Are you Shellshock(ed)?

The Shellshock bash bug is a critical security hole for all Unix, Linux and *nix based systems. Bash(Unix Shell) is a piece of Software released by Brian Fox in 1989 for the GNU Project.

The bug can affect you trough malicious requests sent to web servers or network devices.

A number of Cisco products use an affected version of the Bash shell.

Cisco made an official statement that meraki devices are not affected from the Shellshock and Heartbleed vulnerability. See detailed information at the official cisco website.

Cisco Meraki Shellshock
Cisco Meraki Heartbleed

There is a very simple test to check  if you are vulnerable. Run the following lines in your default shell.

env x="() { :;} ; echo vulnerable" /bin/sh -c "echo stuff"
env x="() { :;} ; echo vulnerable" 'which bash' -c "echo completed"

Network Application, Service, and Acceleration

  • Cisco ACE Application Control Engine Module for the Cisco Catalyst 6500 [CSCur02931]
  • Cisco ASA CX and Cisco Prime Security Manager [CSCur01959]
  • Cisco Application Control Engine (ACE30/ ACE 4710) [CSCur02195]
  • Cisco Application and Content Networking System (ACNS) [CSCur05564]
  • Cisco Clean Access Manager [CSCur05566]
  • Cisco DC Health Check [CSCur09963]
  • Cisco GSS 4492R Global Site Selector [CSCur02747]
  • Cisco NAC Appliance [CSCur03364]
  • Cisco NAC Server [CSCur05575]
  • Cisco NetAuthenticate [CSCur05632]
  • Cisco Smart Call Home [CSCur05551]
  • Cisco Smart Care [CSCur05638]
  • Cisco Sourcefire Defense Center and Sensor Product – None
  • Cisco Visual Quality Experience Server [CSCur06775]
  • Cisco Visual Quality Experience Tools Server [CSCur06775]
  • Cisco Wide Area Application Services (WAAS) [CSCur02917]

Network and Content Security Devices

Network Management and Provisioning

Routing and Switching – Enterprise and Service Provider

Unified Computing

Voice and Unified Communications Devices

Video, Streaming, TelePresence, and Transcoding Devices

  • Cisco AutoBackup Server [CSCur09315]
  • Cisco D9036 Modular Encoding Platform [CSCur04504]
  • Cisco Digital Media Player (DMP) 4310 [CSCur05628]
  • Cisco Download Server (DLS) (RH Based) [CSCur09318]
  • Cisco Edge 300 Digital Media Player [CSCur02761]
  • Cisco Edge 340 Digital Media Player [CSCur02751]
  • Cisco Media Experience Engine (MXE) [CSCur04893]
  • Cisco PowerVu D9190 Conditional Access Manager (PCAM) [CSCur05774]
  • Cisco Show and Share [CSCur03539]
  • Cisco StadiumVision Director [CSCur30139]
  • Cisco StadiumVision Mobile Reporter [CSCur30167]
  • Cisco StadiumVision Mobile Streamer [CSCur30155]
  • Cisco TelePresence 1310 [CSCur05163]
  • Cisco TelePresence Conductor [CSCur02103]
  • Cisco TelePresence Exchange System (CTX) [CSCur05335]
  • Cisco TelePresence ISDN Link [CSCur05025]
  • Cisco TelePresence Manager (CTSMan) [CSCur05104]
  • Cisco TelePresence Multipoint Switch (CTMS) [CSCur05344]
  • Cisco TelePresence Recording Server (CTRS) [CSCur05038]
  • Cisco TelePresence System 1000 [CSCur05163]
  • Cisco TelePresence System 1100 [CSCur05163]
  • Cisco TelePresence System 1300 [CSCur05163]
  • Cisco TelePresence System 3000 Series [CSCur05163]
  • Cisco TelePresence System 500-32 [CSCur05163]
  • Cisco TelePresence System 500-37 [CSCur05163]
  • Cisco TelePresence TE Software (for E20 – EoL) [CSCur05162]
  • Cisco TelePresence TX 9000 Series [CSCur05163]
  • Cisco TelePresence Video Communication Server (VCS/Expressway) [CSCur01461]
  • Cisco TelePresence endpoints (C series, EX series, MX series, MXG2 series, SX series) and the 10″ touch panel [CSCur02591]
  • Cisco VDS Service Broker [CSCur05679]
  • Cisco Video Distribution Suite for Internet Streaming VDS-IS [CSCur05320]
  • Cisco Video Surveillance Media Server [CSCur05423]
  • Cisco Virtual PGW 2200 Softswitch [CSCur05847]

Cisco Hosted Services

For more detailed information see original post from Cisco [cisco-sa-20140926-bash]