Cisco, Oracle find dozens of their products affected by Shellshock

Cisco has identified 71 products vulnerable to Shellshock and Oracle 51, but the number is likely to increase

Cisco Systems and Oracle are hard at work identifying networking and other products in their portfolios that are affected by the critical Shellshock vulnerability.

The Shellshock vulnerability and several related ones found over the past week stem from errors in how the Bash command-line interpreter for Unix and Linux systems parses strings passed to it by external scripts. The flaws allow attackers to trick certain processes running on vulnerable machines to pass malicious strings to Bash that would then get executed as commands on the underlying OS.

Security researcher Rob Fuller has put together a collection of Shellshock proof-of-concept exploits gathered from various sources. The most well-known attack vectors are through Web servers that run CGI scripts and through SSH (Secure Shell) daemons, although other applications that interact with Bash are also potential targets.

Cisco has identified 71 products so far that are exposed to the vulnerability. These products serve various purposes, including network application, service and acceleration; network content and security; network management and provisioning; routing and switching; unified computing; voice and unified communications; video, streaming, TelePresence and transcoding.

The number of Cisco products vulnerable to Shellshock and related bugs far exceeds the 38 confirmed not to be vulnerable. The company is reviewing an additional 168 products and hosted services, so the list of vulnerable products is likely to increase.

"The impact of this vulnerability on Cisco products may vary depending on the affected product because some attack vectors such as SSH, require successful authentication to be exploited and may not result in any additional privileges granted to the user," Cisco said in its advisory.

Oracle is also in the process of identifying which of its products are vulnerable. So far the company has released Shellshock patches for nine products: Oracle Database Appliance 12.1.2 and 2.X; Oracle Exadata Storage Server Software; Oracle Exalogic; Oracle Exalytics; Oracle Linux 4, 5, 6 and 7; Oracle Solaris Operating System 8, 9, 10 and 11; Oracle SuperCluster; Oracle Virtual Compute Appliance Software and Oracle VM 2.2, 3.2 and 3.3.

An additional 42 products use Bash in at least one of their versions and are likely to be vulnerable to Shellshock, Oracle has found. No patches are currently available for those products. Four other products are currently being investigated to determine if they're using vulnerable Bash versions.

"Oracle has not assessed the impact of this vulnerability against products that are no longer supported by Oracle," the company said in its advisory.

Other vendors with products built on top of Linux, whether those are hardware appliances, SCADA platforms, specialized servers or embedded devices, are likely to release Shellshock patches in the near future.

The overall impact of the Shellshock vulnerability and the related Bash bugs is hard to quantify given the ubiquitous nature of this basic component in the Unix and Linux world and the fact that all Bash versions going back to 1993 are likely vulnerable. The multiple attack vectors only add to the complexity of determining which systems are at risk.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags patchesCisco Systemssecuritypatch managementExploits / vulnerabilitiesOracle

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?