
ShellShock: The bash vulnerability

Who would have thought that something worse could come up after “Heartbleed”? By some accounts, the “bash bug” could be worse than Heartbleed. Officially it is CVE-2014-6271, with its follow-up bug CVE-2014-7169 and two further bugs; others call it “ShellShock” or “Bashdoor”. The component in question, bash (“Bourne Again SHell”), is a command interpreter, i.e. a system component, of most Linux and UNIX systems, and also of Apple Mac OS X. Bash is also present in NoTouch OS and Stratodesk Virtual Appliance, so attention from Stratodesk customers is required, but there is no need to panic. This article was updated on September 28th to contain the most recent updates.

Please update Stratodesk Virtual Appliance as soon as possible. As the system is based on Ubuntu server builds with LTS (Long-Term Support), updates are ready. Stratodesk VA version 1.0-65 in particular makes applying such updates really easy from the web console; users of older VA versions should go to the command line and not rely on the automated mechanism. Please review the full documentation on updating the Virtual Appliance. The new OVA file with 20140928 is already patched.

NoTouch OS has the vulnerable version of bash, but does not seem to be vulnerable. The system services, including the DHCP client, do not use bash; they use a different shell product that is not affected. Thus, we currently do not see a possibility of injecting malicious environment variables into a NoTouch machine, either from the LAN or from the local system. To fully mitigate the vulnerability, we have made NoTouch OS 2.39.21 available for our customers, an update to the “Mineral King” product generation that has the patched version of bash. This version also has Firefox 32.0.3, which fixes an unrelated certificate check problem.

NoTouch Center is not affected. It is a software application written in Java. It does not interact with bash and is not vulnerable.

2014-09-28 Update. The original version of this article mentioned 2.39.18, which fixed the two original bash vulnerabilities. In the meantime 2.39.21 is out; it also fixes CVE-2014-7186 and CVE-2014-7187 and includes the “use prefixes and suffixes for function exports” security improvement.
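One way to check for the function-export hardening mentioned above: this added example (not Stratodesk code) classifies how a function definition is encoded in an environment entry and probes the local bash. The function names and `probe_fn` are chosen for this example; a "legacy" result means the export hardening is absent, not that the parser bugs are unpatched.

```shell
#!/bin/sh
# Added example: detect whether bash uses the prefixed/suffixed encoding
# for exported functions, and flag environment entries in the old form.

# classify_env_entry "NAME=value" -> hardened | legacy | none
classify_env_entry() {
    name=${1%%=*}      # text before the first "="
    value=${1#*=}      # text after the first "="
    case "$value" in
        '() {'*) ;;                    # value looks like a function definition
        *) echo none; return 0 ;;
    esac
    case "$name" in
        BASH_FUNC_*) echo hardened ;;  # e.g. BASH_FUNC_f%% (upstream encoding)
        *)           echo legacy ;;    # plain NAME=() { ... } import form
    esac
}

# scan_env: read "NAME=value" lines on stdin and print the names of
# variables that carry a function definition in the legacy form.
scan_env() {
    while IFS= read -r entry; do
        if [ "$(classify_env_entry "$entry")" = legacy ]; then
            echo "${entry%%=*}"
        fi
    done
}

# probe_local_bash: export a harmless no-op function from the local bash
# and classify the entry a child process receives.
probe_local_bash() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    entry=$(bash -c 'probe_fn() { :; }; export -f probe_fn; env' 2>/dev/null |
            grep 'probe_fn' | head -n 1) || true
    classify_env_entry "$entry"
}

echo "local bash function export form: $(probe_local_bash)"
```

Piping `env` into `scan_env` on a host lists variables that an unhardened bash would treat as function imports.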
