Bash Command Injection Vulnerability (Supplement)
ICSA： ICS Advisory (ICSA-14-269-01 (Supplement))
This advisory supplement is to accompany the NCCIC/ICS-CERT advisory titled ICSA-14-269-01 Bash Command Injection Vulnerability and all following updates that were originally published September 26, 2014, on the ICS-CERT web site and posted to the US-CERT secure Portal library. Please refer to the original advisory for all the details of the vulnerability. The purpose of this advisory supplement is to document which products are affected by this vulnerability and suggest how users of these products may mitigate the effects of this vulnerability. This document will be updated as needed.
ICS-CERT thanks the following companies for responding to our inquiry for which of their products were or were not affected:
ABB, Advantech, Alstom, Azeotech, Cogent, Digi, Ecava, eWON, Fox-It, Honeywell, Inductive Automation, Eaton, Elecsys, Festo, Garrettcom, Hirschmann, Innominate, JPCERT, Meinberg, Moxa, Nordex, Ocean Data Systems, Omnimetrix, OPCSystems, OSIsoft, Phoenix Contact, Post Oak Traffic, Progea, Red Lion, Rockwell Automation, Schneider Electric, SEL, Sielco Sistemi, Siemens, Sierra Wireless, SUBNET Solutions, Tofino Security, Tridium, Trihedral, Vista Control, Weidmuller, and Wind River.
ICS-CERT encourages any asset owners/operators, developers, or vendors to coordinate known implementations of the affected products directly with ICS-CERT.
- Directly affected: ABB Tropos 3000, 4000, 6000, & 7000 series routers
- Indirectly affected: Ventyx NM EMS/SCADA on RHEL, Ventyx.
Please see ABB’s public notification and mitigation strategies at:
Please see Cisco’s advisory for full list of affected products at:
- Connectport LTS, Digi Passport, Digi CM.
Digi says that the vulnerability cannot be exploited remotely on these systems.
Please see eWON’s advisory for full list of affected products at:
- LANTIME V4.x, V5.x and V6.x
Please see Meinberg’s public notification and mitigation strategies at:
- All Linux-based computers except EM1220-LX, EM1240-LX, UC7110-LX, UC7112-LX.
Moxa is currently investigating a solution.
Red Lion products:
- Sixnet BT-5000 and 6000 Series
- RAM 9000, RAM 6000, SN 6000 and M, A and R Series
These products use the bash shell but are not considered to be vulnerable or exploitable.
- ROX 1: All versions <= V1.16.0
- ROX 2: All versions <= V2.5.0
- APE Linux V1.0 with ELAN installed
Please refer to SSA-86096 for more details at Siemens’ web site: