Friday, September 26, 2014

Peplink Comments on GNU Bourne Again Shell (Bash) 'Shellshock' Vulnerability

US-CERT (United States Computer Emergency Readiness Team) posted an alert regarding the GNU Bourne Again Shell (Bash) ‘Shellshock’ vulnerability (CVE-2014-6271, CVE-2014-7169) yesterday, Sept. 25th. Bash is a “common command-line shell used in most Linux/Unix operating systems and Apple’s Mac OS X.”

Just this morning, Peplink added the following comment to their forums:

On Sept 25, 2014, a critical vulnerability reported in the GNU Bourne Again Shell (Bash) was made public. We have since reviewed our products and online services for the impact. 

Peplink has verified and confirmed that all of our products do not contain/use "GNU Bash" and therefore we are NOT affected by this vulnerability. 

There is no customer action required on your part. 

Thank you for your attention. 

The Peplink Team 
Issued on: Sept 26, 2014 

BSD, which has also been affected, was used by Cradlepoint in older versions of its firmware. However, they have since switched to Linux. As of this morning, Cradlepoint has not commented on this vulnerability or on whether it has affected their products.

**UPDATE:** Since this was originally posted, Cradlepoint sent an e-mail with the following statement regarding this vulnerability:

The purpose of this email is to inform you that CradlePoint has addressed the critical security vulnerability known as the “Bash Bug” (CVE-2014-6271 and CVE-2014-7169).

No action is required. CradlePoint has taken the following actions to address this vulnerability:

Hardware & Firmware
  • CradlePoint hardware and firmware are not affected.  
Cloud Management 
  • Enterprise Cloud Manager and WiPipe Central were not remotely vulnerable. As a precaution, stream servers and web servers were patched last night (9/25/14). 
CradlePoint.com Website
  • CradlePoint’s website was patched last night (9/25/14). 
Internal IT Systems
  • CradlePoint has audited potential internal vulnerabilities and has patched affected servers and Linux workstations. We are currently in the process of working with 3rd party vendors to apply any necessary patches. 
Support for Your Network

At CradlePoint, protecting your network is our first priority. We will continue to monitor this situation and provide updates as appropriate. Should you have any further questions, please email support@cradlepoint.com or call +1.855.813.3385 (select Option 2).