GNU Bourne-Again Shell (Bash) 'Shellshock' Vulnerability
October 08, 2014
Invensys, now a part of Schneider Electric, is committed to ensuring that our customers and employees are kept current on issues that might affect or improve product, system or process operation. We are dedicated to providing product and application reliability, and exceptional client service.
Customer Advisories are intended to inform you of the possibility of a situation occurring at system installations, and the identified resolution. Invensys recommends that our customers consider taking action to help prevent occurrence of the identified situation during your production process.
Potential Security Vulnerability:
It is recognized that the global threat environment is constantly changing and we are committed to helping our customers protect the security of their installations. We have reviewed the issue described in this Customer Advisory and determined that, if no action is taken, there is potential for a security vulnerability that could allow an attacker to compromise the integrity, availability, or confidentiality of a product. We strongly advise customers to take note of the actions recommended, to test such actions or patches on non-production systems as able, prior to deployment into production environments. This approach is recommended in order to minimize risk and exposure to announced vulnerabilities.
This advisory applies to all Foxboro Evo™ Process Automation System and I/A Series® System users.
On September 25, 2014, US-CERT released alert TA14-268A, "GNU Bourne-Again Shell (Bash) 'Shellshock' Vulnerability." A critical vulnerability has been reported in GNU Bash versions 1.14 through 4.3. The flaw allows an attacker to execute arbitrary shell commands, potentially remotely, by placing specially crafted code in environment variables that are passed to Bash; any service that hands attacker-controlled data to Bash through the environment (for example, web CGI scripts) is exposed.
We are currently reviewing the process automation products that may be affected by the Shellshock vulnerability. To summarize the status of our investigation at this point:
Products Impacted
- Workstations using Solaris 8 and Solaris 10 operating systems DO have the vulnerability.
Products NOT Impacted
- Workstations using Solaris 2.5.1 do NOT have GNU Bash installed on them, as supplied by Invensys.
- Workstations using approved Microsoft Windows operating systems, as supplied by Invensys, do NOT contain the impacted versions of GNU Bash. Therefore, these systems do NOT have the GNU Bash Shellshock vulnerability.
- Foxboro Evo Process Automation System and I/A Series System software do NOT utilize the Bash shell.
- Workstations running Foxboro Evo software do NOT have this vulnerability.
- The last Solaris workstations approved for use on an I/A Series System were removed from sale in April 2009 and all models are either in the Obsolete or LifeTime portions of their lifecycle.
ACTIONS OR RESOLUTIONS
For systems using Solaris 8 or Solaris 10, we recommend removing the Bash shell. The following steps require super-user (root) privileges and should be performed only by a system administrator:
- Open a command window.
- To remove the Bash package, type:
- Enter "Y" when prompted with the following:
    Do you want to remove this package? [y,n,?,q]
    Do you want to continue with the removal of this package? [y,n,?,q]
- To validate that the Bash executable has been removed, type:
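The following script is an added example and is not part of the Invensys advisory or of any Invensys product. It shows the standard probe for the original Shellshock bug (CVE-2014-6271, the flaw described in TA14-268A), a pre-removal check for scripts that still depend on Bash, and a non-interactive version of the Solaris removal and verification steps above. The Solaris package name SUNWbash, the binary path /usr/bin/bash and the use of "pkgrm -n" are assumptions; confirm the package name on the workstation with "pkginfo | grep -i bash" before removing anything.

```shell
#!/bin/sh
# Added example (not Invensys/Schneider code). Assumptions: Solaris ships Bash
# in package SUNWbash with the binary at /usr/bin/bash; adjust if pkginfo says
# otherwise. Written for POSIX sh so it does not itself depend on Bash.

# Print "absent", "vulnerable" or "not-vulnerable" for the interpreter given.
# A vulnerable Bash imports the variable x as a function and keeps parsing
# past the function body, so "echo vulnerable" runs before the -c command.
# A patched Bash ignores the definition, so only "probe" is printed.
# Note: this exercises CVE-2014-6271 only; a Bash that passes here may still
# carry the follow-on parser bugs fixed in later Bash patches.
shellshock_status() {
    interp="${1:-bash}"
    command -v "$interp" >/dev/null 2>&1 || { echo absent; return 0; }
    out=$(env x='() { :;}; echo vulnerable' "$interp" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo not-vulnerable ;;
    esac
}

# Before removing the package, list scripts in a directory whose shebang
# line asks for Bash: these will break once /usr/bin/bash is gone.
bash_dependents() {
    dir="${1:-/usr/local/bin}"
    grep -l '^#!.*bash' "$dir"/* 2>/dev/null || true
}

# Solaris only, run as root: remove the Bash package without the interactive
# y/n prompts, then verify that neither the package nor the binary remains.
# Returns 0 on success, 1 if Bash is still present, 2 if preconditions fail.
remove_bash_solaris() {
    pkg="${1:-SUNWbash}"       # assumed package name, see pkginfo
    command -v pkgrm >/dev/null 2>&1 || { echo "pkgrm not found: not a Solaris host" >&2; return 2; }
    uid=$(id | sed 's/^uid=\([0-9]*\).*/\1/')
    [ "$uid" = 0 ] || { echo "must be run as root" >&2; return 2; }
    # -n answers the "Do you want to remove this package?" prompts non-interactively;
    # if pkgrm refuses in -n mode, run "pkgrm $pkg" interactively as the advisory describes.
    pkgrm -n "$pkg" || { echo "pkgrm failed" >&2; return 1; }
    if pkginfo -q "$pkg" 2>/dev/null || [ -x /usr/bin/bash ]; then
        echo "bash still present" >&2
        return 1
    fi
    echo "bash removed"
    return 0
}

# Stand-alone usage: report the state of the system's Bash and any
# Bash-dependent scripts in /usr/local/bin; removal is only attempted
# when the script is invoked with the argument "remove".
echo "bash status: $(shellshock_status bash)"
bash_dependents /usr/local/bin
[ "${1:-}" = remove ] && remove_bash_solaris
exit 0
```

Run "shellshock_status /usr/bin/bash" first to confirm the workstation is actually exposed, review the output of "bash_dependents" for each directory that holds site scripts, and only then run the removal as root. If "pkgrm -n" exits because the package needs confirmation, fall back to the interactive steps listed above.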
Global Customer Support

GCS Center    America's GCS      Asia Pacific GCS    EMEA GCS
Location      Foxboro MA USA     Shanghai            Baarn NL
Phone         +1-866-746-6477    +86 21 37180086     +31-3554-84125
Fax           +1-508-549-4999    +86 21 37180196     +31-3554-84230
Distribution to Invensys Customers and Internal Personnel Only
DO NOT REPRODUCE.
All trademarks are registered to their respective owners.
All brand names are property of their respective owners.
All Rights Reserved.