Company investigates other products that could be affected

Sep 29, 2014 11:30 GMT

Cisco assessed the impact of the Shellshock bug on its products and compiled a list of 31 products vulnerable to the glitch that has been around for more than 20 years; a total of seven network solutions were deemed to be unaffected.

On the list of devices that can be abused using the recently discovered flaw in Bash, the company included products designed for network protection, connection routing, network management, voice and unified communications, as well as devices for collaboration and media content delivery and encoding.

Among them are Cisco IronPort Encryption Appliance, Cisco GSS 4492R Global Site Selector, Cisco Mobility Services Engine, Cisco ACE Application Control Engine Module for the Cisco Catalyst 6500, Cisco Finesse, MediaSense, and Cisco TelePresence Serial Gateway Series.

Cisco's product line is still under review to identify other solutions that could be affected by the bug.

Company assigns a lower severity score

Cisco assessed the Bash bug’s severity using the latest version of the Common Vulnerability Scoring System (CVSS) and assigned a base score of 7.5 because the impact on its products is only partial.

The CVSS score for Shellshock is 10 out of 10, having gained maximum points because of its complete impact on a system and easy exploitation.

“The impact of this vulnerability on Cisco products varies depending on the affected product. Successful exploitation of the vulnerability may allow an unauthenticated attacker to run commands from the Bash shell,” explains Cisco in a security advisory.

Users advised to check for compatibility issues with other features

Software updates mitigating the risk of compromise through Shellshock have been made available by the company, and customers are recommended to check with their maintenance providers for compatibility issues before deploying the fixes.

Oracle is also facing trouble from Shellshock, initially listing 32 of its products as being vulnerable to the bug. The company has since revised the list, appending new products, and has also added entries to the list of solutions for which a patch is available.

Shellshock was disclosed publicly on Wednesday, September 24, and it is believed to be a bigger problem than Heartbleed.

Applying the latest patches from the developers should be a priority for anyone with a vulnerable version of the Bash command interpreter for Linux. Several fixes have been developed and delivered to clients through updates because the first attempts to eliminate the glitch failed and opened the door for other exploitation methods.