Symptom - On 25-SEP-2014, the GNU Bourne Again Shell (Bash) Vulnerability, also called the "Shellshock" Vulnerability (CVE-2014-6271 and CVE-2014-7169), was detected and published by several Cyber Security outlets.
Effect - An attacker may remotely execute shell commands by attaching malicious code in environment variables used by the operating system.
Overview (via US-CERT)
A critical vulnerability has been reported in the GNU Bourne Again Shell (Bash), the common command-line shell used in most Linux/UNIX operating systems and Apple’s Mac OS X. The flaw could allow an attacker to remotely execute shell commands by attaching malicious code in environment variables used by the operating system. The United States Department of Homeland Security (DHS) is releasing this Technical Alert to provide further information about the GNU Bash vulnerability.
Schneider Electric's Data Center Business has conducted a vulnerability assessment on the following platforms and found the status of the current shipping versions as follows:
Data Center Operations (DCO) v7.4.0 is operating a version of BASH which is affected. A patch for this vulnerability is available now at DCIM Support (link) and in the released version v7.4.1.
Resolution: The patch is available at DCIM Support (link) and in the released version v7.4.1.
Data Center Expert (DCE) v7.2.4 is currently operating a version of BASH which is affected. All earlier versions are also affected. A patch for this vulnerability is currently available in v7.2.5. Please contact your local APC Technical Support for the updated version.
NetBotz Appliances do not utilize BASH and are therefore not affected.
All Network Management Card (NMC) Applications do not utilize BASH and are therefore not affected.
All versions of ISX Manager (ISXM) utilize a version of BASH which is affected. As this product is termed End Of Life, no updates will be made available for this platform.
APC Digital IP KVM Switches (KVM1116P, KVM2116P, KVM2132P) do not utilize BASH and therefore are not affected.
MGE Network Management Cards do not utilize BASH and therefore are not affected.
MGE Network Shutdown Module does not utilize BASH and therefore is not affected.
Cyber Security is an important element of Schneider Electric's commitment to software quality. Regular vulnerability assessment and further investigation are ongoing on other Schneider Electric platforms in addition to the above, and any findings will be detailed if discovered.