Who could have thought that something worse comes up after “Heartbleed”? Well, at least by some accounts, the “bash bug”, officially CVE-2014-6271 and its follow-up bug CVE-2014-7169 and two further bugs, or as others call it, “ShellShock” or “Bashdoor” could be worse than Heartbleed. The module in question, bash (“Bourne Again SHell”), is a command interpreter, i.e. a system component, of most Linux- and UNIX-Systems, and also Apple Mac OS X. Bash is also present in NoTouch OS and Stratodesk Virtual Appliance and so attention from Stratodesk customers is required but there is no need to panic. This article was updated on September 28th to contain most recent updates.
Please update Stratodesk Virtual Appliance as soon as possible. As the system is based on Ubuntu server builds with LTS (Long-Term Support), updates are ready. Especially Stratodesk VA version 1.0-65 makes applying such updates really easy from the web console, users of older VA versions should go to the command line and not rely on the automated mechanism. Please review the full documentation on updating the Virtual Appliance. The new OVA file with 20140928 is already patched.
NoTouch OS has the vulnerable version of bash, but does not seem to be vulnerable. NoTouch OS has bash, but the system services including the DHCP client do not use it, they use a different shell product that is not affected. Thus, we currently do not see a possibility for injecting malicious environment variables into a NoTouch machine, neither from the LAN nor from the local system. To fully mitigate the vulnerability, we have made NoTouch OS 2.39.21 available for our customers, an update to the “Mineral King” product generation that has the patched version of bash. This version also has Firefox 32.0.3 that fixes an unrelated certificate check problem.
NoTouch Center is not affected. It is a software application written in Java. It does not interact with bash and is not vulnerable.
2014-09-28 Update. The original version of this article mentioned 2.39.18 that fixed the two original bash vulnerabilities. In the meantime 2.39.21 is out and this one also fixes CVE-2014-7186, CVE-2014-7187 and includes the “use prefixes and suffixes for function exports” security improvement.