Two vulnerabilities in the GNU Bash shell allow for the execution of arbitrary code. Note that a partial fix was enacted to address the first vulnerability in the GNU Bash shell that inadvertently produced its own vulnerability. Both vulnerabilities involve the processing of environment variables and/or their values.
CVE-2014-6271 - “Shellshock”
In GNU Bash versions 4.3 bash43-025 and prior, an exploit of environment variable mechanics with regards to trailing strings allows the attacker to bypass or override environmental restrictions and run arbitrary code.
In GNU Bash versions 4.3 bash43-025 and prior, an exploit of environment variable mechanics with regards to function definitions allows the attacker to bypass or override environmental restrictions and run arbitrary code.
GNU Bash versions 4.3 bash43-025 and prior process environment variable values in a way that allows trailing strings to be added by an attacker, thus allowing the execution of arbitrary code.
CVE-2014-7186 - “redir_stack” issue
parse.y in GNU Bash versions through 4.3 bash43-026 allows remote attackers to cause a denial of service (application crash) caused by a redirection implementation error (out-of-bounds array).
CVE-2014-7187 - “word_lineo” issue
parse.y in GNU Bash versions through 4.3 bash43-026 allows remote attackers to cause a denial of service (application crash) caused by an off-by-one error in the read_token_word function (out-of-bounds array).
Last Update: 3/4/2022
Initial Public Release: 9/25/2014
Advisory ID: PLYGN14-03
CVE ID: CVE-2014-6271
CVSS Score: 10.0
CVE ID: CVE-2014-6277
CVSS Score: 10.0
CVE ID: CVE-2014-7169
CVSS Score: 10.0
CVE ID: CVE-2014-7186
CVSS Score: 10.0
CVE ID: CVE-2014-7187
CVSS Score: 10.0
|PRODUCTS||STATUS||KNOW PRODUCT - SPECIFIC INTERNAL MITIGATIONS|
|CloudAXIS Experience Portal and Service Portal||Vulnerable – Bash Upgrade mid-November||Web - not vulnerable (web server does not set environment variables)||SIP – not vulnerable (stack tested by security team)||DHCP - vulnerable (DHCP client does not implement DHCP addresses received, but does “fetch” them for the VM’s)||SSH – Vulnerable (use of a restricted shell actually causes vulnerability in this place)|
|Distributed Media Application||Fixed in
|Web – not vulnerable (web server does not set environment variables)||SIP – not vulnerable (stack tested by security team)||DHCP – not vulnerable (DMA does not use DHCP)||SSH – vulnerable (can be disabled)|
|Recording and Streaming Server 4000||Vulnerable –Bash Upgrade Date Unknown||Web – not vulnerable (web server does not set environment variables)||SIP – not vulnerable (stack tested by security team)||DHCP – vulnerable (set static addresses)||SSH – not vulnerable (no SSH capability)|
|Video Border Proxy||Fixed in 11.2.19||N/A||N/A||N/A||N/A|
|RealPresence AccessDirector||Vulnerable – BashUpgrade in Q4 – v4.1.0||Web – not vulnerable (web server does not set environment variables)||SIP – Not vulnerable (SIP is Java implementation that does not use environment variables)||DHCP – presumed vulnerable, not tested (disable and use static address)||SSH – vulnerable (turn off)|
|Platform Director||Vulnerable – BashUpgrade Date Unknown||Web – not vulnerable (web server does not support CGI)||SIP – not vulnerable (no SIP stack)||DHCP – vulnerable (turn off and use static address)||SSH – vulnerable (but limited to the one root account)|
|CSS Gateway & Server||Vulnerable – BashUpgrade December||Web – presumed not vulnerable, not tested||SIP – presumed not vulnerable, not tested||DHCP – vulnerable (turn off)||SSH – presumed not vulnerable, not tested|
|Collaboration Server 1800||Vulnerable – Bash Upgradein Q4 – v8.4.2||Web – not vulnerable (no Apache CGI)||SIP – not vulnerable (SIP stack does not interface with environment variables)||DHCP – presumed not vulnerable (only fires once during out-of-box)||SSH – vulnerable (off by default, should not be turned on)|
|RealPresence ResourceManager||Vulnerable – Bash Upgrade in Q4 – v8.3||Web – not vulnerable (web server does not set environment variables)||SIP – not vulnerable, no SIP stack||DHCP – vulnerable (turn off and use static address)||SSH – vulnerable (turn off)|
|Resource Manager Virtual Edition||Vulnerable - BashUpgrade in Q4 – v8.3||Web – not vulnerable (web server does not set environment variables)||SIP – not vulnerable, no SIP stack||DHCP – presumed vulnerable, not tested (turn off and use static address)||SSH – presumed vulnerable, not tested (turn off)|
|Capture Server||Vulnerable||Web – presumed vulnerable, not tested||SIP – presumed vulnerable, not tested||DHCP – vulnerable (turn off, use static address)||SSH – presumed vulnerable, not tested|
|Collaboration Server Virtual Edition||Vulnerable - Bash Upgrade in Q4 – v8.4.2||Web – not vulnerable (no Apache CGI)||SIP – not vulnerable (SIP stack does not interface with environment variables)||DHCP – presumed not vulnerable (DHCP during setup only – if at all)||SSH – vulnerable (off by default, should not be turned on)|
|RMX 1000 and 500||
|CMA – All Versions||
|RealPresence Desktop – All Versions||Not Vulnerable||N/A||N/A||N/A||N/A|
|RealPresence Mobile – All Versions||Not Vulnerable||N/A||N/A||N/A||N/A|
|Media Manager – All Versions||Not Vulnerable||N/A||N/A||N/A||N/A|
|CMAD (CMA Desktop) – All Versions||Not Vulnerable||N/A||N/A||N/A||N/A|
|CX Product Line, All Video Versions||Not Vulnerable||N/A||N/A||N/A||N/A|
|RMX 4000, 2000 and 1500||Not Vulnerable||N/A||N/A||N/A||N/A|
|VVX Phones (w/ and w/out video) –
|SoundPoint Phones – All Versions||Not Vulnerable||N/A||N/A||N/A||N/A|
|SoundStation Phones – All Versions||Not Vulnerable||N/A||N/A||N/A||N/A|
|VSX – All Versions, including V700 and V500||Not Vulnerable||N/A||N/A||N/A||N/A|
|CSS Client – All Versions||Not Vulnerable||N/A||N/A||N/A||N/A|
|OTX and RPX Immersive Telepresence||Not Vulnerable||N/A||N/A||N/A||N/A|
|Viewstation Family, Including FX||Not Vulnerable||N/A||N/A||N/A||N/A|
|PTC – Group Series & HDX Versions||Not Vulnerable||N/A||N/A||N/A||N/A|
|MGC Family||Not Vulnerable||N/A||N/A||N/A||N/A|
|RSS 2000||Not Vulnerable||N/A||N/A||N/A||N/A|
As fixes become available for a given product, that information will appear in this bulletin in subsequent releases. Polycom will continue updating this bulletin until all fixes are in place. Polycom recommends that users of any Polycom product listed in the table above as being vulnerable update to the “FIXED” version of their product as soon as such a version becomes available.
