Shellshock Vulnerability Update

Trend Micro Worry Free

Some of you may have heard that a new Linux Bash vulnerability, known as “Shellshock”, has recently been widely reported in the press, and you may already be getting inquiries from customers about whether Trend products are affected. This is similar to the Heartbleed bug, where several versions and platforms are affected.

SEG is currently surveying all the products, and we will be updating a master KnowledgeBase article with affected products and solutions as they become publicly available (same procedure we followed for Heartbleed):

Trend Micro have produced this customer notification to answer your questions.

According to Red Hat, “A flaw was found in the way Bash (aka bourne-again shell) evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.” An original fix was published for CVE-2014-6271, but it proved to be incorrect and/or incomplete, so a second advisory (CVE-2014-7169) was issued to address this.
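For triage while patches are rolled out, the following added example (not code from Trend Micro or Red Hat) scans web server access logs for request fields that look like the crafted values described above. It assumes the Apache/nginx "combined" log format and relies on the fact that Bash treats an environment value beginning with `() {` as a function definition; the log lines, addresses and the `find_probes` name are constructed for illustration.

```python
import re

# Bash parses an environment value that starts with "() {" as a function
# definition; allow for whitespace variations inside the marker.
FUNC_PREFIX = re.compile(r"\(\s*\)\s*\{")

# Apache/nginx "combined" log format (assumed layout).
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample lines: documentation IP ranges, placeholder in place
# of any command text.
SAMPLE_LOG = """\
192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2014:10:03:44 +0000] "GET /cgi-bin/status HTTP/1.1" 200 90 "-" "() { :;}; PLACEHOLDER"
203.0.113.5 - - [25/Sep/2014:10:04:10 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 0 "() { ignored; }; PLACEHOLDER" "curl/7.30"
192.0.2.11 - - [25/Sep/2014:10:05:00 +0000] "GET /docs/func() HTTP/1.1" 200 77 "-" "Mozilla/5.0"
"""


def find_probes(log_text):
    """Return one record per logged field that carries the function marker."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = COMBINED.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        # These fields are the client-controlled values a CGI-style server
        # passes to child processes as environment variables.
        for field in ("request", "referer", "agent"):
            if FUNC_PREFIX.search(m.group(field)):
                hits.append({
                    "line": lineno,
                    "ip": m.group("ip"),
                    "field": field,
                    "status": int(m.group("status")),
                })
    return hits


if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(hit)
```

A match shows only that a crafted value reached the server, not that Bash on that host was vulnerable, and headers the server does not log are invisible to this check. Hosts still need Bash packages that include the fixes for both CVE-2014-6271 and CVE-2014-7169.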