The US-CERT (United States Computer Emergency Readiness Team) posted an alert regarding the GNU Bourne Again Shell (Bash) ‘Shellshock’ vulnerability (CVE-2014-6271, CVE-2014-7169) yesterday, Sept. 25th. This is a “common command-line shell used in most Linux/Unix operating systems and Apple’s Mac OS X.”
Just this morning, Peplink added the following comment to their forums:
On Sept 25, 2014, a critical vulnerability reported in the GNU Bourne Again Shell (Bash) was made public. We have since reviewed our products and online services for the impact.
Peplink has verified and confirmed that all of our products do not contain/use "GNU Bash" and therefore we are NOT affected by this vulnerability.
There is no customer action required on your part.
Thank you for your attention.
The Peplink Team
Issued on: Sept 26, 2014
BSD, which has also been affected was used by Cradlepoint with older versions of firmware. However, they have since switched to Linux. As of this morning, Cradlepoint has not commented on this vulnerability and whether it has affected their products.
**UPDATE: Since this was originally posted, Cradlepoint sent an e-mail with the following statement regarding this vulnerability:
The purpose of this email is to inform you that CradlePoint has addressed the critical security vulnerability known as the “Bash Bug” (CVE-2014-6271 and CVE-2014-7169).
No action is required. CradlePoint has taken the following actions to address this vulnerability:
Hardware & Firmware
- CradlePoint hardware and firmware are not affected.
- Enterprise Cloud Manager and WiPipe Central were not remotely vulnerable. As a precaution, stream servers and web servers were patched last night (9/25/14).
- CradlePoint’s website was patched last night (9/25/14).
- CradlePoint has audited potential internal vulnerabilities and has patched affected servers and Linux workstations. We are currently in the process of working with 3rd party vendors to apply any necessary patches.
At CradlePoint, protecting your network is our first priority. We will continue to monitor this situation and provide updates as appropriate. Should you have any further questions, please email firstname.lastname@example.org or call +1.855.813.3385 (select Option 2).