September 26, 2014, SUNNYVALE, Calif.—(BUSINES WIRE)
(CVE-2014-6271 and CVE-2014-7169)
Vulnerability
GNU Bash (Bourne-again shell) is a Unix shell for the GNU Project that has been distributed widely as a default shell on Linux. Bash is a terminal–based command interpreter.
GNU Bash (through version 4.3) has vulnerability when processing certain environment variables. Trailing strings after the function definition in the environment variables can be exploited to change or bypass the environment restrictions allowing execution of remote shell commands.
Severity
This vulnerability has widespread impact for any organization or user that has Bash enabled on a server, desktop or device. It can affect OpenSSH sshd using the ForceCommand function, Apache server using mod_cgi or mod_cgid, DHCP clients, and other applications that uses bash as an interpreter.
Hillstone’s Announcement
1. Hillstone M-series, G series, and X series products use StoneOS developed by Hillstone Networks. GNU Bash is not used by StoneOS so it is not affected by this vulnerability.
2. Hillstone T-series products use GNU Bash 4.3 and earlier versions. However bash is not used as an interpreter to process external inputs. Consequently, the bash bug does not affect these products. However, customers using T-series products can contact Hillstone Technical Support for the latest patches.
3. HSM and HSA use GNU Bash 4.3 and earlier versions, but Bash is not used as an interpreter to process external inputs. Consequently, the Bash bug does not affect these products. However, HSM and HSA customers can contact Hillstone Technical Support for a patch.
4. Hillstone M-series/G-series/T-series has upgraded its IPS signature database to detect attacks that exploit this vulnerability. Customers are encouraged to upgrade their IPS signature database to the latest version.
