Cisco Bug: CSCur02195 - ACE evaluation for CVE-2014-6271 and CVE-2014-7169

Last Modified

Feb 19, 2018

Products (1)

  • Cisco ACE 4700 Series Application Control Engine Appliances

Known Affected Releases

3.0(0)A5(3.0) 3.0(0)A5(3.1) 7.2(0.1)VB(0.1)

Description (partial)

Symptom:
The ACE 4710 and ACE30 include a version of bash that is affected by the vulnerabilities
identified by the following Common Vulnerabilities and Exposures (CVE) IDs:

CVE-2014-6271
CVE-2014-6277
CVE-2014-6278
CVE-2014-7169
CVE-2014-7186
CVE-2014-7187 

This bug has been opened to address the potential impact on this product.

The ACE30 module and ACE4710 appliance running A5(3.x) and prior have been tested, and each was found to be vulnerable through one attack vector.

For the ACE30 module and ACE4710 appliance, Cisco is providing a short-term hot patch (DPLUG) now, with a full correction in a maintenance release at a later date. The DPLUGs are named ACE4710_A5x_bash_security_fix.bin and ACE30_A5x_bash_security_fix.bin and will work with any A5(x) release.

Understand that the attack works only through the vector of accessing the management interface on the ACE via SSH using a pre-existing valid login credential (with any level of access rights). Testing via a VIP through SSH/HTTP/HTTPS load balancing shows no vulnerability, and since the ACE does not execute any CGI scripting via a VIP, that vector is also not vulnerable.

To address the vulnerability:
1. Upgrade to an A5(x) release.

2. Download the "hot fix" DPLUG from CCO. The DPLUGs are named ACE4710_A5x_bash_security_fix.bin and ACE30_A5x_bash_security_fix.bin and will work with any A5(x) release.

3. Ensure the DPLUG is installed and run after every ACE reboot.

4. Monitor software availability for a future A5(3.x.x) maintenance release, which will include the full correction and remove the need to run the DPLUG hot fix.
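As an added post-patch check (not Cisco's DPLUG or any ACE code), the following POSIX shell script tests a bash binary for the CVE-2014-6271 behaviour listed above, so that step 3 (the fix being in place after every reboot) can be verified rather than assumed. It checks only CVE-2014-6271, the first of the listed IDs, and assumes bash is in PATH unless a path is passed as the first argument.

```shell
#!/bin/sh
# Added example: verify that a host's bash is not affected by CVE-2014-6271
# (import of function definitions from the environment with trailing commands).
# Not Cisco's DPLUG or ACE code; it works on any host whose bash you can run.

# shellshock_check [path-to-bash]
# Exit status: 0 = patched, 1 = vulnerable to CVE-2014-6271, 2 = bash not found.
shellshock_check() {
    bash_bin=${1:-bash}
    command -v "$bash_bin" >/dev/null 2>&1 || return 2
    # Export a variable whose value looks like a function definition followed
    # by an extra command. Unpatched bash imports the function and also runs
    # the trailing command, so the marker shows up in the output. Patched bash
    # treats the value as plain data and prints only "probe".
    marker="CVE_2014_6271_TRAILING_COMMAND_RAN"
    out=$(env x="() { :;}; echo $marker" "$bash_bin" -c 'echo probe' 2>/dev/null)
    case $out in
        *"$marker"*) return 1 ;;
    esac
    return 0
}

# shellshock_status [path-to-bash]
# Prints a one-word verdict (patched / vulnerable / no-bash) for use in
# scripts and monitoring jobs, e.g. a post-reboot compliance check.
shellshock_status() {
    rc=0
    shellshock_check "$@" || rc=$?
    case $rc in
        0) echo patched ;;
        1) echo vulnerable ;;
        *) echo no-bash ;;
    esac
}

shellshock_status "$@"
```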

Conditions:
Exposure is not configuration dependent, but successful authentication is required to exploit this vulnerability remotely.