Shellshock!? Is it an issue for Zyxel products?
Zyxel Communications would like to reassure its customers that Zyxel's networking products, including Switches, USGs (Unified Security Gateways), ZyWALL VPN firewalls and UAGs (Unified Access Gateways), are not at risk from the Shellshock vulnerability disclosed on September 24, 2014, which affects the Bash shell on Linux and Unix systems.
Zyxel's WLAN Controllers (the NXC Series) and WLAN Access Points (the NWA3000-N Series and the NWA5000-N Series), however, are affected by the vulnerability to a limited extent. We are aware of the damage Shellshock can cause and will keep working until we have the best solution for our customers. Specifically, Zyxel will release a new patch and publish it online (Download Library) by the 15th of October to address customer concerns about the vulnerability.
Zyxel will continue to monitor Shellshock's impact and provide the latest updates to our customers when necessary. For optimal network security, Zyxel recommends that customers limit access to protected networks and grant access only to trusted members.
Are my Zyxel products affected by the Shellshock vulnerability?
Solutions For | Products | Affected by Shellshock | Latest Patch Update
---|---|---|---
Service Providers | MSANs/DSLAMs | N | -
Service Providers | DSL CPEs | N | -
Service Providers | Ethernet Gateways | N | -
Service Providers | MSANs/DSLAMs | N | -
Service Providers | Managed Switches | N | -
Service Providers | GEPON/GEPON | N | -
Home Users | DSL Gateways | N | -
Home Users | Wireless Routers | N | -
Home Users | Wireless Access Points | N | -
Home Users | Wireless Extenders | N | -
Home Users | Wireless Adapters | N | -
Home Users | Desktop Switches | N | -
Home Users | Network Storages/Media Servers | N | -
Small & Medium Business | Managed Switches | N | -
Small & Medium Business | Smart Switches | N | -
Small & Medium Business | Unmanaged Switches | N | -
Small & Medium Business | WLAN Controllers | Y | 15th Oct., 2014
Small & Medium Business | WLAN Access Points | Y | 15th Oct., 2014
Small & Medium Business | Unified Security Gateways | N | -
Small & Medium Business | ZyWall VPN Firewalls | N | -
Small & Medium Business | Unified Access Gateways | N | -
Small & Medium Business | Hospitality Gateways | N | -
About the Shellshock Vulnerability
Shellshock (CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169) is a recently disclosed, severe, Internet-wide vulnerability in the Bash shell that enables attackers to override or bypass certain restrictions and execute Linux or Unix shell commands.
CVE-2014-6271
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock".
CVE-2014-6277
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access, and untrusted-pointer read and write operations) via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.
CVE-2014-6278
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.
CVE-2014-7169
GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.
Source: National Vulnerability Database
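The CVE descriptions above say the defect is in how Bash imports function definitions from environment variables. The script below is an added example, not part of the Zyxel advisory, for checking whether the Bash on a host you administer (for instance a Linux management box you use to reach these devices) is still exposed to CVE-2014-6271 or CVE-2014-7169. It assumes a `bash` binary on PATH and a working `mktemp`; the variable name `CANARY` and the function names are mine. Both checks use harmless payloads: the first only echoes a marker word, the second only creates a file in a temporary directory that is removed afterwards.

```shell
#!/bin/sh
# Added example (not Zyxel's code): self-check for the two Shellshock variants
# named on the page. Each function prints one word: patched, vulnerable or missing.

# CVE-2014-6271: a fixed Bash imports only the function body "{ :; }" and
# ignores the trailing "; echo vulnerable", so the child prints just "test".
shellshock_check() {
    command -v bash >/dev/null 2>&1 || { echo missing; return 0; }
    # stderr is discarded because a patched Bash prints a warning about the
    # ignored function definition attempt.
    out=$(env CANARY='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# CVE-2014-7169: a Bash with only the first fix mis-parses the malformed
# definition and runs ">echo date", creating a file named "echo" in the
# working directory (the file-write impact described in the CVE text).
shellshock_check_7169() {
    command -v bash >/dev/null 2>&1 || { echo missing; return 0; }
    dir=$(mktemp -d) || { echo missing; return 0; }
    (cd "$dir" && env CANARY='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1) || true
    if [ -e "$dir/echo" ]; then status=vulnerable; else status=patched; fi
    rm -rf "$dir"
    echo "$status"
}

printf 'CVE-2014-6271: %s\nCVE-2014-7169: %s\n' "$(shellshock_check)" "$(shellshock_check_7169)"
```

A result of `patched` for both lines means the installed Bash no longer honours trailing commands after an imported function definition; it says nothing about other hosts or about the Zyxel firmware, which only the vendor patch listed in the table addresses.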