Cisco Bug: CSCur08462 - BE3K evaluation for CVE-2014-6271 and CVE-2014-7169

Last Modified

Jan 30, 2017

Products (1)

  • Cisco Unified Communications Manager (CallManager)

Known Affected Releases

9.9(9)ST1.16

Description (partial)

Symptom:
The Cisco Business Edition 3000 (BE3K) may include a version of bash that is affected by the vulnerabilities
identified by the Common Vulnerabilities and Exposures (CVE) IDs:

CVE-2014-6271
CVE-2014-7169
CVE-2014-7186
CVE-2014-7187
CVE-2014-6277 
CVE-2014-6278

This bug has been opened to address the potential impact on this product.

Conditions:
Exploitation of the vulnerability is possible only through authenticated SSH (even if we bypass the CLI).
 
 [admin@BE-3000-ONE ~]$ uname -a
 Linux BE-3000-ONE 2.6.18-194.26.1.el5PAE #1 SMP Fri Oct 29 14:28:58 EDT 2010 i686 i686 i386 GNU/Linux
 [admin@BE-3000-ONE ~]$ wpd
 bash: wpd: command not found
 [admin@BE-3000-ONE ~]$ pwd
 /home/admin
 [admin@BE-3000-ONE ~]$ id
 uid=667(admin) gid=503(administrator) groups=250(cuservice),500(sftpuser),501(platform),502(tomcat),503(administrator),506(ccmbase),509(ccmsyslog),572(download) context=admin_u:sysadm_r:sysadm_t:SystemLow-SystemHigh