP address. The DHCP client uses various environment variables and runs Bash to configure the network interface. Connecting to a malicious DHCP server could allow an attacker to run arbitrary code on the client machine. Current remediation is to perform the initial system configuration in a staging area that has no access to the public Internet.
  • Not vulnerable: the web interface and the RESTful API (both accessible through the HTTPS protocol) are not vulnerable. The products do not use CGI or copy data from the HTTP headers into the environment when running any external programs on the system.
  • A fix for the vulnerable versions of Bash is available in NetProfiler/NetExpress/Flow Gateway/Cascade Sensor software version 10.7.1. Download now at https://support.riverbed.com/content/support/software/steelcentral-npm/net-profiler.html.
  • Alternately, if upgrading the installed software is not possible, a hotfix is available from Riverbed for software versions 10.0.8 (Mazu legacy products) and 10.6.1 (Intel legacy products). Download now at https://support.riverbed.com/content/support/software/steelcentral-npm/net-profiler.html, select 10.0.8 or 10.6.1 (whichever applies) from the drop-down menu, and follow the instructions in KB article S25211 to apply the hotfix. Other versions will not be patched.

 

NetShark versions before 9.5.0
NetProfiler versions before 9.5.0
NetExpress versions before 9.5.0
Flow Gateway versions before 9.5.0
Cascade Sensor versions before 9.5.0

  • These versions are no longer supported and will not be patched.

AppResponse

  • Not vulnerable: AppResponse uses Bash for some background processing, but there is currently no known way to reach that Bash with attacker-controlled environment variables without privileged, support-level access, so Shellshock is not exploitable on the product. Security scans of AppResponse releases 9.0.3 and earlier may nonetheless observe the Bash version number and flag it as a high-severity vulnerability.
  • A fix for the vulnerable versions of Bash will be included in AppResponse software version 9.5.2 and higher. Please check the download page for availability.

UCExpert virtual appliance and software-only package

  • Vulnerable: the command line interface (CLI) is an unrestricted Bash shell and is vulnerable only when an attacker can successfully log in. Certain administrative scripts rely on Bash.
  • A fix for the vulnerable versions of Bash is available in UCExpert virtual appliance version 5.0.1. Download now at https://support.riverbed.com/content/support/software/steelcentral-npm/ucexpert.html. For UCExpert software-only installations, please consult your distribution's security information for details on patch availability and installation procedure.

AppInternals
AppMapper
NetCollector
NetSensor
NetAuditor
Provisioner
Dashboards
NetPlanner

  • Not vulnerable. Bash is not included in the shipping products. Furthermore, shells are not accessible nor are they used for processing information. Embedded web servers do not use CGI.

 

Modeler

  • Not vulnerable: Bash is not included in the shipping product. Furthermore, shells are not accessible nor are they used for processing information. No web servers are included in the products.

Packet Analyzer
Transaction Analyzer
AirPcap driver

  • Not vulnerable, as these are Windows applications.

SteelFusion products:

SteelHead EX
Granite Core (appliance or virtual)

  • Not vulnerable: SSH access is not directly exposed. Access to the command line requires authentication and authorization. The SSH daemon does not allow environment variables to be copied from the client, and the AcceptEnv configuration option cannot be enabled in any fashion.
  • Not vulnerable: a CGI path exists, but is not written in Bash and does not spawn subshells. HTTP headers are not set as environment variables.
  • Vulnerable: if any interface is set to obtain an IP address through DHCP, the vulnerability is exposed. The DHCP client uses various environment variables and runs Bash to configure the network interface. Connecting to a malicious DHCP server could allow an attacker to run arbitrary code on the target machine. Current remediation is to configure a static IP address.
  • A fix for the vulnerable versions of Bash will be included in the following software versions. Please check the download page for availability. Additional SteelFusion family products will be added to this list shortly; be sure to check back. Prior versions of the software will not be patched.
SteelStore products (This product line has been acquired by NetApp - please contact NetApp Support for information regarding this vulnerability):
  • Not vulnerable: SSH access is not directly exposed. Access to the command line requires authentication and authorization. The SSH daemon does not allow environment variables to be copied from the client, and the AcceptEnv configuration option cannot be enabled in any fashion.
  • Not vulnerable: a CGI path exists, but is not written in Bash and does not spawn subshells. HTTP headers are not set as environment variables.
  • Vulnerable: if any interface is set to obtain an IP address through DHCP, the vulnerability is exposed. The DHCP client uses various environment variables and runs Bash to configure the network interface. Connecting to a malicious DHCP server could allow an attacker to run arbitrary code on the target machine. Current remediation is to configure a static IP address.
  • A fix for the vulnerable versions of Bash is available in SteelStore software version 3.1.2e. Download now at https://support.riverbed.com/content/support/software/steelstore.html. Prior versions of the software will not be patched.
Riverbed Open Source:

