Security Advisory: GNU Bash ShellShock Remote Code Execution
September 28, 2014

This document details the status of Radware products in regard to CVE-2014-6271 and CVE-2014-7169. Radware will continue to investigate the vulnerabilities' implications on Radware's products and will issue updates and mitigation plans when needed.

CVE Overview

CVE-2014-6271
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock."

CVE-2014-7169
GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

Impact
A malicious user can exploit this vulnerability to cause remote code execution on a vulnerable system.

Summary of Radware Product Exposure to CVEs
The following table summarizes Radware's products and their exposure to these CVE vulnerabilities:

Product | CVEs Exposure | Comments
Alteon | None | Alteon isn't vulnerable from traffic or management interfaces.
Alteon VA | Yes | Fixed version will be available on October 12th.
AppDirector | None | AppDirector isn't Linux based, therefore isn't vulnerable (there is internal functionality in AppDirector which is Linux based and is used for an internal process which isn't public, therefore it also isn't vulnerable).
DefensePro | None | No Bash commands are executed from user inputs on the management interface. On data traffic no relevant interface is exposed, therefore not vulnerable.
AppWall | None | AppWall isn't vulnerable on both traffic and management interfaces.
LinkProof | None | LinkProof isn't Linux based, therefore isn't vulnerable.
AppXcel | None | No Bash access is available from traffic or management interfaces.
CID | None | CID isn't Linux based, therefore isn't vulnerable.
FastView | None | No Bash access is available from the traffic interface.
APSolute Vision | Yes | The risk of exploiting the vulnerability is limited as long as the APSolute Vision appliance is not accessible from the external network. A fix will be provided shortly.
SharePath APM Server | Yes | The risk of exploiting the vulnerability is limited as long as SSH and Telnet access to the SharePath virtual appliance from the external network is restricted. A fix will be provided shortly.
inflight | Yes | The risk of exploiting the vulnerability is limited as long as SSH and Telnet access to the Inflight appliance from the external network is restricted. A fix will be provided shortly.

Mitigation Plan

DefensePro
Radware Emergency Response Team (ERT) has produced two IPS signatures for the vulnerabilities. More information is available at the link below:
http://www.radware.com/NewsEvents/PressReleases/Shellshock-Vulnerability/

AppWall
AppWall can protect web applications using a filter that detects the risky pattern used to attack web servers through these vulnerabilities. The filter detects the pattern "() {" used to initiate the attack and drops this traffic. Further information will be provided.
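The filter logic described above, as an added illustration that is not Radware's AppWall code: it parses the headers of a raw HTTP request, which is the attacker-controlled text a CGI gateway copies into environment variables, and flags any header whose value carries the literal "() {" function-definition prefix that vulnerable Bash versions recognise. The request strings are constructed samples; the function names, the exact-literal match and the drop decision are assumptions for this example.

```python
from typing import List, Tuple

# Vulnerable Bash versions treated an environment value beginning with the
# four characters "() {" as an exported function definition, so that literal
# is the pattern the filter keys on (assumption: exact literal is sufficient).
SHELLSHOCK_PATTERN = "() {"

def parse_headers(raw_request: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP/1.x request into (header-name, value) pairs."""
    lines = raw_request.split("\r\n")
    headers = []
    for line in lines[1:]:          # lines[0] is the request line
        if not line:
            break                   # blank line terminates the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return headers

def find_shellshock_headers(raw_request: str) -> List[str]:
    """Return names of headers whose value contains the "() {" prefix."""
    return [name for name, value in parse_headers(raw_request)
            if SHELLSHOCK_PATTERN in value]

def should_drop(raw_request: str) -> bool:
    """Filter decision: drop the request when any header matches."""
    return bool(find_shellshock_headers(raw_request))

# Constructed sample traffic, not captured data. The second request carries
# the function-definition prefix in User-Agent followed by an inert trailing
# string, the shape the CVE descriptions refer to.
BENIGN_REQUEST = (
    "GET /cgi-bin/status HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n"
    "Cookie: session=abc123\r\n"
    "\r\n"
)
SUSPICIOUS_REQUEST = (
    "GET /cgi-bin/status HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: () { :; }; trailing-string\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for req in (BENIGN_REQUEST, SUSPICIOUS_REQUEST):
        verdict = "drop" if should_drop(req) else "allow"
        print(verdict, find_shellshock_headers(req))
```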
Alteon VA
A fix for Alteon VA will be available on October 12th on the following software versions:
30.0.1.0
29.5.1.10
29.0.3.10
28.1.13.10

Document version | Date | Issued By | Main Changes
1.0 | September 26, 2014 | Ami Barayev |
1.01 | September 26, 2014 | Ami Barayev | Added inflight, APSolute Vision and SharePath APM Server mitigation
1.02 | September 28, 2014 | Ami Barayev | Fix date for Alteon VA

North America
Radware Inc.
575 Corporate Drive
Mahwah, NJ 07430
Tel: +1-888-234-5763

International
Radware Ltd.
22 Raoul Wallenberg St.
Tel Aviv 69710, Israel
Tel: 972 3 766 8666

© 2014 Radware, Ltd. All Rights Reserved. Radware and all other Radware product and service names are registered trademarks of Radware in the U.S. and other countries. All other trademarks and names are the property of their respective owners. Printed in the U.S.A.