====================================================
SB-3 2014-09-25 Bash "Shellshock" vulnerability
====================================================

Service bulletin: SB-3
Date: September 25, 2014

On September 24, 2014, a vulnerability in the Bash shell was
announced. Bash is installed on all SD-WAN nodes and Debian
Linux servers, and under certain conditions the flaw can allow an
attacker to execute arbitrary code on a vulnerable host. The vulnerability
is described in CVE-2014-6271 and CVE-2014-7169. Debian has released
patches for Bash that fix the flaws described in both CVEs.

We are not aware of any ways that SD-WAN management or node
software is vulnerable to this flaw. However, as a precaution, all
management servers were patched on the evening of September 24.

We strongly recommend that partners upgrade Bash on all their nodes
using the solution below.

Affected hosts
---------------

-  All nodes

Solution
---------

A script is available that upgrades Bash on all nodes. This script
does not result in any service interruption for SD-WAN
end-users.

To upgrade nodes, run these commands on the management server. Do not
use the script on bonders or aggregators—it will only work when
executed on the management server.

For the latest version of the script, contact Technical Support.

The script logs into each node, determines if Bash is vulnerable, and
upgrades Bash if necessary. It works on both Debian Wheezy and Squeeze
devices. On Squeeze, it adds the “squeeze-lts” (Long Term Support)
software repository to its list of software sources, because standard
Squeeze software repositories are no longer updated.

If any nodes are offline when you run the script, run it again when
those nodes are available. The script makes no changes to nodes that
already have a patched version of Bash, so you can safely run it
multiple times. If your RSA public key is installed on the nodes, you
will not be asked for node passwords. If it is not, you will need to
provide the password for each node.

References
-----------

-  CVE-2014-6271:
   http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
-  CVE-2014-7169:
   http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169
-  Debian security advisories:
   https://www.debian.org/security/2014/dsa-3032 and
   https://www.debian.org/security/2014/dsa-3035
-  Debian bash changelog: https://packages.debian.org/wheezy/bash, then
   click the link "Debian Changelog" (the link changes from time to time
   as the package is updated)