Wireshark

  • Not vulnerable: Wireshark does not include or invoke Bash.

WinPcap
WinDump

  • Not vulnerable, as these are Windows products.
Xirrus WiFi:

Background
CVE-2014-6271 refers to a flaw in the Bash functionality that evaluates specially formatted environment variables passed to it from another environment. Bash is a Unix shell written for the GNU operating system. It has been widely used as the default shell on Linux and on Apple Mac computers and laptops. CVE-2014-6271 is also known colloquially as the "Shellshock vulnerability."

The US Government National Vulnerability Database has rated the Shellshock vulnerability 10/10 for severity and "low" in terms of access complexity, meaning it is very easy to exploit.

An attacker could use this behaviour to override or bypass restrictions placed on the environment and potentially execute shell commands before those restrictions have been applied. Where a network service passes attacker-supplied data to Bash through environment variables, the vulnerability allows a remote, unauthenticated attacker to execute arbitrary code on a Unix/Linux system, which could be used, for example, to download malware onto the machine, read or send email, copy personal data, or turn on the computer's microphone or webcam.

What must be done to clients (laptops, tablets, phones, etc.) to remediate this issue?
Bash is most commonly found on devices running Linux, including set-top boxes, smart TVs, and others. In addition, most Apple Mac computers running Mac OS X use Bash. If you own a Mac laptop or desktop, or run a Linux operating system, you are most likely affected by this vulnerability. Please check with your supplier for a maintenance fix.

What server-side actions can be done to remediate this issue?
Apache itself does not use Bash, but web servers that run CGI scripts written in Bash, or whose CGI handlers invoke Bash directly or through /bin/sh, pass request headers to those scripts as environment variables and are therefore exposed to Shellshock. Please check with your supplier for a maintenance fix.

How are public-facing Xirrus products with embedded web servers affected?

  Product                               URL                             Fix
  Xirrus XMS-Cloud                      https://login.xirrus.com        Updated 9/25/2014
  Xirrus XMS-Enterprise in the Cloud    https://cloud.xirrus.com        Deployment of 7.0.6 starts 10/6/2014
  Xirrus Wi-Fi Designer-Cloud           https://wfd.cloud.xirrus.com    Updated 9/26/2014

How are private-facing Xirrus products with embedded web servers affected?

  Product                                                     Version                         Fix
  XR Arrays and APs (500/600/1K/2K/4K/6K/7K)                  AOS 7.0.5 and prior releases    Not affected
  XN Arrays                                                   AOS 6.4.7 and prior releases    Not affected
  Wi-Fi Designer-Enterprise                                   1.8.1                           Not affected
  XMS-Enterprise on VMware, Hyper-V and hardware appliances   7.0.5                           7.0.6 for VMware and Hyper-V, release date 9/30/2014; 7.0.6 for hardware appliances, release date 10/2/2014
  XMS-Enterprise on Windows                                   7.0.5                           Not affected

Xirrus holds the security of our customers in the highest regard. Should you have any other questions or concerns about this vulnerability, please contact Xirrus Support at support@xirrus.com or by telephone at one of the following numbers:
 
United States and Canada +1.800.947.7871 (US Toll Free) or +1.805.262.1600 (Direct)
Europe, Middle East, and Africa +44.20.3239.8644
Australia 1.300.947.787 (Within Australia)
Asia and Oceania +61.2.8006.0622
Latin, Central, and South America +1.805.262.1600
Environment

CVE-2014-6271 and CVE-2014-7169 (a.k.a. Bash shell vulnerability, a.k.a. Shellshock)