Please read and understand these two mitigation sections before reading about which products are affected, and which come with their own internal mitigations:
Remembering that there are many attack vectors by which this vulnerability can be exploited, any sound mitigation must address this multiplicity of vectors. As well it is important to note that no matter which specific vector is under consideration, there are many possible means of mitigation: Polycom might have mitigated a specific vector on a specific product via programmatic means internal to the product, but it could just as easily be mitigated by a fielding condition. For example, turning off a given service might shut down a vector altogether.
An effective mitigation solution will incorporate strategies both from within the product and within the deployment architecture.
“Shellshock” (Bash vulnerability) is currently exploited via four known possible attack vectors. Note that a given product may or may not support one or all of these attack vectors:
- Manipulating CGI calls into the target’s HTTP server
- Logging into the target via SSH to the Bash shell
- Target’s DCHP client connects to a malicious server
- Inserting malicious strings into the target’s SIP stack
Fielding / Deployment Mitigations per Vector
For HTTP, restrict web management access via the whitelist feature on the Polycom product where supported. Whitelisting can also be implemented on the network itself. Network segregation can also isolate all HTTP traffic to known and trusted entities. Additionally, web access can be disabled altogether if the fielding conditions permit.
For SSH, disable shell access. If shell access must be maintained, similar methods to those used above for HTTP may also be deployed (whitelisting, network segregation).
The DHCP client attack vector can be mitigated simply by setting all IP addresses manually (static addresses). When possible, one can also disable DHCP. It is generally good security guidance on infrastructure products to use static addresses anyway. Since no Polycom endpoints (audio or video) are vulnerable to Shellshock, they may continue to use DHCP without concern. Additionally, ensuring that the only DHCP server on the network is non-malicious (via network or other controls) can mitigate this vector.
For SIP, SIP Authentication can be used to associate all clients with known identities. Network controls such as IDS and IPS can be used. Firewall rules can be monitored for suspicious behavior. H.323 can also be used in lieu of SIP. Network Access Control Lists can be used as either blacklists or whitelists. SIP networks can be segregated.
Any customer using an affected system who is concerned about this vulnerability within their deployment should contact Poly Technical Support – (888) 248-4143, (916) 928-7561, or visit the Poly Support Site.
|1.1||9/29/2014||More products added and more CVE’sadded to vulnerability details list|
|1.2||9/30/2014||All Poly endpoints cleared, RMX4000/2000/1500 cleared|
|1.3||10/7/2014||Legacy products added|
|1.4||10/9/2014||Detailed vulnerabilities ofinfrastructure products established at the vector level|
|1.5||10/13/2014||First fix announced, better dates andversions for fixes, better vector analysis|
|1.6||10/18/2014||OTX, RPX, SoundStructure all "notvulnerable." CloudAXIS, RPAD, RPRM vulnerability details updated. DMA fixannounced.|
|1.7||10/24/2014||MGC and RSS 2000 added, not vulnerable|
©2022 Plantronics, Inc. All rights reserved.
Poly, the propeller design, and the Poly logo are trademarks of Plantronics, Inc. All other trademarks are property of their respective owners. No portion hereof may be reproduced or transmitted in any form or by any means, for any purpose other than the recipient's personal use, without the express written permission of Poly.
While Poly uses reasonable efforts to include accurate and up-to-date information in this document, Poly makes no warranties or representations as to its accuracy. Poly assumes no liability or responsibility for any typographical errors, out of date information, or any errors or omissions in the content of this document. Poly reserves the right to change or update this document at any time. Individuals are solely responsible for verifying that they have and are using the most recent Technical Bulletin.
Limitation of Liability
Poly and/or its respective suppliers make no representations about the suitability of the information contained in this document for any purpose. Information is provided "as is" without warranty of any kind and is subject to change without notice. The entire risk arising out of its use remains with the recipient. In no event shall Poly and/or its respective suppliers be liable for any direct, consequential, incidental, special, punitive, or other damages whatsoever (including without limitation, damages for loss of business profits, business interruption, or loss of business information), even if Poly has been advised of the possibility of such damages.