News from 2014-10-01
Meinberg Security Advisory: [MBGSA-1403] GNU Bash Environmental Variable Command Injection Vulnerability
CVE-IDs:
CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169
1. Description of the Problem
The GNU Bash command-line shell used by Meinberg for their LANTIME network appliance firmware has been found to be affected by several security vulnerabilities. These vulnerabilities allow an attacker to run arbitrary shell commands by crafting a dedicated environment variable or function. Shell access on Meinberg LANTIME systems is restricted to superuser access level accounts, and those accounts already have full access, so the practical use for a potential attacker is very low. Exploiting one of the vulnerabilities through a CGI of the LANTIME web interface also requires valid login credentials, and any injected command would be executed with reduced access rights, limiting the potential damage that can be caused by abusing one of the vulnerabilities.
2. Affected Systems
All LANTIME Firmware Versions starting with V4.x are affected by this problem.
3. Potential Defense Strategies
Updating to the latest firmware version is highly recommended to protect against this threat.
Please request a download link for a firmware update by using our firmware request web page:
Firmware Updates for LANTIME Products including SyncFire
You need to provide the serial number of your LANTIME device in order to request a firmware update download link.
The following updates are currently available:
V4.x Update to V4.60
V5.x Update to V5.34p
V6.00.x - V6.14.x Update to V6.14.023
V6.15.x - V6.16.x Update to V6.16.002
If your systems are running a different firmware version, you can either update to one of the above listed versions or contact your Meinberg Technical Support Team for further assistance.
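As an added example (not Meinberg's code), the update list above can be applied to a device inventory with a short Python script. The version string format, the host names and the rule that a build sorting at or after the listed update counts as already updated are assumptions.

```python
import re

# Update targets copied from the advisory's list. Each rule is
# (major, lowest minor, highest minor, listed update).
RULES = [
    (4, 0, 99, "V4.60"),       # V4.x
    (5, 0, 99, "V5.34p"),      # V5.x
    (6, 0, 14, "V6.14.023"),   # V6.00.x - V6.14.x
    (6, 15, 16, "V6.16.002"),  # V6.15.x - V6.16.x
]

def parse(version):
    """Split 'V6.14.023' into ((6, 14, 23), '') and '5.34p' into ((5, 34), 'p')."""
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)([a-z]?)", version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {version!r}")
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2)

def triage(version):
    """Return the action the advisory's update list implies for one version."""
    nums, suffix = parse(version)
    major = nums[0]
    minor = nums[1] if len(nums) > 1 else 0
    for r_major, lo, hi, target in RULES:
        if major == r_major and lo <= minor <= hi:
            # Assumption: a build that sorts at or after the listed
            # update (numbers first, then patch letter) is already updated.
            if (nums, suffix) >= parse(target):
                return "at or above " + target
            return "update to " + target
    # Versions outside the listed branches: the advisory says to ask support.
    return "not listed: contact Meinberg Technical Support"

# Constructed inventory (hypothetical host names and versions).
INVENTORY = {
    "ntp-a.example": "V6.14.005",
    "ntp-b.example": "6.15.011",
    "ntp-c.example": "V5.34",
    "ntp-d.example": "V4.60",
    "ntp-e.example": "V6.17.001",
}

if __name__ == "__main__":
    for host, version in sorted(INVENTORY.items()):
        print(f"{host:15} {version:10} {triage(version)}")
```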
4. Additional Information Sources
More details about this vulnerability can be found on the following web sites:
https://ics-cert.us-cert.gov/advisories/ICSA-14-269-01 (ICS-CERT Advisory)
https://www.us-cert.gov/ncas/alerts/TA14-268A (US CERT Alert)