Cisco Bug: CSCur02195 - ACE evaluation for CVE-2014-6271 and CVE-2014-7169

Last Modified

Sep 11, 2019

Products (1)

  • Cisco ACE 4700 Series Application Control Engine Appliances

Known Affected Releases

3.0(0)A5(3.0) 3.0(0)A5(3.1) 7.2(0.1)VB(0.1)

Description (partial)

The ACE 4710 and ACE30 include a version of bash that is affected by the vulnerabilities
identified by the Common Vulnerabilities and Exposures (CVE) IDs:


This bug has been opened to address the potential impact on this product.

The ACE30 module and ACE4710 appliance running A5(3.x) and prior have been tested, and each was found to be vulnerable to one attack vector.

For the ACE30 module and ACE4710 appliance, Cisco is providing a short-term hot patch (DPLUG) now, with a full correction in a maintenance release at a later date. The DPLUGs are named ACE4710_A5x_bash_security_fix.bin and ACE30_A5x_bash_security_fix.bin and will work with any A5(x) release.

Note that the attack works only through one vector: accessing the management interface on the ACE via SSH using a pre-existing valid login credential (with any level of access rights). Testing via VIP through SSH/HTTP/HTTPS load balancing shows no vulnerability, and since the ACE does not execute any CGI scripting via VIP, that vector is also not vulnerable.

To address the vulnerability:

1. Upgrade to an A5(x) release.

2. Download the "hot fix" DPLUG from CCO. The DPLUGs are named ACE4710_A5x_bash_security_fix.bin and ACE30_A5x_bash_security_fix.bin and will work with any A5(x) release.

3. Ensure the DPLUG is installed/run after every ACE reboot.

4. Monitor software availability for the future A5(3.x.x) maintenance release, which will include the full correction and remove the need to run the DPLUG hot fix.

Exposure is not configuration dependent, but successful authentication is required to exploit this vulnerability remotely.

Related Community Discussions

LB related: Summary of vulnerabilities published in 2014
Introduction: This page covers the vulnerabilities published in 2014 that relate to Cisco load balancers (ACE10/20/30, ACE4710, CSS). 1. Review of Security Advisories 2. About CSS, ACE10/20, ACE4710 A3(x) 3. Review of the ACE architecture 4. List of vulnerabilities published in 2014. 1. Review of Security Advisories: Under its security vulnerability policy, Cisco publishes issues it considers to be important security problems as Security Advisories. English version Japanese version ...
Latest activity: Aug 30, 2017