Avaya Desktop and Mobile Client Response to GNU Bash (shellshock) Vulnerabilities (CVE-2014-6271, CVE-2014-7169)

Original Release Date: October 3, 2014
Last Revised: October 3, 2014
Number: ASA-2014-384
Risk Level: None
Advisory Version: 1.0
Advisory Status: Final

1. Overview:

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277 and CVE-2014-6278 to these issues.

Avaya desktop and mobile clients are software-only products operating on general-purpose operating systems. Occasionally vulnerabilities may be discovered in the underlying operating system or applications that come with the operating system. These vulnerabilities often do not impact the software-only product directly but may threaten the integrity of the underlying platform.

In the case of this advisory, Avaya desktop and mobile client products are not affected by the vulnerability directly, but the underlying operating system platform may be. Customers should determine on which operating system the product was installed and then follow that vendor's guidance.
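The following script is an added example and is not part of Avaya's advisory or any Avaya product. It shows how an administrator of a Linux or Mac OS X host running one of the clients listed below can confirm that the operating system vendor's bash update has taken effect, using the widely published CVE-2014-6271 test string: an exported variable whose value looks like a function definition followed by a trailing command. A patched bash treats the variable as plain text and prints only "test"; an unpatched bash executes the trailing command while importing the environment. The function name and the optional path argument are this example's own conventions.

```shell
#!/bin/sh
# Added example, not Avaya code: report whether the bash on this host still
# evaluates trailing commands after an exported function definition
# (CVE-2014-6271). Assumes bash is on PATH unless a path is given.
# Exit status: 0 = patched, 1 = vulnerable, 2 = bash not found.

check_shellshock() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "bash not found"
        return 2
    fi
    # The function body ":" does nothing; the trailing "echo vulnerable" is the
    # part an unpatched bash wrongly runs while importing the variable x.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        *)            echo "patched";    return 0 ;;
    esac
}

# Usage: ./check_shellshock.sh [/path/to/bash]
check_shellshock "$@"
```

A "patched" result here only covers the original bug; the follow-on issues listed in the overview (CVE-2014-7169 and later) were fixed in subsequent vendor updates, so the installed package version reported by the operating system's package manager remains the authoritative check.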

2. Avaya Desktop and Mobile Clients:

Product                                         | Actions
------------------------------------------------|--------------------------------------------------------------------------------------------------------
Avaya one-X® Communicator for Microsoft Windows | Consult your operating system vendor for instructions for resolving this issue on Microsoft Windows.
Avaya one-X® Communicator for Mac OS X          | Consult your operating system vendor for instructions for resolving this issue on Mac OS X.
Avaya Flare® Experience for Microsoft Windows   | Consult your operating system vendor for instructions for resolving this issue on Microsoft Windows.
Avaya Communicator for Microsoft Windows        | Consult your operating system vendor for instructions for resolving this issue on Microsoft Windows.
Avaya Client Applications                       | Consult your operating system vendor for instructions for resolving this issue on Microsoft Windows.
Avaya Client Applications for Lync and CS1K     | Consult your operating system vendor for instructions for resolving this issue on Microsoft Windows.
Avaya Client Applications for Lync              | Consult your operating system vendor for instructions for resolving this issue on Microsoft Windows.
Avaya Collaboration Services                    | Consult your operating system vendor for instructions for resolving this issue on Microsoft Windows.
Avaya VDI Communicator (Windows)                | Consult your operating system vendor for instructions for resolving this issue on Microsoft Windows.
Avaya VDI Communicator (Linux)                  | Consult your operating system vendor for instructions for resolving this issue on your version of Linux.
Avaya one-X® Mobile SIP for iOS                 | Consult your device vendor for instructions for resolving this issue on your device.
Avaya one-X® Mobile SIP for iOS (CFE)           | Consult your device vendor for instructions for resolving this issue on your device.
Avaya one-X® Mobile CES for iPhone              | Consult your device vendor for instructions for resolving this issue on your device.
Avaya one-X® Mobile CES for Android             | Consult your device vendor for instructions for resolving this issue on your device.
Avaya one-X® Mobile Lite for iPhone             | Consult your device vendor for instructions for resolving this issue on your device.
Avaya one-X® Mobile Lite for Android            | Consult your device vendor for instructions for resolving this issue on your device.
Avaya Communicator for iPad                     | Consult your device vendor for instructions for resolving this issue on your device.
Avaya Communicator for iPad (CFE)               | Consult your device vendor for instructions for resolving this issue on your device.
Avaya Communicator for Android                  | Consult your device vendor for instructions for resolving this issue on your device.
Avaya one-X® Mobile Lite for Blackberry         | Consult your device vendor for instructions for resolving this issue on your device.

3. Additional Information:

Additional information may also be available via the Avaya support website and through your Avaya account representative. Please contact your Avaya product support representative, or dial 1-800-242-2121, with any questions.

4. Disclaimer:

ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF PUBLICATION AND IS PROVIDED "AS IS". AVAYA INC., ON BEHALF OF ITSELF AND ITS SUBSIDIARIES AND AFFILIATES (HEREINAFTER COLLECTIVELY REFERRED TO AS "AVAYA"), DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND FURTHERMORE, AVAYA MAKES NO REPRESENTATIONS OR WARRANTIES THAT THE STEPS RECOMMENDED WILL ELIMINATE SECURITY OR VIRUS THREATS TO CUSTOMERS' SYSTEMS. IN NO EVENT SHALL AVAYA BE LIABLE FOR ANY DAMAGES WHATSOEVER ARISING OUT OF OR IN CONNECTION WITH THE INFORMATION OR RECOMMENDED ACTIONS PROVIDED HEREIN, INCLUDING DIRECT, INDIRECT, INCIDENTAL, STATUTORY, CONSEQUENTIAL DAMAGES, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF AVAYA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

THE INFORMATION PROVIDED HERE DOES NOT AFFECT THE SUPPORT AGREEMENTS IN PLACE FOR AVAYA PRODUCTS. SUPPORT FOR AVAYA PRODUCTS CONTINUES TO BE EXECUTED AS PER EXISTING AGREEMENTS WITH AVAYA.

5. Revision History:

V 1.0 - October 3, 2014 - Initial Statement issued.

Avaya customers or Business Partners should report any security issues found with Avaya products via the standard support process.
Independent security researchers can contact Avaya at securityalerts@avaya.com.

© 2014 Avaya Inc. All Rights Reserved. All trademarks identifying Avaya products by the ® or ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners.