bash security update (RHSA-2014-1293, RHSA-2014-1294, RHSA-2014-1306, RHSA-2014-1311)

Original Release Date: September 26, 2014
Last Revised: February 10, 2015
Number: ASA-2014-369
Risk Level: High
Advisory Version: 17.0
Advisory Status: Final

1. Overview:

The GNU Bourne Again shell (Bash) is a shell and command language interpreter compatible with the Bourne shell (sh). Bash is the default shell for Red Hat Enterprise Linux.

A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2014-6271 to this issue.

It was also found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187 to these issues.
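Added example, not part of the Avaya advisory or any PSN: a POSIX sh function an administrator can run on a host after applying the listed update to confirm that bash no longer executes a command appended to a function definition passed in through the environment (the CVE-2014-6271 behaviour described above). The function names are this example's own.

```shell
#!/bin/sh
# Post-patch verification for CVE-2014-6271 (added example, not Avaya code).
# Exit status of shellshock_6271_status:
#   0 = patched (bash ignored the trailing command)
#   1 = vulnerable (bash executed the trailing command)
#   2 = no bash binary available to test
shellshock_6271_status() {
    bash_bin="${1:-$(command -v bash)}"
    [ -n "$bash_bin" ] && [ -x "$bash_bin" ] || return 2
    # The variable holds a function definition followed by an extra command.
    # Unpatched bash imports the function from the environment and also runs
    # the trailing command, so the word "vulnerable" appears in the output.
    # Patched bash treats the value as an ordinary string and prints only "probe".
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo probe' 2>/dev/null) || true
    case "$out" in
        *vulnerable*) return 1 ;;
        *)            return 0 ;;
    esac
}

# Human-readable wrapper for a patch-verification run; accepts an optional
# path to the bash binary under test.
report_shellshock_6271() {
    st=0
    shellshock_6271_status "$@" || st=$?
    case "$st" in
        0) echo "PATCHED: bash ignores commands appended to imported functions" ;;
        1) echo "VULNERABLE: bash executed an appended command (CVE-2014-6271)" ;;
        *) echo "UNKNOWN: no bash binary found to test" ;;
    esac
    return "$st"
}

report_shellshock_6271 || :
```

This probe covers only the original CVE-2014-6271 behaviour; confirmation of the CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187 fixes comes from the package version stated in the applicable PSN or RHSA, not from this check.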

More information about these vulnerabilities can be found in the security advisories issued by Red Hat: RHSA-2014-1293, RHSA-2014-1294, RHSA-2014-1306 and RHSA-2014-1311.

2. Avaya System Products using a modified version of RHEL 4, 5 or 6 with affected packages installed:

Product | Affected Version(s) | Risk Level | Actions
Avaya Aura® Application Enablement Services | 5.x, 6.x | High | Install the security patch as described in PSN004303u.
Avaya Aura® Application Server 5300 (SIP Core) | 2.x, 3.x | Medium | Install the security patch as described in PSN004306u.
Avaya Agile Communication Environment® | 3.x, 6.x | High | For 3.x, install the security patch as described in the 'Applying patch to prevent the Shellshock security threat' section of the ACE 3.0.4 Release Notes. For 6.x, install the security patch as described in the 'Applying patch to prevent the Shellshock security threat' section of the ACE 6.2.2 Release Notes.
Avaya Aura® Contact Center using Avaya Media Server on Linux | 6.4 through 6.4 SP13 | High | Install the security patch as described in PSN004321u.
Avaya IQ | 5.x | High | Install the security patch as described in Avaya IQ Patch for Shell Shock Vulnerability.
Avaya CMS | R17.x | Medium | Install the security patch as described in PSN004209u.
Avaya Aura® Collaboration Environment | 2.x, 3.x | High | Install the security patch as described in PSN004314u.
Avaya Aura® Communication Manager | 5.x, 6.x | High | Install the security patch as described in PSN020149u.
Avaya Communication Server 1000 (CS1000E, CS1000M, CS1000E/CS1000M Signaling Server) | 6.x, 7.x | Medium | For CS1000 6.x and 7.0, upgrade to 7.6 and install the security patch as described in PSN004297u. For CS1000 7.5 or 7.6, install the security patch as described in PSN004297u.
Avaya Aura® Conferencing | 7.0 through 7.2 SP5, 8.0 through 8.0 SP1 | Low | For 7.x, upgrade to 7.2 SP6 or later. For 8.x, upgrade to 8.0 SP2 or later.
Avaya Aura® Conferencing Standard Edition | 6.x | High | Install the security patch as described in PSN004350u.
Avaya Aura® Experience Portal | 6.0.x, 7.0.x | High | Install the bash update as described in Avaya Enterprise Linux Bash Update for 6.0.x or 7.0.x.
Avaya IP Office Server Edition | 8.1, 9.x | High | Install the bash update as described in IP Office Technical Tip #271.
Avaya IP Office Application Server | 8.x, 9.x | High | Install the bash update as described in IP Office Technical Tip #271.
Avaya Meeting Exchange | 5.x, 6.x | High | Install the security patch as described in PSN004350u.
Avaya Message Networking | 5.2 through 5.2 SP5, 6.3 GA, 6.3 GA Patch1 | High | For 5.x, upgrade to 5.2 SP6 or later. For 6.3, upgrade to 6.3 GA Patch2 or later.
Avaya Media Processing Server | 4.x | High | For customers and partners with active maintenance contracts, contact your Avaya support representative or follow your region-specific RMA process to acquire the MPS Red Hat Linux patch DVD, which includes many security updates along with resolution of the Bash shell security vulnerabilities. Reference: NTV80902 ASSY, DVD, MPS 4.1 Red Hat Enterprise Linux Patch 2014-09.
Avaya Aura® Messaging | 6.x | High | Install the security patch as described in PSN004307u.
Avaya Message Storage Server for Modular Messaging | 5.x | High | Install Avaya Modular Messaging 5.2 MM521801 Service Pack 18 Patch 1.
Avaya one-X® Client Enablement Services | 6.1.x, 6.2.x | High | For 6.1.x and 6.2.0, upgrade to 6.2.3 and install the security patch as described in PSN004344u. For 6.2.2 and 6.2.3, install the security patch as described in PSN004344u.
Avaya Aura® Presence Services | 6.x | High | For 6.0 through 6.2.4, upgrade to 6.2.5 and install the security patch as described in PSN029014u. For 6.2.5, install the security patch as described in PSN029014u.
Avaya Proactive Contact | 4.x, 5.x | High | For 4.x, install the security patch as described in PSN004362u. For 5.x, install the security patch as described in PSN004357u.
Avaya Aura® Session Manager | 6.x | Medium | Install the security patch as described in PSN004332u.
Avaya Aura® System Manager | 6.x | High | Install the security patch as described in PSN004331u.
Avaya Aura® System Platform | 6.x | High | Install the security patch as described in PSN027007u.
Avaya Aura® Communication Manager Utility Services | 6.x | High | Install the security patch as described in PSN027009u.
Avaya Virtual Application Manager | 6.2.x | High | Install the security patch as described in PSN027008u.
Avaya Voice Portal | 5.1.x | High | Install the bash update as described in Avaya Enterprise Linux Bash Update for VP 5.1.
WebLM | 6.x | High | Install the security patch as described in PSN004331u.

Recommended Actions for System Products:
Avaya strongly recommends following networking and security best practices by implementing firewalls, ACLs, physical security or other appropriate access restrictions. Though Avaya believes such restrictions should always be in place, risk to Avaya products and the surrounding network from this potential vulnerability may be mitigated by ensuring these practices are implemented until such time as an Avaya provided product update or the recommended Avaya action is applied. Further restrictions as deemed necessary based on the customer's security policies may be required during this interim period, but the System Product operating system or application should not be modified unless the change is approved by Avaya. Making changes that are not approved may void the Avaya product service contract.

Mitigating Factors:

When determining risk, Avaya takes into account many factors as outlined by Avaya's Security Vulnerability Classification Policy. The following table describes factors that mitigate the risk of specific vulnerabilities for affected Avaya products:

Vulnerability: CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187
Mitigating Factors:
  • The risk is rated Low for Conferencing because the exploit requires a local user account; all local users are privileged users and no additional capabilities would be gained by this exploit.
  • The risk is rated Medium for CMS, AS5300, CS1000 and Session Manager because the exploit requires a local user account and would allow escalation of privileges.
  • The risk is rated High for all other products because exploiting this vulnerability could bypass security restrictions and allow shell commands to be executed.

3. Avaya Software-Only Products:

Avaya software-only products operate on general-purpose operating systems. Occasionally vulnerabilities may be discovered in the underlying operating system or applications that come with the operating system. These vulnerabilities often do not impact the software-only product directly but may threaten the integrity of the underlying platform.

In the case of this advisory Avaya software-only products are not affected by the vulnerability directly but the underlying Linux platform may be. Customers should determine on which Linux operating system the product was installed and then follow that vendor's guidance.

Product | Actions
Avaya Aura® Application Enablement Services | Depending on the Operating System installed, the affected package may be installed on the underlying Operating System supporting the AES application.
Avaya Aura® Contact Center | Depending on the Operating System installed, the affected package may be installed on the underlying Operating System supporting the AES application.
CVLAN | Depending on the Operating System installed, the affected package may be installed on the underlying Operating System supporting the CVLAN application.
Avaya Aura® Experience Portal | Depending on the Operating System installed, the affected package may be installed on the underlying Operating System supporting the EP application.
Avaya Call Recorder | Depending on the Operating System installed, the affected package may be installed on the underlying Operating System supporting the Call Recorder application.
Avaya IQ | Depending on the Operating System installed, the affected package may be installed on the underlying Operating System supporting the IQ application.
Avaya Integrated Management Suite (IMS) | Depending on the Operating System installed, the affected package may be installed on the underlying Operating System supporting the IMS application.
Avaya Multimedia Messaging | Depending on the Operating System installed, the affected package may be installed on the underlying Operating System supporting the Multimedia Messaging application.
Avaya one-X® Client Enablement Services | For customers who have installed directly on Linux, the customer should refer to their Linux vendor's instructions for resolving this issue.
Avaya Aura® Presence Services | Depending on the Operating System installed, the affected package may be installed on the underlying Operating System supporting the PS application.
Avaya Voice Portal | Depending on the Operating System installed, the affected package may be installed on the underlying Operating System supporting the SAL Gateway application.

Recommended Actions for Software-Only Products:
In the event that the affected package is installed, Avaya recommends following the actions supplied by Red Hat for Red Hat Enterprise Linux.

4. Additional Information:

Additional information may also be available via the Avaya support website and through your Avaya account representative. Please contact your Avaya product support representative, or dial 1-800-242-2121, with any questions.

5. Disclaimer:

ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF PUBLICATION AND IS PROVIDED "AS IS". AVAYA INC., ON BEHALF OF ITSELF AND ITS SUBSIDIARIES AND AFFILIATES (HEREINAFTER COLLECTIVELY REFERRED TO AS "AVAYA"), DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND FURTHERMORE, AVAYA MAKES NO REPRESENTATIONS OR WARRANTIES THAT THE STEPS RECOMMENDED WILL ELIMINATE SECURITY OR VIRUS THREATS TO CUSTOMERS' SYSTEMS. IN NO EVENT SHALL AVAYA BE LIABLE FOR ANY DAMAGES WHATSOEVER ARISING OUT OF OR IN CONNECTION WITH THE INFORMATION OR RECOMMENDED ACTIONS PROVIDED HEREIN, INCLUDING DIRECT, INDIRECT, INCIDENTAL, STATUTORY, CONSEQUENTIAL DAMAGES, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF AVAYA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

THE INFORMATION PROVIDED HERE DOES NOT AFFECT THE SUPPORT AGREEMENTS IN PLACE FOR AVAYA PRODUCTS. SUPPORT FOR AVAYA PRODUCTS CONTINUES TO BE EXECUTED AS PER EXISTING AGREEMENTS WITH AVAYA.

6. Revision History:

V 1.0 - September 26, 2014 - Initial Statement issued.
V 2.0 - October 1, 2014 - Removed versions that reached "End of Manufacturing Support" for CM, Session Manager, System Manager and System Platform and updated CM actions.
V 3.0 - October 1, 2014 - Updated CM actions to reflect the patch numbers for individual releases.
V 4.0 - October 2, 2014 - Updated Communication Server 1000 actions.
V 5.0 - October 3, 2014 - Updated Presence Services actions.
V 6.0 - October 6, 2014 - Added Voice Portal to Section 2 and Section 3 and updated Experience Portal actions.
V 7.0 - October 7, 2014 - Added Media Processing Server and WebLM to the list of products impacted and updated AS5300 and System Platform actions.
V 8.0 - October 8, 2014 - Updated CM and CMS actions with PSN information.
V 9.0 - October 9, 2014 - Updated AES and Messaging actions with PSN information. Removed SAL Gateway from Section 3 and added Voice Portal and IQ. SAL Gateway is addressed in ASA-2014-377.
V 10.0 - October 10, 2014 - Updated MSS actions. Added Avaya Aura Contact Center to Section 2 and Section 3.
V 11.0 - October 14, 2014 - Updated MN actions. Added AVAM to Section 2 and Voice Call Recorder to Section 3.
V 12.0 - October 16, 2014 - Updated Collaboration Environment, SM, SMGR and WebLM actions.
V 13.0 - October 25, 2014 - Updated one-X CES and Utility Services actions.
V 14.0 - October 30, 2014 - Updated IP Office Server Edition and IP Office Application Server actions.
V 15.0 - November 4, 2014 - Added ACE to Section 2 and updated Conferencing Standard Edition, Meeting Exchange and Proactive Contact actions.
V 16.0 - November 11, 2014 - Updated ACE affected versions and actions and Proactive Contact actions.
V 17.0 - February 10, 2015 - Updated Conferencing affected versions and actions and set the advisory status to Final.

Avaya customers or Business Partners should report any security issues found with Avaya products via the standard support process.
Independent security researchers can contact Avaya at securityalerts@avaya.com.

Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries.

© 2014 Avaya Inc. All Rights Reserved. All trademarks identifying Avaya products by the ® or ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners.