“Shellshock” - Bash Bug Vulnerability Alert

The Official Dell Corporate Blog

UPDATE 2: New Shellshock vulnerabilities have been reported, as described on the Shellshock Wikipedia page. Dell is actively investigating, across our entire product base, the extent to which all of these vulnerabilities (including CVE-2014-6271, a publicly disclosed vulnerability in the Bash command line interpreter) might be present, and will be disclosing and remediating any issues as quickly as possible.

UPDATE 1: You can check a particular product or application's status on this remediation page.

Bash is the most widely used shell on Linux-based systems and is also the default shell in Mac OS X Panther (version 10.3) and later Mac OS versions. Bash imports shell functions from environment variables whose value begins with the characters '() {'; vulnerable Bash versions continue to parse and execute commands placed after that function definition in the same variable. An attacker may use an arbitrary command to disclose sensitive system information, or to write files elsewhere on the server's file system (similar to a file upload vulnerability).

Successful exploitation of this vulnerability may allow an attacker to execute arbitrary commands in the context of the vulnerable HTTP CGI server. Used in conjunction with other attacks, an attacker may be able to completely compromise a system.
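Because a CGI server copies client-controlled request headers (User-Agent, Referer and others) into environment variables before starting a script, a probe against a CGI endpoint leaves the '() {' marker in the web server's access log. The following is an added detection example, not code from the Dell post: it scans Apache combined-format log lines for that marker and reports the client address and requested path. The log lines are constructed for the example; the addresses, paths and timestamps are not real traffic.

```shell
#!/bin/sh
# Added example (not from the Dell post): find Shellshock probes in an
# Apache combined-format access log by looking for the Bash function
# definition marker "() {" in the logged Referer / User-Agent fields.

# Constructed sample log lines (not real traffic). The first and third
# requests carry the marker in a header; the second is ordinary traffic.
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:10:01:12 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :; }; echo probe"
198.51.100.7 - - [25/Sep/2014:10:02:33 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2014:10:03:01 +0000] "GET /cgi-bin/env.cgi HTTP/1.1" 500 0 "() { :; }; echo probe" "curl/7.37.0"'

# Read log lines on stdin; print "client_ip request_path" for each line
# that contains the function-definition marker anywhere in the record.
# Combined format: $1 is the client address, $7 the request path.
find_shellshock_probes() {
    grep -F '() {' | awk '{ print $1, $7 }'
}

# Count matching lines in the constructed sample (useful as a self-check).
count_shellshock_probes() {
    printf '%s\n' "$SAMPLE_LOG" | grep -Fc '() {'
}

# List each distinct client address that sent at least one probe.
probe_sources() {
    printf '%s\n' "$SAMPLE_LOG" | find_shellshock_probes | awk '{ print $1 }' | sort -u
}

# Usage: run the scan over the sample, or over a real log with
#   find_shellshock_probes < /var/log/apache2/access.log
printf '%s\n' "$SAMPLE_LOG" | find_shellshock_probes
```

Matching on the literal '() {' string is deliberately broad: it catches probes in any logged header field, and the few false positives it can produce (a header that legitimately contains that sequence) are cheap to review by hand. Requests whose path lies under a CGI directory, as in the sample, are the ones to triage first, since those are the endpoints where the header reaches Bash.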

Dell recommends that clients using Linux and Mac OS X systems determine whether their version of Bash is vulnerable and immediately apply the security update to vulnerable systems. As of this publication, most major Linux distributions have released an update that may be applied using the distribution's package manager. Windows-only environments that do not use Bash are not vulnerable to this exploit.
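A quick way to carry out the check recommended above is to hand a child Bash an environment variable that looks like a function definition with a trailing command and see whether the trailing command runs. The script below is an added example, not code from the Dell post or from any Dell product; the variable name MARKER and the marker string are chosen here for the example. The trailing command only echoes a string, so the check changes nothing on disk, and the script reports the installed Bash version alongside the result so the output can be compared with the distribution's advisory.

```shell
#!/bin/sh
# Added example (not from the Dell post): non-destructive check for
# CVE-2014-6271. A vulnerable bash executes the command that follows the
# "() { ... }" function body while importing the variable; a patched bash
# only defines the function (or refuses the definition altogether).

# Prints one of: vulnerable | patched | bash-not-found
# Exit status: 1 if vulnerable, 0 if patched, 2 if bash is absent.
shellshock_status() {
    if ! command -v bash >/dev/null 2>&1; then
        printf '%s\n' "bash-not-found"
        return 2
    fi
    # MARKER holds a function definition plus a trailing echo. Only the
    # echo in the child's -c string should ever produce output.
    out=$(env MARKER='() { :; }; echo SHELLSHOCK_MARKER' bash -c 'echo probe' 2>/dev/null) || out=""
    case "$out" in
        *SHELLSHOCK_MARKER*) printf '%s\n' "vulnerable"; return 1 ;;
        *)                   printf '%s\n' "patched";    return 0 ;;
    esac
}

# Report the installed bash version next to the result.
shellshock_report() {
    ver=$(bash -c 'printf "%s\n" "$BASH_VERSION"' 2>/dev/null) || ver="unknown"
    printf 'bash version: %s\nstatus: %s\n' "$ver" "$(shellshock_status)"
}

# Usage: run on each host after applying the vendor update.
shellshock_report
```

A "patched" result from this check covers the original CVE-2014-6271 behaviour only; the later CVEs listed on this page concern the parser fixes that followed, so the authoritative confirmation remains the package version published in the distribution's advisory rather than a single probe.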

Dell has a long-standing commitment to design, build and ship secure products and quickly address instances when issues are discovered. Our highest priority is the protection of customer data and information. We take very seriously any issues that may impact the integrity of our products or customer security and privacy. We will continue to communicate with our customers in a transparent manner.

UPDATE 3: For information on these vulnerabilities, see CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187 on the NIST website.



  • Is the latest version of iDRAC vulnerable to the GNU Bash shell (aka “ShellShock”) vulnerabilities CVE-2014-6271 and CVE-2014-7169, reported on the NIST National Vulnerability Database on 9/24/2014?

    AFAIK iDRAC is *nix based, runs Apache and listens on SSH, so in case it uses this shell I assume it is affected? If so, what will be the ETA for a patch version?

  • @nmbrolf - Our teams are still actively investigating this issue and will be updating this remediation page frequently: www.dell.com/.../shellshock-remediation. Please check there for all the latest. ~LPT

  • One week later and we still don't know if our DRAC cards are vulnerable.

  • We have 9 EqualLogic PS series arrays and need information on the Shellshock Bash Bug status.  Have been following the remediation web page every day, saw that the EQLX Hit Kit software was added last week, but nothing on the arrays.  Our corporate security team wants status, it is October 6th now and we don't have answers for them.  Please give us an ETA on our PS Series array firmware.

  • RE: iDRAC vulnerability questions: the Dell Shellshock remediation page lists iDRAC 7 & 8 as not affected by this vulnerability.

  • @danfox - thanks for the assist.  Also, DRAC5 and iDRAC6 are not affected either.  

    Note to all DRAC users -- my apologies for the waiting period and the time it took for us to post a reply.  We had teams globally going through various versions of DRAC code to test any/all possible routes.   We needed to be 100% certain we were not vulnerable before posting.   We appreciate your patience.

    Doug Iler - iDRAC Product Manager

  • I do not see any updates for our Wyse Z50D thin clients nor our WDM server.  Will these updates be posted soon?

  • @v8bait - I'm told more updates have just been added to the remediation page, and additional ones are soon on the way. Our team will continue to update it as soon as new information is available. ~LPT