Bash, the Bourne-again shell, has vulnerabilities in the way it handles environment variables when it is invoked. Under some scenarios, network-based remote attackers can inject shell script that is then executed on the system. This is also known as "ShellShock".
These issues have been assigned CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277 and CVE-2014-6278.
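The defect in the first sentence is that bash, on start-up, imports shell functions from environment variables and, in the unpatched versions, also runs any commands appended after the function body. A defender verifying that an upgraded bash no longer does this can use the following local self-check. It is an added example, not part of the Pulse Secure advisory and not Pulse Secure's code; it assumes a POSIX `sh` and a `bash` binary on the host (the path can be passed as the first argument), and it only echoes marker strings, so it does not modify the system under test.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether the local bash still
# exhibits the original ShellShock condition (CVE-2014-6271), i.e. whether it
# executes commands appended to a function definition imported from the
# environment. Prints "vulnerable", "not-vulnerable" or "unknown".
shellshock_status() {
    bash_bin="${1:-bash}"   # assumption: bash is on PATH unless a path is given
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "unknown"      # nothing to test on this host
        return 0
    fi
    # The variable value defines an empty function and appends an echo.
    # An unpatched bash runs that echo while importing the variable; a patched
    # bash ignores the variable and only runs the -c command.
    out=$(env x='() { :;}; echo marker-vulnerable' "$bash_bin" -c 'echo probe-ran' 2>/dev/null)
    case "$out" in
        *marker-vulnerable*) echo "vulnerable" ;;
        *probe-ran*)         echo "not-vulnerable" ;;
        *)                   echo "unknown" ;;
    esac
}

# Usage: run the check against the default bash and surface the result.
shellshock_status "$@"
```

Because the check only reports the status, it can be run on each host after applying the vendor's bash upgrade; a result of "vulnerable" means the upgrade did not take effect. It does not cover the follow-on parser CVEs listed above, which need their own vendor-published checks.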
Products vulnerable to remote exploitation risks:
Products with bash and vulnerable to lesser security risks:
- Pulse Connect Secure (PCS), Pulse Policy Secure (PPS), MAG (in all versions): If the DMI Agent is enabled (either inbound or outbound), then authenticated administrative users can run arbitrary commands as root. The DMI Agent functionality is accessible only via the internal port or management port. Non-administrative users and unauthenticated remote attackers cannot access the DMI interface and cannot exploit the issue. Administrative users are not supposed to be able to run shell commands on the device; because this defect allows shell commands to be run, it represents a risk to the integrity of the system. The CVSS v2 base score for this scenario is 4.4 (AV:L/AC:M/Au:S/C:N/I:C/A:N).
Products with bash, but NOT affected by remote exploitation risks:
Our current assessment shows there is no risk of remote unauthenticated code execution on these products even though the products include bash. Scenarios required for known remote exploitation vectors do not exist on these products. As a precaution, bash in these products will be upgraded.
- Pulse Connect Secure (PCS)
- Pulse Policy Secure (PPS)
Products NOT affected:
- SBR Enterprise Edition is not vulnerable.
- SBR Global Enterprise Edition is not vulnerable.
Pulse Secure is investigating our product portfolio for affected software that is not mentioned above. As new information becomes available this document will be updated.
Sep 25, 2014: Initial release.
Sep 29, 2014: Updated the status of SSL VPN products as vulnerable to lesser security risks; updated the list of known CVEs related to the ShellShock issue.
Oct 22, 2014: Added Pulse Connect Secure (PCS) fixed release information.