Comtrend Security Advisories, Responses, and Notices
Advisory ID: ComtrendShellshockSecurityAdvisory-01
Title: UPnP Vulnerability
Public Release Date: 11/05/2014
A new vulnerability nicknamed Shellshock (aka “Bash Bug” or “Bashdoor”) was recently found in the widely used Unix Bash shell, from version 1.13 to 4.3. The Bash shell vulnerability affects many implementations of Linux and Unix systems. It has been publicly disclosed as CVE-2014-6271. Shellshock is considered a very serious vulnerability because it allows remote code execution and gives the hacker full access to the system. The hacker would be able to get to the shell and execute any kind of program on the target.
Comtrend has investigated our DSL CPEs and switch routers for this vulnerability and found that they are not susceptible. We use an embedded, password-protected system that uses BusyBox instead of Bash.
We also strongly recommend that providers apply publicly available software patches to servers in their network environment to protect against the vulnerability. For example, while the Comtrend ACS (TR-069 Auto Configuration Server) software is not vulnerable to Shellshock, the Linux or Unix operating system on which the ACS software runs may be vulnerable. To locate resources and applicable patches for your systems, check the National Vulnerability Database summary for CVE-2014-6271. Additional variations of the original vulnerability identifier have since been disclosed (see list below).
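A way to check a server that hosts the ACS software, given here as an added example and not Comtrend's own tooling: the script reports which binary backs each shell path (Bash, BusyBox, or another shell) and whether that shell still runs a command appended to a function definition imported from the environment, which is the CVE-2014-6271 behaviour. The list of shell paths, the function names and the marker string are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: local audit of the shells installed on this host.

MARKER="CVE_2014_6271_MARKER"   # constructed, harmless marker string

# Print the name of the binary a shell path resolves to (bash, busybox, dash...).
shell_backend() {
    basename "$(readlink -f "$1" 2>/dev/null || printf '%s' "$1")"
}

# Print "VULNERABLE" if the shell at $1 runs the trailing echo while importing
# the environment variable, "not-vulnerable" if it does not, and "missing" if
# the path is not an executable file.
check_shell() {
    [ -x "$1" ] || { echo "missing"; return 0; }
    out=$(env "probe=() { :;}; echo $MARKER" "$1" -c 'echo done' 2>/dev/null)
    case "$out" in
        *"$MARKER"*) echo "VULNERABLE" ;;
        *)           echo "not-vulnerable" ;;
    esac
}

# Check the usual shell locations (this path list is an assumption; add the
# paths used by your distribution or by service accounts on the host).
report() {
    for sh_path in /bin/sh /bin/bash /usr/bin/bash /usr/local/bin/bash; do
        [ -e "$sh_path" ] || continue
        printf '%-22s backend=%-8s %s\n' "$sh_path" \
            "$(shell_backend "$sh_path")" "$(check_shell "$sh_path")"
    done
}

report
```

A "not-vulnerable" result covers only the original CVE-2014-6271 behaviour; the later variants mentioned above are closed by installing the vendor's current Bash package, not by this check.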