Shellshock BASH exploit — Vulnerable ?

 ** Edit,  9th October — Many EMC products now have patches available **

 

VNX Series1          VNX Series2          XtremIO          VNXe

–Get busy !


 

On the 24th September, a series of CVE (Common Vulnerabilities & Exposure) incidents were published and have gained significant publicity (and rightly so) due to their potential for catastrophic impact across many product using the BASH shell.

Read all about them here & here

It’s another serious exposure and won’t be long before it’s added to the metasploit libraries for the kiddies.

It’s well documented which commercial products are exploited but what about EMC, VMWare et al ?

The current engineering updates from both companies can be found below and for many products the investigation is continuing;

I have tested on a EMC unified VNX system and found it to be vulnerable, as expected per the document above;

26-09-2014 11-15-53 PM

On a (relatively) recent build of ESXi, this won’t be the case. Why ? ESXi uses the busybox platform which does not use BASH, rather ASH.

For S&G’s anyway;

27-09-2014 9-45-04 AM

So what’s the message ? As Johnny would say, be Alert but not Alarmed.  I don’t see this as a vector that the products in question would be commonly exposed to.

Watch your Vendors notifications pages and patch/mitigate as appropriate.

…….and don’t forget to check if the Internet is on fire

 

 

Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this: