shellshock vulnerability

  • Question
  • Updated 3 years ago
When can we reckon with a statement about the Shellshock vulnerability?
Is there any advice regarding this problem for Enterasys / Extreme products to bypass the time until an official statement / patches for the affected products are released? Are there products which are for sure not affected (products without a bash or without access to the bash)?

Thank you for any reply



Patrick Graf


Posted 3 years ago


Ben Parker

Also definitely interested in the response to this. Based on preliminary testing, I spun up a Netsight VM with 6.1.0137 and it was running bash 4.2.24(1), which is in the range of vulnerable versions, but I didn't receive the expected output when testing for a vulnerable version. I am concerned, though, because it looks like Netsight, NAC and Purview appliances are all running similar code and they have web servers on them, so NAC would be a great attack vector for malicious worms.

I am not sure about the wireless controllers or XOS. Based on some googling, it looks like XOS can run bash commands, but I am new enough to it that I am not sure how that works.

Looking forward to the updates soon.
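
Added example, not part of the original post and not vendor code: a local check that reports a bash binary's version string next to the result of a behavioural probe, since the post above describes the two disagreeing. The function names and the marker text are constructed for this example; the probe is the widely published environment-variable function-import test.

```shell
#!/usr/bin/env bash
# Added example: local, read-only Shellshock check for one bash binary.
# Usage (after sourcing this file): shellshock_check [path-to-bash]
# With no argument it checks the bash found on PATH.

# Print the version string the binary itself reports.
bash_version() {
    "$1" -c 'printf "%s" "$BASH_VERSION"'
}

# Behavioural probe: pass an environment variable whose value looks like a
# function definition followed by a trailing command. A vulnerable bash
# executes the trailing command while importing its environment; a fixed
# bash treats the value as plain data. SHELLSHOCK_MARKER is an arbitrary,
# constructed string used only to recognise that execution.
probe_function_import() {
    local out
    out=$(env probe='() { :;}; echo SHELLSHOCK_MARKER' "$1" -c 'echo done' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo "vulnerable" ;;
        *done*)              echo "not-vulnerable" ;;
        *)                   echo "inconclusive" ;;
    esac
}

# Report both facts on one line so a version/behaviour mismatch is visible.
# Exit status: 0 = probe clean, 1 = vulnerable or inconclusive, 2 = no bash.
shellshock_check() {
    local bin ver result
    bin="${1:-$(command -v bash)}"
    if [ -z "$bin" ] || [ ! -x "$bin" ]; then
        echo "no-bash"
        return 2
    fi
    ver=$(bash_version "$bin")
    result=$(probe_function_import "$bin")
    echo "$bin version=$ver probe=$result"
    [ "$result" = "not-vulnerable" ]
}
```

The probe only covers the bash binary it is pointed at; whether a network-facing service on an appliance ever hands attacker-controlled environment variables to that bash is a separate question this check does not answer.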

Grosjean, Stephane, Employee


An official statement should be made shortly. Let's wait for it for the details.
EXOS shouldn't be exposed to this vulnerability.


Ben Parker

It looks like Extreme has published an official assessment at Scroll down the page to security materials to see the bash announcement.