Extreme Networks

Patrick_Graf · ‎09-26-2014

when can we reckon with a statement about the shellshock vulnerabilty ?
are there any advises regarding this problem to enterasys / extreme products to bypass the time untill an official statement / patches for the affected products are released?are there products which are for sure not affected ( products without a bash or without access to the bash) ?

Thank you for any reply

Regards,

Patrick

Ben_Parker · ‎09-27-2014

It looks like extreme has published an official assessment at http://www.extremenetworks.com/support/software/. Scroll down the page to security materials to see the bash announcement.

Stephane_Grosj1 · ‎09-26-2014

Hi,

An official statement should be made shortly. Let's wait for it for the detail.
EXOS shouldn't be exposed to this vulnerability.

Regards

Ben_Parker · ‎09-26-2014

Also definitely interested in the response to this. Based on preliminary testing, I spun up a Netsight vm with 6.1.0137 and it was running bash 4.2.24(1) which is in the range of vulnerable versions but I didn't receive the expected output when testing for a vulnerable version. I am concerned though because Netsight, NAC and Purview appliances are all running similar code it looks like and they have web servers on them so NAC would be a great attack vector for malicious worms.

I am not sure about the wireless controllers or XOS. Based on some googling it looks like XOS can running bash commands, but I am new enough to it that I am not sure how that works.

Looking forward to the updates soon.
Thanks

Extreme Networks

shellshock vulnerability

shellshock vulnerability