Advisory ICSA-14-269-01 (Supplement)
Bash Command Injection Vulnerability (Supplement)
All information products included in http://ics-cert.us-cert.gov are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see http://www.us-cert.gov/tlp/.
This advisory supplement accompanies the NCCIC/ICS-CERT advisory ICSA-14-269-01 Bash Command Injection Vulnerability, originally published September 26, 2014, on the ICS-CERT web site and posted to the US-CERT secure Portal library, and all of its subsequent updates. Please refer to the original advisory for the details of the vulnerability. The purpose of this supplement is to document which products are affected by this vulnerability and to suggest how users of these products may mitigate its effects. This document will be updated as needed.
ICS-CERT thanks the following companies for responding to our inquiry about which of their products were or were not affected:
ABB, Advantech, Alstom, Azeotech, Cogent, Digi, Ecava, eWON, Fox-It, Honeywell, Inductive Automation, Eaton, Elecsys, Festo, Garrettcom, Hirschmann, Innominate, JPCERT, Meinberg, Moxa, Nordex, Ocean Data Systems, Omnimetrix, OPCSystems, OSIsoft, Phoenix Contact, Post Oak Traffic, Progea, Red Lion, Rockwell Automation, Schneider Electric, SEL, Sielco Sistemi, Siemens, Sierra Wireless, SUBNET Solutions, Tofino Security, Tridium, Trihedral, Vista Control, Weidmuller, and Wind River.
ICS-CERT encourages any asset owners/operators, developers, or vendors to coordinate known implementations of the affected products directly with ICS-CERT.
ABB products:
- Directly affected: ABB Tropos 3000, 4000, 6000, & 7000 series routers
- Indirectly affected: Ventyx NM EMS/SCADA on RHEL, Ventyx.
Please see ABB’s public notification and mitigation strategies at:
Please see Cisco’s advisory for the full list of affected products at:
Digi products:
- Connectport LTS, Digi Passport, Digi CM.
Digi says that the vulnerability cannot be exploited remotely on these systems.
Please see eWON’s advisory for the full list of affected products at:
Meinberg products:
- LANTIME V4.x, V5.x and V6.x
Please see Meinberg’s public notification and mitigation strategies at:
Moxa products:
- All Linux-based computers except EM1220-LX, EM1240-LX, UC7110-LX, UC7112-LX.
Moxa is currently investigating a solution.
Red Lion products:
- Sixnet BT-5000 and 6000 Series
- RAM 9000, RAM 6000, SN 6000 and M, A and R Series
These products use the bash shell but are not considered to be vulnerable or exploitable.
Siemens products:
- ROX 1: All versions <= V1.16.0
- ROX 2: All versions <= V2.5.0
- APE Linux V1.0 with ELAN installed
Please refer to SSA-86096 for more details at Siemens’ web site:
For any questions related to this report, please contact ICS-CERT at:
Toll Free: 1-877-776-7585
International Callers: (208) 526-0900
For industrial control systems security information and incident reporting: http://ics-cert.us-cert.gov