Avaya Services Support Tools Response to GNU Bash (ShellShock) Vulnerabilities (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187)

Original Release Date: October 1, 2014
Last Revised: March 9, 2015
Number: ASA-2014-377
Risk Level: High
Advisory Version: 9.0
Advisory Status: Final

1. Overview:

The GNU Bourne Again shell (Bash) is a shell and command language interpreter compatible with the Bourne shell (sh). Bash is the default shell for Red Hat Enterprise Linux.

A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2014-6271 to this issue.

It was also found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187 to these issues.

More information about these vulnerabilities can be found in the security advisories issued by Red Hat and CentOS:

2. Avaya Services Support Tools Software Only and Virtual Apps:

Avaya services support tools are software-only tools that can be deployed as standalone applications, as part of an OVA (VMware virtual machine file), or embedded in the System Platform (Services VM). They operate on general-purpose operating systems such as Red Hat and CentOS. In the case of OVA and Services VM, bash is included as part of the underlying OS. Occasionally vulnerabilities may be discovered in the underlying operating system or in applications that come with the operating system. These vulnerabilities often do not impact the software-only tool directly but may threaten the integrity of the underlying platform. In the case of this advisory, Avaya-developed Services Support Tools are not affected by the vulnerability directly, but the underlying Linux platform may be affected. Customers should determine on which Linux operating system the tool was installed and then follow that vendor's guidance.

Services Support Tools (versions) | Actions
Secure Access Link (SAL) GW 1.x, 2.x | Depending on the Operating System installed, the affected package may be installed on the underlying Operating System. Follow Recommended Actions for Avaya Services Support Tools below. Install the security update as described in KB article SOLN259698.
Avaya Diagnostic Server (ADS) 1.x, 2.x | Depending on the Operating System installed, the affected package may be installed on the underlying Operating System. Follow Recommended Actions for Avaya Services Support Tools below. Install the security update as described in KB article SOLN259698.
Secure Access Remote Access Concentrator 5.x, 6.x | Depending on the Operating System installed, the affected package may be installed on the underlying Operating System. Follow Recommended Actions for Avaya Services Support Tools below. Install the security update as described in KB article SOLN259698.
Secure Access Core Concentrator 5.x, 6.x | Depending on the Operating System installed, the affected package may be installed on the underlying Operating System. Follow Recommended Actions for Avaya Services Support Tools below. Install the security update as described in KB article SOLN259698.
Secure Access Link GAS 5.x, 6.x | Depending on the Operating System installed, the affected package may be installed on the underlying Operating System. Follow Recommended Actions for Avaya Services Support Tools below. Install the security update as described in KB article SOLN259698.
Secure Access Link Policy Server 1.5 | Depending on the Operating System installed, the affected package may be installed on the underlying Operating System. Follow Recommended Actions for Avaya Services Support Tools below. Install the security update as described in KB article SOLN259698.
Services VM 1.x | Avaya has the required privileges on this version. Avaya has an update, Services VM 1.0 Patch, for the Shellshock vulnerability and for customers to own those privileges. The patch is at: https://plds.avaya.com/poeticWeb/avayaLogin.jsp?ENTRY_URL=/esd/viewDownload.htm&DOWNLOAD_PUB_ID=SALSVM00003 The release notes are at: https://downloads.avaya.com/css/P8/documents/101004851
Services VM 2.x, 3.x | Depending on the Operating System installed, the affected package may be installed on the underlying Operating System. Follow Recommended Actions for Avaya Services Support Tools below. Install the security update as described in KB article SOLN259698.
SAL GW virtual app 1.x | Depending on the Operating System installed, the affected package may be installed on the underlying Operating System. Follow Recommended Actions for Avaya Services Support Tools below. Install the security update as described in KB article SOLN259698.
ADS virtual app 2.x | Depending on the Operating System installed, the affected package may be installed on the underlying Operating System. Follow Recommended Actions for Avaya Services Support Tools below. Install the security update as described in KB article SOLN259698.
EXPERT® (All) | Avaya is taking the recommended action. Avaya has identified the Operating System installed, and the affected package may be installed on the underlying Operating System. Avaya has patched, or is patching, internally.
Diagnostics and Tools (All) | Avaya is taking the recommended action. Avaya has identified that some Diagnostics and Tools do use bash on the underlying Operating System installed, and the affected package may be installed on the underlying Operating System. Avaya has patched, or is patching, internally as required.
SSG v5 | Depending on the Operating System installed, the affected package may be installed on the underlying Operating System. Follow Recommended Actions for Avaya Services Support Tools below. Install the security update as described in KB article SOLN259698. As a convenience to customers, Avaya has hosted the bash rpm file that remediates the Shellshock vulnerability for SSG v5 as ADSSSPT0020. ADSSSPT0020 can be found at https://plds.avaya.com/poeticWeb/avayaLogin.jsp?ENTRY_URL=/esd/viewDownload.htm&DOWNLOAD_PUB_ID=ADSSSPT0020.
SAL GW 1.8 on System Platform 6.0 and 6.0.3.x | This version of SAL GW was a pre-SVM (CDOM) deployment available in System Platform releases. Install the security update as described in PSN027007u for System Platform 6.0 or 6.0.3.x.
ION API Technologies Corp SA5600-SAL (All) | Please refer to ION API Technologies Corp's advisory at http://www.apitech.com/ion/resources-shellshock for ION API Technologies Corp's recommended actions.
ION ASG Defender (All) | Please refer to ION API Technologies Corp's advisory at http://www.apitech.com/ion/resources-shellshock for ION API Technologies Corp's recommended actions.
SAL GW on AIM Common Server | Depending on the Operating System installed, the affected package may be installed on the underlying Operating System. Follow Recommended Actions for Avaya Services Support Tools below. Install the security update as described in KB article SOLN259698. As a convenience to customers, Avaya has hosted the bash rpm file that remediates the Shellshock vulnerability for AIM Common Server configurations as ADSSSPT0020. ADSSSPT0020 can be found at https://plds.avaya.com/poeticWeb/avayaLogin.jsp?ENTRY_URL=/esd/viewDownload.htm&DOWNLOAD_PUB_ID=ADSSSPT0020.

Recommended Actions for Avaya Services Support Tools:
Customers should determine on which Linux operating system the software was installed and then follow that vendor's guidance. If the affected package is installed, the actions recommended by Red Hat for Red Hat Enterprise Linux may be followed. For OVA deployments, the CentOS action recommendations may be followed. For SVM 1.x, follow the action described in the table above.
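As an added example (not part of this Avaya advisory, and not code from any Avaya tool or from Red Hat), the following POSIX shell script carries out the two things the recommended action asks of an administrator: identify the underlying OS and installed bash package so the right vendor guidance can be chosen, and, after the vendor update is applied, confirm that bash no longer executes a command appended to an imported function definition (CVE-2014-6271) or leaves a trailing parse fragment behind (CVE-2014-7169). The probes are the same kind of harmless self-test the OS vendors published at the time; they only invoke `echo`. The function names and status strings (`patched`, `bash-not-installed`, `vulnerable:...`) are my own, and the script does not exercise CVE-2014-7186 or CVE-2014-7187, which are parser crash bugs rather than injection.

```shell
#!/bin/sh
# Added example, not part of the Avaya advisory or of any Avaya tool.
# Step 1: identify the underlying OS and bash package (the advisory's
# "determine on which Linux operating system the tool was installed").
# Step 2: after patching, confirm that bash no longer runs code appended to
# an imported function definition (CVE-2014-6271) or leaves a trailing
# parse fragment behind (CVE-2014-7169). Both probes only invoke "echo".
# Function and status names are my own assumptions, not Avaya's or Red Hat's.

report_platform() {
    if [ -r /etc/redhat-release ]; then
        cat /etc/redhat-release                      # RHEL / CentOS
    elif [ -r /etc/os-release ]; then
        sed -n 's/^PRETTY_NAME=//p' /etc/os-release | tr -d '"'
    else
        echo "platform: unknown"
    fi
    # rpm-based hosts: print the installed bash package so it can be compared
    # with the fixed version named in the OS vendor's advisory.
    if command -v rpm >/dev/null 2>&1; then
        rpm -q bash 2>/dev/null || echo "bash rpm not found"
    fi
    return 0
}

# CVE-2014-6271: a patched bash imports only the function body; a vulnerable
# one also executes the command appended after the closing brace.
# Returns 0 = patched, 1 = vulnerable.
probe_6271() {
    out=$(env x='() { :;}; echo VULNERABLE' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) return 1 ;;
    esac
    return 0
}

# CVE-2014-7169: on an incompletely patched bash the "\" left in the parser
# turns "echo date" into a redirection that creates a file named "echo" in
# the current directory. Run the probe in a throwaway directory and look for
# that file. Returns 0 = patched, 1 = vulnerable, 2 = probe could not run.
probe_7169() {
    dir=$(mktemp -d) || return 2
    ( cd "$dir" && env x='() { (a)=>\' bash -c 'echo date' ) >/dev/null 2>&1 || true
    if [ -e "$dir/echo" ]; then
        rm -rf "$dir"
        return 1
    fi
    rm -rf "$dir"
    return 0
}

# Overall verdict as a single string: "patched", "bash-not-installed", or
# "vulnerable:<CVE list>". Exit status is 0 unless something is still open.
shellshock_status() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "bash-not-installed"
        return 0
    fi
    findings=""
    probe_6271 || findings="$findings CVE-2014-6271"
    probe_7169 && rc=0 || rc=$?
    [ "$rc" -eq 1 ] && findings="$findings CVE-2014-7169"
    [ "$rc" -eq 2 ] && findings="$findings CVE-2014-7169(probe-failed)"
    if [ -z "$findings" ]; then
        echo "patched"
        return 0
    fi
    echo "vulnerable:$findings"
    return 1
}

# Run directly: print the platform, then the verdict.
report_platform
shellshock_status
```

Run it once before and once after installing the vendor's bash update; a non-zero exit status means at least one probe still succeeded and the update has not taken effect on that host. Because SAL and ADS do not hand user-supplied input to bash, the value of this check is in confirming the platform itself is closed, which is what the advisory's "OS vendor guidance" step is about.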

Mitigating Factors:

When determining risk, Avaya takes into account many factors as outlined by Avaya's Security Vulnerability Classification Policy. The following table describes factors that mitigate the risk of specific vulnerabilities for affected Avaya Services Support Tools:

Vulnerabilities: CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187

Mitigating Factors:

Customers should follow the recommendation provided by the OS vendor appropriate to the Avaya Services Support Tools.

Customers may apply RHEL patches to their SAL GW, as long as they stay within the guidance in the SAL GW implementation guide for their version of SAL GW.

SAL and ADS software does not generally execute Bash directly, so from an application point of view those scenarios carry comparatively little additional risk. Where it does execute Bash, it does so without any user-provided input, so an attacker would already need privileges on the system in order to subvert additional parts of it.

In the case of the Secure Access Remote Access Concentrator, Secure Access Link Policy Server, and Secure Access Link GAS, the affected package may be installed on the underlying Operating System.

For some EXPERT® and Diagnostics and Tools, the affected package may be installed and used on the underlying Operating System. Avaya is taking action.

For SSG, the affected package may be installed on the underlying Operating System.

However, in all cases the entire system could be at risk, and the OS vendor guidance should be followed nonetheless.

3. Additional Information:

Additional information may also be available via the Avaya support website and through your Avaya account representative. Please contact your Avaya product support representative, or dial 1-800-242-2121, with any questions.

4. Disclaimer:

ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF PUBLICATION, IS PROVIDED "AS IS", AND IS APPLICABLE ONLY TO PRODUCT VERSIONS ELIGIBLE FOR MANUFACTURER SUPPORT IN ACCORDANCE WITH AVAYA PRODUCT LIFE CYCLE POLICY. AVAYA INC., ON BEHALF ITSELF AND ITS SUBSIDIARIES AND AFFILIATES (HEREINAFTER COLLECTIVELY REFERRED TO AS "AVAYA"), DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND FURTHERMORE, AVAYA MAKES NO REPRESENTATIONS OR WARRANTIES THAT THE STEPS RECOMMENDED WILL ELIMINATE SECURITY OR VIRUS THREATS TO CUSTOMERS' SYSTEMS. IN NO EVENT SHALL AVAYA BE LIABLE FOR ANY DAMAGES WHATSOEVER ARISING OUT OF OR IN CONNECTION WITH THE INFORMATION OR RECOMMENDED ACTIONS PROVIDED HEREIN, INCLUDING DIRECT, INDIRECT, INCIDENTAL, STATUTORY, CONSEQUENTIAL DAMAGES, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF AVAYA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

THE INFORMATION PROVIDED HERE DOES NOT AFFECT THE SUPPORT AGREEMENTS IN PLACE FOR AVAYA PRODUCTS. SUPPORT FOR AVAYA PRODUCTS CONTINUES TO BE EXECUTED AS PER EXISTING AGREEMENTS WITH AVAYA.

5. Revision History:

V 1.0 - October 1, 2014 - Initial Statement issued.
V 2.0 - October 2, 2014 - Added Expert® and Diagnostics and Tools to Section 2 and updated the mitigating factors table.
V 3.0 - October 6, 2014 - Added SSG to Section 2 and updated the mitigating factors table.
V 4.0 - October 8, 2014 - Added SAL GW 1.8 on System Platform and ION appliance to Section 2.
V 5.0 - October 10, 2014 - Clarifying editorial changes to Section 2.
V 6.0 - October 16, 2014 - Added ION ASG Defender and clarified SSG version in Section 2.
V 7.0 - December 19, 2014 - Added links with more information. Updated for SVM v1.x.
V 8.0 - January 7, 2015 - Updated SOLN259698.
V 9.0 - March 9, 2015 - Updated ADSSSPT0020 references. Added AIM Common Server SAL configuration.

Avaya customers or Business Partners should report any security issues found with Avaya products via the standard support process.
Independent security researchers can contact Avaya at securityalerts@avaya.com.

Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries.

© 2014 Avaya Inc. All Rights Reserved. All trademarks identifying Avaya products by the ® or ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners.