Shellshock vulnerability

  • 26 September 2014
  • 3 replies

Userlevel 1
When can we reckon with a statement about the Shellshock vulnerability?
Is there any advice regarding this problem for Enterasys / Extreme products to bypass the time until an official statement / patches for the affected products are released? Are there products which are for sure not affected (products without a bash or without access to the bash)?

Thank you for any reply.




Userlevel 2
Also definitely interested in the response to this. Based on preliminary testing, I spun up a Netsight VM with 6.1.0137 and it was running bash 4.2.24(1), which is in the range of vulnerable versions, but I didn't receive the expected output when testing for a vulnerable version. I am concerned, though, because Netsight, NAC and Purview appliances are all running similar code, it looks like, and they have web servers on them, so NAC would be a great attack vector for malicious worms.

I am not sure about the wireless controllers or XOS. Based on some googling it looks like XOS can run bash commands, but I am new enough to it that I am not sure how that works.

Looking forward to the updates soon.

Userlevel 7
An official statement should be made shortly. Let's wait for it for the details.
EXOS shouldn't be exposed to this vulnerability.

Userlevel 2
It looks like Extreme has published an official assessment at Scroll down the page to security materials to see the bash announcement.