ICS Advisory

Bash Command Injection Vulnerability (Supplement)

Alert Code: ICSA-14-269-01 (Supplement)

OVERVIEW

This advisory supplement accompanies the NCCIC/ICS-CERT advisory titled ICSA-14-269-01 Bash Command Injection Vulnerability and all of its subsequent updates. The original advisory was published September 26, 2014, on the ICS-CERT web site and posted to the US-CERT secure Portal library. Please refer to the original advisory for all details of the vulnerability. The purpose of this supplement is to document which products are affected by this vulnerability and to suggest how users of these products may mitigate its effects. This document will be updated as needed.

ICS-CERT thanks the following companies for responding to our inquiry about which of their products were or were not affected:

ABB, Advantech, Alstom, Azeotech, Cogent, Digi, Ecava, eWON, Fox-It, Honeywell, Inductive Automation, Eaton, Elecsys, Festo, Garrettcom, Hirschmann, Innominate, JPCERT, Meinberg, Moxa, Nordex, Ocean Data Systems, Omnimetrix, OPCSystems, OSIsoft, Phoenix Contact, Post Oak Traffic, Progea, Red Lion, Rockwell Automation, Schneider Electric, SEL, Sielco Sistemi, Siemens, Sierra Wireless, SUBNET Solutions, Tofino Security, Tridium, Trihedral, Vista Control, Weidmuller, and Wind River.

ICS-CERT encourages any asset owners/operators, developers, or vendors to coordinate known implementations of the affected products directly with ICS-CERT.

AFFECTED PRODUCTS

ABB products:

  • Directly affected: ABB Tropos 3000, 4000, 6000, & 7000 series routers
  • Indirectly affected: Ventyx NM EMS/SCADA on RHEL, Ventyx.

Please see ABB’s public notification and mitigation strategies at:

www.abb.com/cawp/abbzh254/2c9d1261d9fa1dcfc1257950002e4fbf.aspx

Cisco products:

Please see Cisco’s advisory for the full list of affected products at:

tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash

Digi products:

  • Connectport LTS, Digi Passport, Digi CM.

Digi says that the vulnerability cannot be exploited remotely on these systems.

eWON products:

Please see eWON’s advisory for the full list of affected products at:

www.talk2m.com/en/shellshock-vulnerability-ewon-and-talk2m-on-the-safe-side.html?cmp_id=7&news_id=54&vID=17

Meinberg products:

  • LANTIME V4.x, V5.x and V6.x

Please see Meinberg’s public notification and mitigation strategies at:

http://www.meinbergglobal.com/english/news/meinberg-security-advisory-mbgsa-1403-gnu-bash-environmental-variable-command-injection-vulnerability.htm

Moxa products:

  • All Linux-based computers except EM1220-LX, EM1240-LX, UC7110-LX, UC7112-LX.

Moxa is currently investigating a solution.

Red Lion products:

  • Sixnet BT-5000 and 6000 Series
  • RAM 9000, RAM 6000, SN 6000 and M, A and R Series

These products use the bash shell but are not considered to be vulnerable or exploitable.

Siemens products:

  • ROX 1: All versions <= V1.16.0
  • ROX 2: All versions <= V2.5.0
  • APE Linux V1.0 with ELAN installed

Please refer to SSA-86096 on Siemens’ web site for more details:

www.siemens.com/cert/advisories
