Cisco, Oracle find dozens of their products affected by Shellshock

Cisco Systems and Oracle are hard at work identifying networking and other products in their portfolios that are affected by the critical Shellshock vulnerability.

The Shellshock vulnerability and several related ones found over the past week stem from errors in how the Bash command-line interpreter for Unix and Linux systems parses strings passed to it by external scripts. The flaws allow attackers to trick certain processes running on vulnerable machines to pass malicious strings to Bash that would then get executed as commands on the underlying OS.

Security researcher Rob Fuller has put together a collection of Shellshock proof-of-concept exploits gathered from various sources. The most well-known attack vectors are through Web servers that run CGI scripts and through SSH (Secure Shell) daemons, although other applications that interact with Bash are also potential targets.

Cisco has identified 71 products so far that are exposed to the vulnerability. These products serve various purposes, including network application, service and acceleration; network content and security; network management and provisioning; routing and switching; unified computing; voice and unified communications; video, streaming, TelePresence and transcoding.

The number of Cisco products vulnerable to Shellshock and related bugs far exceeds the 38 confirmed not to be vulnerable. The company is reviewing an additional 168 products and hosted services, so the list of vulnerable products is likely to increase.

“The impact of this vulnerability on Cisco products may vary depending on the affected product because some attack vectors such as SSH, require successful authentication to be exploited and may not result in any additional privileges granted to the user,” Cisco said in its advisory.

Oracle is also in the process of identifying which of its products are vulnerable. So far the company has released Shellshock patches for nine products: Oracle Database Appliance 12.1.2 and 2.X; Oracle Exadata Storage Server Software; Oracle Exalogic; Oracle Exalytics; Oracle Linux 4, 5, 6 and 7; Oracle Solaris Operating System 8, 9, 10 and 11; Oracle SuperCluster; Oracle Virtual Compute Appliance Software and Oracle VM 2.2, 3.2 and 3.3.

An additional 42 products use Bash in at least one of their versions and are likely to be vulnerable to Shellshock, Oracle has found. No patches are currently available for those products. Four other products are currently being investigated to determine if they’re using vulnerable Bash versions.

“Oracle has not assessed the impact of this vulnerability against products that are no longer supported by Oracle,” the company said in its advisory.

Other vendors with products built on top of Linux, whether those are hardware appliances, SCADA platforms, specialized servers or embedded devices, are likely to release Shellshock patches in the near future.

The overall impact of the Shellshock vulnerability and the related Bash bugs is hard to quantify given the ubiquitous nature of this basic component in the Unix and Linux world and the fact that all Bash versions going back to 1993 are likely vulnerable. The multiple attack vectors only add to the complexity of determining which systems are at risk.