JSA10648 - 2014-09 Out of Cycle Security Bulletin: Multiple Products: Shell Command Injection Vulnerability in Bash

Product Affected
Problem

Bash, the Bourne-again shell, has vulnerabilities in the way it handles environment variables when it is invoked. Under some scenarios, network-based remote attackers can inject shell script that is then executed on a system. This is also known as "ShellShock".

These issues have been assigned CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277 and CVE-2014-6278.

Products vulnerable to remote exploitation risks:

  • None.

Products with bash and vulnerable to lesser security risks:

  • Pulse Connect Secure (PCS), Pulse Policy Secure (PPS), MAG (in all versions): If the DMI Agent is enabled (either inbound or outbound), then authenticated administrative users can run arbitrary commands as root. The DMI Agent functionality is accessible only via the internal port or management port. Non-administrative users and unauthenticated remote attackers cannot access the DMI interface and cannot exploit the issue. Administrative users should not be able to run shell commands on the device. Because this defect allows shell commands to be run, it represents a risk to the integrity of the system. The CVSS v2 base score for this scenario is 4.4 (AV:L/AC:M/Au:S/C:N/I:C/A:N).

Products with bash, but NOT affected by remote exploitation risks:

Our current assessment shows there is no risk of remote unauthenticated code execution on these products even though the products include bash. Scenarios required for known remote exploitation vectors do not exist on these products. As a precaution, bash in these products will be upgraded.
  • Pulse Connect Secure (PCS)
  • Pulse Policy Secure (PPS)
  • MAG

Products NOT affected:

  • SBR Enterprise Edition is not vulnerable.
  • SBR Global Enterprise Edition is not vulnerable.

Pulse Secure is investigating our product portfolio for affected software that is not mentioned above. As new information becomes available, this document will be updated.

Modification History:
Sep 25, 2014: Initial release.
Sep 29, 2014: Updated the status of SSL VPN products as vulnerable to lesser security risks, updated the list of known CVEs related to the ShellShock issue.
Oct 22, 2014: Added Pulse Connect Secure (PCS) fixed release information.

 
Solution

Pulse Connect Secure (PCS) / MAG:

Fixes have been added to the following releases: 7.1R20.1, 7.4R13.1 and 8.0R7, which are available for download from the Pulse Secure Licensing and Download Center at https://my.pulsesecure.net.

 

We are currently investigating our product portfolio for affected software and will work to provide fixes for any software that is found to be vulnerable. This document will be updated with version information as product updates become available.

Workaround
Workarounds for these issues include:
  • Use access lists or firewall filters to limit access to services such as HTTP, HTTPS, and SSH to only trusted hosts.
  • Do not use the device as a DHCP client on untrusted networks.
  • Limit shell access on any device to only trusted users.

It is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment irrespective of a product's exposure to this issue. Always use access lists or firewall filters to limit access to the devices to trusted, administrative networks or hosts.

Workaround for Pulse Connect Secure (PCS), Pulse Policy Secure (PPS):

Disabling the DMI agent (both inbound and outbound) should completely mitigate associated security risks.

Implementation
Related Links
CVSS Score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Risk Assessment: Information on how Pulse Secure uses CVSS can be found in KB16446 "Common Vulnerability Scoring System (CVSS) and Pulse Secure's Security Advisories."
Acknowledgements
Pulse Secure SIRT would like to acknowledge and thank Stephane Chazelas for discovering CVE-2014-6271, Michal Zalewski for discovering CVE-2014-6277 and CVE-2014-6278, and Florian Weimer for responsibly coordinating disclosure of vulnerabilities.


 
Alert Type 
Risk Level: Critical
Legacy ID: JSA10648
