Doc ID:    ADV227
Version:    2.0
Status:    Published
Published date:    10/08/2014
Categories:    I/A Series, Foxboro Evo



 

Customer Advisory
GNU Bourne-Again Shell (Bash) 'Shellshock' Vulnerability
October 08, 2014



Invensys, now a part of Schneider Electric, is committed to ensuring that our customers and employees are kept current on issues that might affect or improve product, system or process operation. We are dedicated to providing product and application reliability, and exceptional client service. 
  

Customer Advisories are intended to inform you of the possibility of a situation occurring at system installations, and the identified resolution. Invensys recommends that our customers consider taking action to help prevent occurrence of the identified situation during your production process.


Potential Security Vulnerability:

It is recognized that the global threat environment is constantly changing and we are committed to helping our customers protect the security of their installations.  We have reviewed the issue described in this Customer Advisory and determined that, if no action is taken, there is potential for a security vulnerability that could allow an attacker to compromise the integrity, availability, or confidentiality of a product.  We strongly advise customers to take note of the actions recommended, to test such actions or patches on non-production systems as able, prior to deployment into production environments. This approach is recommended in order to minimize risk and exposure to announced vulnerabilities.

This advisory applies to all Foxboro Evo™ Process Automation System and I/A Series® System users. 


SITUATION

On September 25, 2014, US-CERT released alert TA14-268A, "GNU Bourne-Again Shell (Bash) 'Shellshock' Vulnerability" (CVE-2014-6271, with the follow-on CVE-2014-7169).  A critical vulnerability has been reported in GNU Bash versions 1.14 through 4.3.  Bash imports function definitions from environment variables when it starts, and affected versions also execute any commands that follow the function body.  Any service that passes attacker-supplied data into the environment of a Bash process (for example a web server running CGI scripts) can therefore be used to execute arbitrary shell commands remotely, without authentication.


SYMPTOMS

We are currently performing a review of process automation products that may be affected by the Shellshock vulnerability issue.  To summarize the status of our investigation at this point:

Products Impacted
  • Workstations using Solaris 8 and Solaris 10 operating systems DO have the vulnerability.

Products NOT Impacted

  • Workstations using Solaris 2.5.1 do NOT have GNU Bash installed on them, as supplied by Invensys.
  • Workstations using approved Microsoft Windows operating systems, as supplied by Invensys, do NOT contain the impacted versions of GNU Bash.  Therefore, these systems do NOT have the GNU Bash Shellshock vulnerability.

 Please note:

  • Foxboro Evo Process Automation System and I/A Series System software do NOT utilize the Bash shell.
  • Workstations running Foxboro Evo software do NOT have this vulnerability.
  • The last Solaris workstations approved for use on an I/A Series System were removed from sale in April 2009 and all models are either in the Obsolete or LifeTime portions of their lifecycle.

ACTIONS OR RESOLUTIONS

For systems using Solaris 8 or Solaris 10, we recommend removing the Bash shell.  Only system administrators with super-user (root) privileges can perform the following instructions:

  1. Open a terminal window and become root.
  2. Check whether the Bash package is installed by typing:

pkginfo -l SUNWbash

     If the package is installed, the output includes this line:  NAME:  GNU Bourne-Again Shell (Bash)

  3. To remove the Bash package, type:

pkgrm SUNWbash

  4. Enter "y" when prompted with the following questions:
     • Do you want to remove this package?  [y,n,?,q]
     • Do you want to continue with the removal of this package?  [y,n,?,q]

  5. To validate that the Bash executable has been removed, type:

which bash

     It should report that bash was not found in any directory on your PATH.

 Please note:

  • Before removing the package, confirm that no account uses Bash as its login shell (for example, grep bash /etc/passwd) and change any such account to /bin/sh or /bin/ksh first; otherwise those users will be unable to log in once Bash is removed.
  • pkgrm removes only the files that belong to the SUNWbash package.  A copy of Bash installed from another source (for example under /usr/local or /opt) is not removed by this procedure.  Locate any other copies with find / -type f -name bash -print and remove or replace them as well, then repeat step 5.
 
If you have installed software or written scripts that require Bash, it is recommended that best security practices be followed until Bash can be removed, such as providing layers of defense around the Solaris systems and/or isolating them from external network connections.  Isolation reduces remote exposure but does not remove the flaw: any service that passes attacker-supplied data into the environment of a Bash process remains exploitable while the vulnerable binary is present.  You might also consider converting any Bash scripts to the Bourne shell (sh) or Korn shell (ksh), both of which are supplied with Solaris, and then removing the Bash shell.

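The following script is an added example and is not part of this advisory or of any Invensys product.  It automates the checks described above on a Solaris 8/10 host: it probes the Bash binary with the environment-variable test string published in US-CERT TA14-268A, queries the package database for SUNWbash (pkginfo -q is the documented quiet mode that reports only an exit status), lists accounts whose login shell is Bash, and finds scripts whose first line is a Bash shebang so they can be converted to sh or ksh before the package is removed.  The function names are the author's, and the sample passwd file and scripts it creates under a temporary directory are constructed for the stand-alone run; a real audit would pass /etc/passwd and directories such as /opt, /usr/local and /export/home instead.

```shell
#!/bin/sh
# Added example, not part of the Invensys advisory: audit a host before and
# after "pkgrm SUNWbash". POSIX sh only, so it runs under /bin/sh on
# Solaris 8/10 as well as on a modern Linux host. Function names are the
# author's and are not Invensys or Solaris commands.

# Probe an interpreter with the CVE-2014-6271 test from US-CERT TA14-268A.
# An unpatched Bash imports the exported function "x" and then executes the
# trailing "echo vulnerable"; a patched Bash treats x as an ordinary variable
# and only runs the -c command. Prints "absent", "vulnerable" or "patched".
shellshock_status() {
    bin=$(command -v "${1:-bash}" 2>/dev/null) || { echo absent; return 0; }
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c 'echo probe' 2>/dev/null) || out=""
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Step 2 of the advisory: is SUNWbash registered in the Solaris package
# database? "pkginfo -q" prints nothing and sets only the exit status.
# Prints "installed", "not-installed", or "unknown" where pkginfo does not
# exist (non-Solaris host).
sunwbash_package_status() {
    command -v pkginfo >/dev/null 2>&1 || { echo unknown; return 0; }
    if pkginfo -q SUNWbash; then echo installed; else echo not-installed; fi
}

# Accounts whose login shell is Bash must be moved to sh or ksh before the
# package is removed, or those users cannot log in afterwards. Prints one
# "user:shell" line per affected account in the given passwd file.
bash_login_accounts() {
    awk -F: '$7 ~ /\/bash$/ { print $1 ":" $7 }' "${1:-/etc/passwd}"
}

# The scripts the advisory says to convert first: regular files under the
# given directories whose first line is a Bash shebang
# (#!/bin/bash, #!/usr/bin/bash, #!/usr/bin/env bash, ...).
find_bash_scripts() {
    for dir in "$@"; do
        find "$dir" -type f -print 2>/dev/null | while IFS= read -r f; do
            IFS= read -r first < "$f" 2>/dev/null || continue
            case "$first" in
                '#!'*/bash*|'#!'*'env bash'*) printf '%s\n' "$f" ;;
            esac
        done
    done
}

count_bash_scripts() { find_bash_scripts "$@" | wc -l | tr -d ' '; }

# Constructed sample data for a stand-alone run (a real audit would pass
# /etc/passwd and directories such as /opt, /usr/local, /export/home).
demo_tree() {
    d=$(mktemp -d 2>/dev/null || echo "/tmp/bashaudit.$$")
    mkdir -p "$d/sub"
    printf '#!/bin/bash\necho hi\n'         > "$d/a.sh"
    printf '#!/usr/bin/env bash\necho hi\n' > "$d/sub/b.sh"
    printf '#!/bin/sh\necho hi\n'           > "$d/c.sh"
    printf 'root:x:0:0::/:/bin/sh\noper:x:100:1::/export/home/oper:/usr/bin/bash\n' > "$d/passwd"
    echo "$d"
}

main() {
    echo "bash in PATH:     $(shellshock_status bash)"
    echo "SUNWbash package: $(sunwbash_package_status)"
    d=$(demo_tree)
    echo "bash login accounts:";    bash_login_accounts "$d/passwd"
    echo "bash-dependent scripts:"; find_bash_scripts "$d"
    rm -rf "$d"
}
main
```

Run the probe again after step 5; once the package is gone it should report "absent" for bash on the PATH, and it can be pointed at any stray copy found elsewhere (for example shellshock_status /usr/local/bin/bash) to confirm whether that copy is also vulnerable before deciding what to do with it.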
FOR INFORMATION
If you have any questions regarding this notification, please contact your local Service Representative or an Invensys Support Center at: 
 
GCS Center       Americas GCS           Asia Pacific GCS       EMEA GCS
Location         Foxboro, MA, USA       Shanghai               Baarn, NL
Phone            +1-866-746-6477        +86 21 37180086        +31-3554-84125
International    +1-508-549-2424
Fax              +1-508-549-4999        +86 21 37180196        +31-3554-84230
Email            Americas GCS           Asia Pacific GCS       EMEA GCS
 

Regards

John Petty
Director,
Global Customer Support


Distribution to Invensys Customers and Internal Personnel Only
DO NOT REPRODUCE.
All trademarks are registered to their respective owners.
All brand names are property of their respective owners.

All Rights Reserved.


            Advisory #:  2014048abi Rev 2


©Copyright Invensys. All rights reserved