Shellshock!? Is it an issue for Zyxel products?

 

Zyxel Communications would like to reassure its customers that Zyxel’s Networking products, including Switches, USGs (Unified Security Gateways), ZyWALL VPN firewalls, UAGs (Unified Access Gateways), are not at risk from the Shellshock vulnerability disclosed on September 24, 2014, which affects Linux and Unix Bash shells.

Zyxel’s WLAN Controllers (the NXC Series) and WLAN Access Points (the NWA3000-N Series and the NWA5000-N Series), however, are slightly affected by the said vulnerability. Nevertheless, we are aware of the damage caused by Shellshock and will continuously work hard until we find the best solutions to our customers. Specifically, Zyxel will release a new patch and upload it online (Download Library) by the 15th of October to ease customer concern about the vulnerability.

Zyxel will continue to monitor Shellshock’s impact and provide the latest updates to our customers when necessary. For optimal network security, Zyxel recommends customers to limit access over protected networks and only grant trusted members access to the networks.

 

Are my Zyxel products affected by the Shellshock vulnerability?

Solutions For

Products

Affected by Shellshock

Latest Patch Update

Service Providers

MSANs/DSLAMs

N

-

DSL CPEs

N

-

Ethernet Gateways

N

-

MSANs/DSLAMs

N

-

Managed Switches

N

-

GEPON/GEPON

N

-

Home Users

DSL Gateways

N

-

Wireless Routers

N

-

Wireless Access Points

N

-

Wireless Extenders

N

-

Wireless Adapters

N

-

Desktop Switches

N

-

Network Storages/Media Servers

N

-

Small & Medium Business

Managed Switches

N

-

Smart Switches

N

-

Unmanaged Switches

N

-

WLAN Controllers 
NXC Series (NXC5500, NXC5200, NXC2500)

Y

15th Oct., 2014

WLAN Access Points 
- NWA3000-N Series (NWA316-N, NWA3560-N, NWA3550-N) 
- NWA5000-N Series (NWA5160N, NWA5560-N, NWA5550-N)

Y

15th Oct., 2014

Unified Security Gateways

N

-

ZyWall VPN Firewalls

N

-

Unified Access Gateways

N

-

Hospitality Gateways

N

-

 

About the Shellshock Vulnerability

Shellshock (CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169), the recently discovered Internet-wide severe vulnerability, enables attackers to override or bypass certain restrictions to execute Linux or Unix bash shell commands.

CVE-2014-6271

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock”.

CVE-2014-6277

GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access, and untrusted-pointer read and write operations) via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

CVE-2014-6278

GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

CVE-2014-7169

GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

Source: National Vulnerability Database