What is Shellshock?

Recently, a bug called Shellshock was discovered that could potentially allow remote attackers to access Linux, Unix, and Mac OS X operating systems. This bug, also called the Bash Bug because it exploits vulnerabilities in the bash shell of *nix-based systems, is rated a 7.5 on the Common Vulnerability Scoring System, the highest score a bug may get. It also has a low difficulty rating, making it a very serious vulnerability.

How Does it Affect Nexus 9000 Series Switches?

Cisco Nexus 9000 switches are not vulnerable out of the box. The NX-OS image includes a version of bash that is affected by the Shellshock bug, but for the vulnerability to be exploited a user must first SSH into a switch and log in successfully. The Common Vulnerabilities and Exposures (CVE) IDs for these vulnerabilities are:

  • CVE-2014-6271
  • CVE-2014-7169
  • CVE-2014-6277
  • CVE-2014-6278
  • CVE-2014-7186
  • CVE-2014-7187

Shellshock could potentially allow attackers to log in to the switch and send remote commands to attack the network or possibly set up attacks for later exploitation. However, as long as TACACS or local authentication has been used to secure the login, the vulnerability is not exploitable. Nexus 9000 Series switches can run in NX-OS mode or ACI mode. The bug affects all current releases of the NX-OS mode image for the Nexus 9000 Series. The ACI image for the Nexus 9000 Series has been analyzed and is not vulnerable to Shellshock. Even though the ACI image is not affected, it now contains a patched version of the bash shell as well.

Shellshock Fixed in Recent Patches

The Nexus 9000 NX-OS team was one of the first, if not the first, in the networking industry to fix these issues with hot patches. Cisco has released hot patches that fix all six of the CVEs listed above for the existing NX-OS software and the Guest Bash Shell. These patches are currently available for download from http://software.cisco.com/download/navigator.html

A very helpful configuration guide posted on our website explains how to perform NX-OS software maintenance upgrades (SMUs) and how to use the downloadable RPM to patch the Guest Bash Shell.

Shellshock Fixes for Nexus 3000, 5000, 6000 and 7000

A Shellshock fix has already been released for the Nexus 7000 Series in NX-OS release 6.2. For the remaining platforms, we will be providing fixes through upcoming NX-OS software releases by the end of this month.


Dave Dhillon

Product Marketing Manager

Data Center Solutions Team