Cisco Bug: CSCur07312 - Cisco ACE (ACE10 and ACE20) CVE-2014-6271 and CVE-2014-7169

Last Modified

Jan 31, 2017

Products (1)

  • Cisco ACE Application Control Engine Module

Known Affected Releases

3.0(0)A2(3.6d) 7.2(0.1)PR(0.1)

Description (partial)

Symptom:
The ACE10, ACE20 and 4710 running software prior to A4.x include a version of bash that is affected by the vulnerabilities identified by the following Common Vulnerabilities and Exposures (CVE) IDs:

CVE-2014-6271
CVE-2014-6277
CVE-2014-6278
CVE-2014-7169
CVE-2014-7186
CVE-2014-7187 

This bug has been opened to address the potential impact on this product.

ACE10 and ACE30 modules and the ACE4710 appliance running code prior to A4.x have been tested, and each was found to be vulnerable to one attack vector.

Note that the attack works only through the management interface on the ACE, accessed via SSH using a pre-existing valid login credential (with any level of access rights). Testing via VIP through SSH/HTTP/HTTPS load balancing shows no vulnerability, and since the ACE does not execute any CGI scripting via VIP, that vector is also not vulnerable.

Conditions:
Exposure is not configuration dependent.