Bash “Shellshock” vulnerability
| Advisory ID | CVE Number | Date discovered | Severity | Advisory revision |
|---|---|---|---|---|
| STORM-2014-001 | CVE-2014-6271 | 09/25/2014 | medium | v1 |
Vulnerability details
A vulnerability has been disclosed in the bash command interpreter (CVE-2014-6271). Exploiting it could lead to remote code execution on the targeted system.
Impacted products
| Products | Severity | Detail |
|---|---|---|
| Fast360 | medium | The version of the bash interpreter on Fast360 appliances is vulnerable. At the time of writing, preliminary studies showed that this vulnerability may be exploited only with a non-standard configuration of the DHCP client ("cable interface" with arkoonconfig key "dhcp-client.get-dns-servers=yes"), under conditions that differ from those of the attacks available on the Internet. However, due to the central role of bash, other, not yet identified vectors that allow this vulnerability to be exploited may be discovered. A preventive update is scheduled for Fast360 as soon as possible. |
Revisions
| Version | Date | Description |
|---|---|---|
| v1 | 09/25/2014 | Initial release |

Fast360
CVSS v2 Overall Score: 5.1

| Analysis | Impacted version |
|---|---|
| The Fast360 products include a vulnerable version of the bash command interpreter. At the time of writing, this vulnerability may be exploited only with a non-standard configuration of the DHCP client (“Cable modem interface” with the arkoon-config key “dhcp-client.get-dnsservers=yes”). The attacker needs to access the physical link connected to the cable modem interface. Due to the central role of the bash interpreter, other non-identified attack vectors may be discovered. Consequently, preventive updates are available in Fast360 5.0/32 and 5.0/6 versions. | |

| Workaround solution | Solution |
|---|---|
| Concerning the DHCP client exploitation, the following workaround can be applied: | Fast360 5.0/32 and Fast360 6.0/6 versions include a fix for this problem. We recommend that you update your version as soon as possible. |

| Access vector | Access complexity | Authentication | Confidentiality impact | Integrity impact | Availability impact |
|---|---|---|---|---|---|
| Local | High | None | Complete | Complete | Complete |
| CVSS Base score: 6.2 | CVSS Vector: (AV:L/AC:H/Au:N/C:C/I:C/A:C) |
| Exploitability | Remediation Level | Report Confidence |
|---|---|---|
| Unproven that exploit exists | Workaround | Unconfirmed |
| CVSS Temporal score: 4.5 | CVSS Vector: (AV:L/AC:H/Au:N/C:C/I:C/A:C/E:U/RL:W/RC:UC) |
| Collateral Damage Potential | Target Distribution |
|---|---|
| Low | High [76-100%] |
| CVSS Environmental score: 5.1 | CVSS Vector: (AV:L/AC:H/Au:N/C:C/I:C/A:C/E:U/RL:W/RC:UC/CDP:L/TD:H/CR:ND/IR:ND/AR:ND) |

