
This is intended to be a Community Wiki to document which operating systems and devices are known to be affected by the Shellshock vulnerability (and related vulnerabilities), and what patches are available.

The CW list should contain the following pieces of information:

  • Name of product affected.
    • (Include affected versions, if possible.)
  • Patch availability status.
  • Links to references:
    • Vendor/researcher confirmation that the product is affected.
    • Vendor patch notice and/or download page. (If available.)

Note that this is not the place to post original research, nor is this intended to be an in-depth examination of how certain products are affected. It's simply to list affected products and available patches.

Currently, there are six vulnerabilities generally being categorized under the umbrella of "Shellshock":

  • CVE-2014-6271
  • CVE-2014-7169
  • CVE-2014-7186
  • CVE-2014-7187
  • CVE-2014-6277
  • CVE-2014-6278

A product doesn't need to have patches available for any, or all, of these in order to be listed. The minimum criterion to list a product here is that there is public confirmation from a reputable source stating that one or all of the above CVEs apply to the product. If vulnerability confirmation or patches are still unavailable for a product, for some of these CVEs, please still list the product and what information is available.

Do not add a product to this list, or claim a patch is available, without providing a reference to either a vendor-issued notice or documentation by another researcher.

Please do not post separate answers. The first answer should be flagged as Community Wiki, so anyone can add to or change it later as needed.

Iszi
  • https://isc.sans.edu/ has good links on the front page, including Cisco, Debian, and Ubuntu links. I think this should be created on Meta, edited, and posted as an update to the Shellshock tag detail to avoid noise and FUD (cPanel etc. depend on config, a fine-grained issue missed by most inputs so far). That said, I will follow your question. – zedman9991 Sep 26 '14 at 19:01


Below are products for which vendor statements or reputable research has been found to confirm their vulnerability status. Additional information may also be available at the following sites:

US-CERT - The United States Computer Emergency Response Team

Shellshocker.net - Website dedicated to Shellshock vulnerabilities. Maintained by the Medical Informatics Engineering IT team.


DISCLAIMER: This is not by any means a comprehensive list of affected products, nor does it necessarily represent all of the information or patches that are currently available for the listed products.

Inclusion of information in this list simply means that someone has found Shellshock-relevant information and has cared to add it to the list. Omission of details does not necessarily mean that a product is not affected, or patches are not available.

If a product you use is not listed below, and you are unsure of whether or not it is affected by Shellshock-related vulnerabilities, you should contact the product vendor yourself. You should also contact the vendor with your concerns if their product is listed, but status for one or more vulnerabilities is not. If the vendor provides links to publicly-accessible statements regarding how their products are affected and what remediation options are available, please add them to this list.


Last Update: 2014-09-30 00:30Z



Amazon Linux

Affected Versions: (Unspecified)

CVE-2014-6271

CVE-2014-7169, CVE-2014-7186, CVE-2014-7187

CVE-2014-6277, CVE-2014-6278

  • No data (2014-09-29 23:30Z)

CentOS

Affected Versions: 5 through 7 (Per vendor notice. Earlier versions unconfirmed.)

CVE-2014-6271

CVE-2014-7169, CVE-2014-7186, CVE-2014-6277

CVE-2014-7187, CVE-2014-6278

  • No data (2014-09-29 23:30Z)

Cisco

Affected Products: (Multiple - see advisories for details.)

CVE-2014-6271, CVE-2014-7169

CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278

  • No data (2014-09-29 23:30Z)

Debian

Affected Products: (Unspecified)

CVE-2014-6271

  • Vendor confirmation & remediation instructions: DSA-3032-1

CVE-2014-7169, CVE-2014-7186, CVE-2014-7187

  • Vendor confirmation & remediation instructions: DSA-3035-1

CVE-2014-6277

  • Vendor status page (patch status indeterminate as of 2014-09-30 00:00Z): CVE-2014-6277

CVE-2014-6278

  • Vendor status page (patch status indeterminate as of 2014-09-30 00:00Z): CVE-2014-6278

Gentoo

Affected Products: (Unspecified)

CVE-2014-6271

CVE-2014-7169

CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278

  • No data (2014-09-30 00:00Z)

Oracle Enterprise Linux

Affected Products: 4 through 7 (Per vendor notice. Earlier versions unconfirmed.)

CVE-2014-6271

CVE-2014-7169

CVE-2014-7187, CVE-2014-6277, CVE-2014-6278

  • No data (2014-09-30 00:30Z)

Ubuntu

Affected Versions: 10.04 through 14.04 (Per vendor notice. Earlier versions unconfirmed.)

CVE-2014-6271

  • Vendor confirmation & remediation instructions: USN-2362-1

CVE-2014-7169

  • Vendor confirmation & remediation instructions: USN-2363-2

CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278

  • No data (2014-09-30 00:30Z)


Iszi

Thing is -- the answer is basically: all of them. Any device with GNU Bash installed, any version, is technically vulnerable.

Notable exception: BusyBox is not GNU. So your wifi router probably doesn't have GNU Bash.

But more importantly, not every device exposes Bash such that arbitrary values can be inserted into environment variables. The critical examples where this is possible are in CGI scripts which use Bash for something, in certain types of DHCP responders, and in restricted shell environments.

A lot of people are just now learning that some web control panels (like Plesk) ship with a set of "test" CGI scripts, one of which is written in Bash. And while almost nobody would write a serious web application in Bash CGI, many of them may have this test script installed.

tylerl
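The list above records vendor status; the answer directly above explains why the status of the Bash binary itself matters only where untrusted input reaches an environment variable (a CGI server, for example, copies the `User-Agent` request header into `HTTP_USER_AGENT` before running the script). The following script is an added example, written for this page and not taken from either answer or from any vendor, that lets you check a host you control against five of the six CVEs listed. It assumes a `bash` on `PATH` (override with `BASH_BIN`), uses the widely published one-line test strings, and leaves out CVE-2014-6277, for which no simple pass/fail string is included here.

```shell
#!/usr/bin/env bash
# Added example: local Shellshock self-test for five of the six CVEs on this
# page. Runs the widely published test strings against the bash named in
# $BASH_BIN (assumption: "bash" on PATH). Each check_* function returns
# 0 = VULNERABLE, 1 = not vulnerable, 2 = the target bash could not be run.
BASH_BIN="${BASH_BIN:-bash}"

# Sanity check: can the target bash execute at all?
bash_runs() { "$BASH_BIN" -c true >/dev/null 2>&1; }

# CVE-2014-6271: commands appended after an exported function body are run
# while the child bash imports its environment.
check_6271() {
  bash_runs || return 2
  out=$(env x='() { :;}; echo vulnerable' "$BASH_BIN" -c 'echo test' 2>/dev/null) || true
  case "$out" in *vulnerable*) return 0 ;; esac
  return 1
}

# CVE-2014-7169: the first fix left a parser bug; on a vulnerable bash the
# command `echo date` becomes a redirection that creates a file named "echo".
check_7169() {
  bash_runs || return 2
  tmp=$(mktemp -d) || return 2
  ( cd "$tmp" && env X='() { (a)=>\' "$BASH_BIN" -c 'echo date' >/dev/null 2>&1 ) || true
  if [ -e "$tmp/echo" ]; then rm -rf "$tmp"; return 0; fi
  rm -rf "$tmp"
  return 1
}

# CVE-2014-7186: fourteen stacked here-documents overflow redir_stack; a
# vulnerable bash crashes, so a non-zero exit status means vulnerable.
check_7186() {
  bash_runs || return 2
  "$BASH_BIN" -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' \
    >/dev/null 2>&1 && return 1
  return 0
}

# CVE-2014-7187: 200 nested for-loops overflow word_lineno; again a crash
# (non-zero exit) means vulnerable. The nested loops are generated here.
check_7187() {
  bash_runs || return 2
  {
    i=1; while [ "$i" -le 200 ]; do printf 'for x%d in ; do :\n' "$i"; i=$((i+1)); done
    i=1; while [ "$i" -le 200 ]; do printf 'done\n'; i=$((i+1)); done
  } | "$BASH_BIN" >/dev/null 2>&1 && return 1
  return 0
}

# CVE-2014-6278: a second injection path through the function-import parser;
# a vulnerable bash executes the braced command list.
check_6278() {
  bash_runs || return 2
  tmp=$(mktemp -d) || return 2
  out=$(cd "$tmp" && env X='() { _; } >_[$($())] { echo vulnerable; }' "$BASH_BIN" -c : 2>/dev/null) || true
  rm -rf "$tmp"
  case "$out" in *vulnerable*) return 0 ;; esac
  return 1
}

# Run every check, print one line per CVE, and return the number of
# VULNERABLE results (0 means the tested bash passed all five checks).
run_all() {
  n=0
  for cve in 6271 7169 7186 7187 6278; do
    rc=0; "check_$cve" || rc=$?
    case $rc in
      0) echo "CVE-2014-$cve: VULNERABLE"; n=$((n+1)) ;;
      2) echo "CVE-2014-$cve: could not run $BASH_BIN" ;;
      *) echo "CVE-2014-$cve: not vulnerable" ;;
    esac
  done
  return "$n"
}

run_all
```

A clean result only says the tested binary is patched. It says nothing about whether a CGI script, DHCP client or forced-command SSH login on that host actually hands attacker-controlled values to Bash, which is the exposure question tylerl raises, nor about appliances whose Bash you cannot run this against; for those, the vendor references in the list above remain the source of truth.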