ShellShock Field Notice

OL-32335-01
Field Notice:
Fix for GNU Bourne-Again Shell (Bash)
'Shellshock' Vulnerability in DBDS Products
Background
All Digital Broadband Delivery System (DBDS) products that run the Solaris or Linux
operating systems are vulnerable to the recently announced Bash 'Shellshock' vulnerability.
The flaw lies in the way Bash imports function definitions from environment variables, and
it may allow a remote attacker to inject and execute arbitrary commands, depending on how
the Bash shell is invoked. Bash can be started with attacker-controlled environment
variables in a number of ways, such as telnet, SSH, DHCP client hook scripts, CGI scripts
hosted on web servers and other attack vectors. Although DBDS products are affected,
authentication is required to exploit this vulnerability on them.
Please note that the National Vulnerability Database (NVD) tracks this issue under the
following Common Vulnerabilities and Exposures (CVE) identifiers: CVE-2014-6271,
CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277 and CVE-2014-6278.
Audience
This document is written for system administrators and system operators of Digital
Broadband Delivery System (DBDS) products, and to anyone who is responsible for
maintaining these products.
Document Version
This is the first formal release of this document.
Affected Products
DBDS products can be broadly classified into two categories, Solaris-based and Linux-based.
The following tables list the affected DBDS products, their versions, the operating system
flavor and the Cisco bug ID that tracks the fix. The contents of each table are given column
by column, in the order in which they appear.

Solaris-based Products

Product Name:
  Digital Network Control System (DNCS)
  DBDS Standalone AppServer (AS)
  Remote Network Control System (RNCS)
  Explorer Controller (EC)
  IPTV Service Delivery System (ISDS)
  International Digital Network Control System (iDNCS)
  Digital Transport Adapter Control System (DTACS)
  Remote Conditional Access System (RCAS)
  Common Download Server (CDLS)
  Download Server (DLS)
  Command 2000 (CMD2K) Server

Version:
  4.2.x, 4.3.x, 4.4.x, 5.x, 3.5.x, 3.6.x, i3.4.x, AS5.x, 1.2.x, 1.3.x, 5.x, f2.3.x,
  i1.3.x, i1.4.x, i1.5.x, 6.x, 7.x, f2.3.x, i4.3.x, i4.4.x, i4.5.x, 1.2.x, 3.x, 1.x;
  CDLS 1.x; DLS 1.x; CMD2K Server 3.x

Operating System:
  Solaris 10 (SPARC) for nine products; Solaris 10 (x86) for two products (the
  x86-based EC 6.x/7.x and CMD2K, as named under Obtaining Software Fixes)

Cisco Bug:
  CSCur08074, CSCur09405, CSCur09280, CSCur09311, CSCur09327, CSCur09391,
  CSCur09337, CSCur09355, CSCur09396, CSCur09367, CSCur09380
Linux-based Products

Product Name:
  Transaction Encryption Device (TED)
  PowerKey CAS Gateway (PCG)
  PowerKey Encryption Server (PKES)
  Download Server
  AutoBackup

Version:
  TED 3.x, 4.x; PCG and PKES 1.x, 2.x, 3.x, 1.x (as listed for the two products);
  Download Server 1.x; AutoBackup 1.x, 2.x

Operating System:
  Red Hat Enterprise Linux (RHEL) 5.x and 6.x for all five products

Cisco Bug:
  CSCur09274 (TED), CSCur09283, CSCur09291, CSCur09318, CSCur09315
Obtaining Software Fixes
As previously stated, all DBDS products are affected by the Bash 'Shellshock' vulnerability,
and Cisco recommends updating the Bash version on all of these products. The software fixes
for Solaris-based and Linux-based products can be downloaded from the following URLs:
Solaris 10 SPARC patch:
http://software.cisco.com/download/release.html?i=!y&mdfid=283812528&softwareid=282868701&release=1.0.0&os=
Linux x86 patch:
http://software.cisco.com/download/release.html?i=!y&mdfid=283812528&softwareid=282868701&release=1.0.1&os=
After downloading and extracting the patches, refer to the bundled README files for
installation instructions.
Please note that Cisco does not bundle the Solaris 10 operating system on x86-based products
such as CMD2K, EC 6.x and EC 7.x. Refer to the following Oracle resources to obtain the
Solaris patches that fix this issue:
http://www.oracle.com/technetwork/topics/security/bashcve-2014-7169-2317675.html
https://support.oracle.com/rs?type=doc&id=1930090.1
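After the patches have been installed, a quick way to confirm that the Bash on a host no longer imports attacker-controlled function definitions (the mechanism described under Background) is to run the publicly known probes for CVE-2014-6271 and CVE-2014-7169 against the binary. The script below is an added example written for this notice; it is not Cisco's code, is not part of the patch bundles above, and does not cover the remaining four CVEs. The probe payloads are the widely circulated ones; the marker string SHELLSHOCK_6271, the function names, and the constructed mock shell (which imitates only the unfixed CVE-2014-6271 import behaviour so that the probe can be seen to fire even on an already patched host) are assumptions made for illustration.

```shell
#!/bin/sh
# shellshock_check.sh: probe a Bash binary for CVE-2014-6271 and CVE-2014-7169.
# Added example for this field notice; not Cisco's code, and no substitute for
# the vendor patches. The marker string, function names and the mock shell are
# constructed for illustration.

# CVE-2014-6271: a variable whose value starts with "() {" is imported as a
# function, and an unfixed Bash keeps parsing past the closing brace and runs
# the trailing command while the environment is loaded.
# Returns 0 if the binary is vulnerable, 1 if not, 2 if it cannot be run.
probe_cve_2014_6271() {
  bin=$1
  [ -n "$bin" ] && [ -x "$bin" ] || return 2
  out=$(env x='() { :;}; echo SHELLSHOCK_6271' "$bin" -c 'echo probe' 2>/dev/null)
  case $out in
    *SHELLSHOCK_6271*) return 0 ;;
    *) return 1 ;;
  esac
}

# CVE-2014-7169 (incomplete first fix): a malformed function body leaves the
# parser holding a dangling redirection, so the command passed with -c writes a
# file named "echo" into the working directory. Runs in a scratch directory.
# Same return codes as above.
probe_cve_2014_7169() {
  bin=$1
  [ -n "$bin" ] && [ -x "$bin" ] || return 2
  dir=$(mktemp -d) || return 2
  ( cd "$dir" && env X='() { (a)=>\' "$bin" -c 'echo probe' >/dev/null 2>&1; [ -e echo ] )
  rc=$?
  rm -rf "$dir"
  return $rc
}

# Returns 0 only when neither probe fires on the binary, 1 otherwise.
is_patched() {
  a=0; probe_cve_2014_6271 "$1" || a=$?
  b=0; probe_cve_2014_7169 "$1" || b=$?
  [ "$a" -eq 1 ] && [ "$b" -eq 1 ]
}

# Constructed stand-in for an unfixed shell (CVE-2014-6271 behaviour only), so
# the probe can be seen to fire without an old Bash build. Prints its path.
make_mock_vulnerable_shell() {
  mock=$(mktemp) || return 1
  cat >"$mock" <<'EOF'
#!/bin/sh
# Mock of the pre-fix import: any environment value of the form
# "() { ... } trailing" is taken as a function definition and "trailing"
# is executed during import, before the -c command runs.
env | while IFS= read -r entry; do
  value=${entry#*=}
  case $value in
    "() {"*\}*) eval ": $(printf '%s\n' "$value" | sed 's/^[^}]*}//')" ;;
  esac
done
[ "$1" = "-c" ] && eval "$2"
EOF
  chmod +x "$mock" && printf '%s\n' "$mock"
}

# Human-readable verdict for one binary; the probe_* exit codes are the
# machine-readable result for scripted use.
report() {
  bin=$1
  for cve in 6271 7169; do
    rc=0; "probe_cve_2014_$cve" "$bin" || rc=$?
    case $rc in
      0) printf '%s: CVE-2014-%s VULNERABLE\n' "$bin" "$cve" ;;
      1) printf '%s: CVE-2014-%s not vulnerable\n' "$bin" "$cve" ;;
      *) printf '%s: cannot be executed\n' "$bin"; return 0 ;;
    esac
  done
}

# Stand-alone use: sh shellshock_check.sh [/path/to/bash]; defaults to the bash on PATH.
report "${1:-$(command -v bash)}"
```

Run it against every Bash copy on each DBDS host (on Solaris typically /usr/bin/bash, and any second build under /usr/local or /opt) rather than only the one on PATH: a VULNERABLE verdict after the patch has been applied means the binary being executed is not the patched one. The CVE-2014-7169 probe writes only into a scratch directory that it removes afterwards, so both probes are safe to run on a production system.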
Customer Information
If You Have Questions
If you have technical questions, call Cisco Services for assistance. Follow the menu
options to speak with a service engineer.
Cisco Systems, Inc.
5030 Sugarloaf Parkway, Box 465447
Lawrenceville, GA 30042
678 277-1120
800 553-6387
www.cisco.com
This document includes various trademarks of Cisco and/or its affiliates. Please see the
Notices section of this document for a list of the Cisco trademarks used in this document.
Product and service availability are subject to change without notice.
© 2014 Cisco and/or its affiliates. All rights reserved.
October 2014 Printed in USA