Spectracom - Essential Ingenuity

Bash Bug Susceptibility

Question

Are Spectracom Products Susceptible to the Bash Bug?

Answer

September 26, 2014

Last week, a vulnerability was revealed in Bash command interpreter used in some Spectracom products. The flaw, documented in the Common Vulnerabilities and Exposure system as CVE-2014-6271 and CVE-2014-7169, effects a wide-range of enterprise-class devices based on Linux/Unix, such as Spectracom SecureSync and NetClock 9400/9300/9200 precision timing appliances, although we believe the impact to our equipment is minimal.

This article will provides information about the risks of the bug, our recommended short-term actions for those who have concerns about the risk, and our plan to patch the flaw in an upcoming release.

Security Patch Availability
We are still evaluating the security patches for the Bash bug and we expect a software update in about 4 weeks. You can request an email notification of the update by registering your product. You can check your existing registrations, by entering your email address and clicking "check my registrations". 

Update October 22, 2014: SecureSync and NetClock 9400 software can be patched for the Bash Bug vulnerability by applying the 5.1.6 update.
Update November 4, 2014: NetClock 9300 and 9200 software can be patched by applying the 3.6.7 update.

Analysis of Risk
There are several network services using the Bash command interpreter that are only available to authenticated users of the affected Spectracom product. To exploit the vulnerability through these services, one must login using a username and password with sufficient permissions to use these services such as FTP, telnet, etc. First, it is recommended to disable any unused network service. Also, if you believe untrusted individuals can access administrative functions of the Spectracom product, then change usernames and password immediately. You can also limit login access, even when username and passwords are known, by setting up network access controls. We believe the risk is then limited to two issues:
  1. Any web interface using CGI scripts
  2. DHCP servers

Spectracom Products Running CGI
The affected Spectracom products use CGI as the main set-up and monitoring interface via a web browser up to, and through, application software version 5.0.2. We recommend the following actions:

For users of SecureSync and NetClock 9400 (running 5.0.2 or below): Upgrade to 5.1.5 and disable the “classic interface”.

NetClock 9200/9300 (all application software versions): Disable HTTP/HTTPS services until the software can be patched.

We will provide instructions to re-enable the services required to apply the update. Alternatively you can set-up network access controls to limit management access to only specific known addresses or subnets.

Issue with DHCP
We recommend turning off DHCP and setting static IP address for the network interfaces as the typical configuration of these products. While we know our DHCP script is still running even when a static IP address is set, we filter any rogue DHCP responses which eliminates the potential vulnerability.

Cyber security vulnerabilities are an on-going issue in today’s world and Spectracom strives to keep its products current to the latest protections available. If you have any concerns or need help with any of these recommendations, please contact Customer Support.


 

Was this information helpful?

 Yes  No