U.S. Department of Homeland Security | ICS-CERT (Industrial Control Systems Cyber Emergency Response Team)

Advisory ICSA-14-269-01 (Supplement)

Bash Command Injection Vulnerability (Supplement)

Original release date: October 15, 2014 | Last revised: November 12, 2014

Legal Notice

All information products included in http://ics-cert.us-cert.gov are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see http://www.us-cert.gov/tlp/.



OVERVIEW

This advisory supplement accompanies the NCCIC/ICS-CERT advisory ICSA-14-269-01 Bash Command Injection Vulnerability and all of its subsequent updates; the original advisory was published September 26, 2014, on the ICS-CERT web site and posted to the US-CERT secure Portal library. Please refer to the original advisory for the details of the vulnerability. The purpose of this supplement is to document which products are affected by the vulnerability and to suggest how users of those products may mitigate its effects. This document will be updated as needed.

ICS-CERT thanks the following companies for responding to our inquiry as to which of their products were or were not affected:

ABB, Advantech, Alstom, Azeotech, Cogent, Digi, Ecava, eWON, Fox-It, Honeywell, Inductive Automation, Eaton, Elecsys, Festo, Garrettcom, Hirschmann, Innominate, JPCERT, Meinberg, Moxa, Nordex, Ocean Data Systems, Omnimetrix, OPCSystems, OSIsoft, Phoenix Contact, Post Oak Traffic, Progea, Red Lion, Rockwell Automation, Schneider Electric, SEL, Sielco Sistemi, Siemens, Sierra Wireless, SUBNET Solutions, Tofino Security, Tridium, Trihedral, Vista Control, Weidmuller, and Wind River.

ICS-CERT encourages any asset owners/operators, developers, or vendors to coordinate known implementations of the affected products directly with ICS-CERT.

AFFECTED PRODUCTS

ABB products:

  • Directly affected: ABB Tropos 3000, 4000, 6000, & 7000 series routers
  • Indirectly affected: Ventyx NM EMS/SCADA on RHEL, Ventyx.

Please see ABB’s public notification and mitigation strategies at:

www.abb.com/cawp/abbzh254/2c9d1261d9fa1dcfc1257950002e4fbf.aspx

Cisco products:

Please see Cisco’s advisory for the full list of affected products at:

tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash

Digi products:

  • Connectport LTS, Digi Passport, Digi CM.

Digi says that the vulnerability cannot be exploited remotely on these systems.

eWON products:

Please see eWON’s advisory for the full list of affected products at:

www.talk2m.com/en/shellshock-vulnerability-ewon-and-talk2m-on-the-safe-side.html?cmp_id=7&news_id=54&vID=17.

Meinberg products:

  • LANTIME V4.x, V5.x and V6.x

Please see Meinberg’s public notification and mitigation strategies at:

http://www.meinbergglobal.com/english/news/meinberg-security-advisory-mbgsa-1403-gnu-bash-environmental-variable-command-injection-vulnerability.htm

Moxa products:

  • All Linux-based computers except EM1220-LX, EM1240-LX, UC7110-LX, UC7112-LX.

Moxa is currently investigating a solution.

Red Lion products:

  • Sixnet BT-5000 and 6000 Series
  • RAM 9000, RAM 6000, SN 6000 and M, A and R Series

These products use the bash shell but are not considered to be vulnerable or exploitable.

Siemens products:

  • ROX 1: All versions <= V1.16.0
  • ROX 2: All versions <= V2.5.0
  • APE Linux V1.0 with ELAN installed

Please refer to SSA-86096 for more details at Siemens’ web site:

www.siemens.com/cert/advisories


Contact Information

For any questions related to this report, please contact ICS-CERT at:

Email: ics-cert@hq.dhs.gov
Toll Free: 1-877-776-7585
International Callers: (208) 526-0900

For industrial control systems security information and incident reporting: http://ics-cert.us-cert.gov
