Avaya Networking Products response to GNU Bash (Shellshock) vulnerabilities (RHSA-2014-1293, RHSA-2014-1294, RHSA-2014-1306, RHSA-2014-1311)

Original Release Date: September 30, 2014
Last Revised: January 20, 2015
Number: ASA-2014-367
Risk Level: High
Advisory Version: 4.0
Advisory Status: Final

1. Overview:

The GNU Bourne Again shell (Bash) is a shell and command language interpreter compatible with the Bourne shell (sh). Bash is the default shell for Red Hat Enterprise Linux.

A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2014-6271 to this issue.

It was also found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187 to these issues.
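As an added example (not part of Avaya's advisory and not Avaya tooling), the following POSIX shell script runs the two widely published diagnostic checks for CVE-2014-6271 and CVE-2014-7169 against the bash binary found in PATH. It makes the mechanism described above concrete: a function definition is passed through an environment variable, followed by text that a vulnerable bash either executes (6271) or mis-parses as a redirect into the command it was asked to run (7169). The BASH_BIN override and the function names are assumptions of this example; a patched bash reports both checks as "patched".

```shell
#!/bin/sh
# Added example: verifies whether the local bash still imports function
# definitions from environment variables unsafely. Assumes a `bash`
# binary is in PATH (override with BASH_BIN=/path/to/bash).

BASH_BIN="${BASH_BIN:-bash}"

# CVE-2014-6271: a vulnerable bash runs the command that follows the
# function body in the variable. Returns 0 when patched, 1 when vulnerable.
check_cve_2014_6271() {
    out=$(env x='() { :;}; echo VULNERABLE' "$BASH_BIN" -c 'echo test' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) return 1 ;;
        *)            return 0 ;;
    esac
}

# CVE-2014-7169: a vulnerable bash leaks parser state from the variable
# so that `echo date` becomes a redirect into a file named "echo".
# The check runs in a scratch directory and looks for that file.
# Returns 0 when patched, 1 when vulnerable.
check_cve_2014_7169() {
    tmp=$(mktemp -d)
    ( cd "$tmp" && env X='() { (a)=>\' "$BASH_BIN" -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$tmp/echo" ]; then
        rm -rf "$tmp"
        return 1
    fi
    rm -rf "$tmp"
    return 0
}

# Prints one status line per CVE; exits non-zero if any check fails,
# which makes the script usable from a configuration audit job.
report() {
    rc=0
    for cve in 6271 7169; do
        if "check_cve_2014_$cve"; then
            echo "CVE-2014-$cve: patched"
        else
            echo "CVE-2014-$cve: VULNERABLE"
            rc=1
        fi
    done
    return $rc
}

report
```

The script only exercises `echo` inside the crafted variables, so a vulnerable host prints a marker or creates an empty scratch file and nothing else; on a product listed in Section 2 it should be run after the Avaya-supplied patch is installed to confirm the fix took effect.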

More information about these vulnerabilities can be found in the security advisories issued by Red Hat (RHSA-2014-1293, RHSA-2014-1294, RHSA-2014-1306 and RHSA-2014-1311).

2. Avaya Networking Products using a modified version of RHEL 5 with affected packages installed:

Product                                                   | Affected Version(s)    | Risk Level | Actions
Configuration and Orchestration Manager (COM)             | All                    | High       | Install the security patches as described in the Avaya support site for this product.
Configuration and Orchestration Manager (COM-VPS)         | COM 3.1, VPS 1.1       | High       | Install the security patches as described in the Avaya support site for this product.
Virtualization Provisioning Service (VPS)                 | All                    | High       | Install the security patches as described in the Avaya support site for this product.
IP Flow Manager (IPFM)                                    | All                    | High       | Install the security patches as described in the Avaya support site for this product.
Visualization Fault and Performance Manager (VPFM)        | All                    | High       | Install the security patches as described in the Avaya support site for this product.
Pod Orchestration Suite                                   | All                    | High       | Install the security patches as described in the Avaya support site.
    For other Avaya products that may come installed in a C-Pod but are not listed in this ASA, install the security patches as described in the Shellshock/Bash Security Bug Product Patch status document.
Identity Engines Ignition Server                          | 9.0                    | Low        | Upgrade to 9.0.2 or later as described in the Avaya support site for this product.
Collaboration Pod on VMware vCenter Server Appliance 5.x  | 2.0                    | High       | 1. Download the VCSA 5.1 U2c iso file (VMware-vCenter-Server-Appliance-5.1.0.20300-2212990-updaterepo.iso) from the VMware support site.
    2. Upload the iso file to the Application datastore on the CPOD and mount that file to the vCenter VM.
       (Right-click the VM, choose Edit Settings and point the CD/DVD drive to the previously copied datastore ISO file. Make sure the "Connected" check-box is checked.)
    3. Follow the steps in this VMware documentation to update the vCenter. A reboot of the VM will be needed at the end; "unmount" the iso file from the VCSA (undo the settings from step 2).
Collaboration Pod Secure Remote Access (SRA)              | 1.0.1.1 on C-Pod 2.0   | Low        | Upgrade to SRA 2.0.1.0 or later.
Wireless LAN 9100                                         | WOS with AOS 7.0.5     | High       | Install WLAN 9220 series v7.0.7, 7.0.x as described in the Avaya Support Site.

Recommended Actions for System Products:
Avaya strongly recommends following networking and security best practices by implementing firewalls, ACLs, physical security or other appropriate access restrictions. Though Avaya believes such restrictions should always be in place, risk to Avaya products and the surrounding network from this potential vulnerability may be mitigated by ensuring these practices are implemented until such time as an Avaya-provided product update or the recommended Avaya action is applied. Further restrictions as deemed necessary based on the customer's security policies may be required during this interim period, but the System Product operating system or application should not be modified unless the change is approved by Avaya. Making changes that are not approved may void the Avaya product service contract.

Mitigating Factors:

When determining risk, Avaya takes into account many factors as outlined by Avaya's Security Vulnerability Classification Policy. The following table describes factors that mitigate the risk of specific vulnerabilities for affected Avaya products:

Vulnerability                                              | Mitigating Factors
CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187 | The risk is rated Low for Identity Engines Ignition Server and Secure Remote Access because the exploit requires a local, special user account that is disabled by default.
                                                           | The risk is rated High for all other products because exploiting this vulnerability could bypass security restrictions and allow shell commands to be executed.

3. Avaya Networking Products not impacted by Shellshock vulnerability:

Product                               | Version(s) | Risk Level | Actions
ERS family                            | All        | None       | None
VSP7024                               | All        | None       | None
VSP family                            | All        | None       | None
VPN Gateway                           | All        | None       | None
VPN Router family                     | All        | None       | None
Secure Router family                  | All        | None       | None
Collaboration Pod PDU                 | All        | None       | None
Collaboration Pod ESXi hosts          | All        | None       | None
Collaboration Pod Media Gateway G450  | All        | None       | None

Mitigating Factors:

When determining risk, Avaya takes into account many factors as outlined by Avaya's Security Vulnerability Classification Policy. The following table describes factors that mitigate the risk of specific vulnerabilities for affected Avaya products:

Vulnerability                                              | Mitigating Factors
CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187 | The risk is rated None for all products because bash is not installed or enabled by default.

4. Additional Information:

Additional information may also be available via the Avaya support website and through your Avaya account representative. Please contact your Avaya product support representative, or dial 1-800-242-2121, with any questions.

5. Disclaimer:

ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF PUBLICATION AND IS PROVIDED "AS IS". AVAYA INC., ON BEHALF ITSELF AND ITS SUBSIDIARIES AND AFFILIATES (HEREINAFTER COLLECTIVELY REFERRED TO AS "AVAYA"), DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND FURTHERMORE, AVAYA MAKES NO REPRESENTATIONS OR WARRANTIES THAT THE STEPS RECOMMENDED WILL ELIMINATE SECURITY OR VIRUS THREATS TO CUSTOMERS' SYSTEMS. IN NO EVENT SHALL AVAYA BE LIABLE FOR ANY DAMAGES WHATSOEVER ARISING OUT OF OR IN CONNECTION WITH THE INFORMATION OR RECOMMENDED ACTIONS PROVIDED HEREIN, INCLUDING DIRECT, INDIRECT, INCIDENTAL, STATUTORY, CONSEQUENTIAL DAMAGES, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF AVAYA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

THE INFORMATION PROVIDED HERE DOES NOT AFFECT THE SUPPORT AGREEMENTS IN PLACE FOR AVAYA PRODUCTS. SUPPORT FOR AVAYA PRODUCTS CONTINUES TO BE EXECUTED AS PER EXISTING AGREEMENTS WITH AVAYA.

6. Revision History:

V 1.0 - September 30, 2014 - Initial Statement issued.
V 2.0 - October 2, 2014 - Updated Identity Engines Ignition Server versions, actions and mitigating factors.
V 3.0 - October 13, 2014 - Added Section 3 for Networking products that are not impacted by Shellshock vulnerability.
V 4.0 - January 20, 2015 - In Section 2, updated the Actions column, added the Collaboration Pod SRA product, removed Wireless LAN 8100 (not supported) and set the advisory status to Final.

Avaya customers or Business Partners should report any security issues found with Avaya products via the standard support process.
Independent security researchers can contact Avaya at securityalerts@avaya.com.

Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries.

© 2014 Avaya Inc. All Rights Reserved. All trademarks identifying Avaya products by the ® or ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners.