Overview
This article explains the Shellshock vulnerability and why Exinda products are not affected by it.
Information
The Shellshock vulnerability (also known as Bashdoor), found in the bash shell in late 2014, is a set of bugs that allow an attacker to obtain credentials or execute their own commands if they get the opportunity to access a bash script.
Exinda appliances are built on a Linux subsystem that includes the bash shell. However, the command-line interface (CLI) is built on a separate plane from bash, and they do not interact for any operation (as access to the shell is not allowed by default). Additionally, bash is not customer-facing; the only way to get to the shell is for Exinda Support to access it during troubleshooting through the use of a restricted license key. Without that key, it is not possible to access the bash capabilities of the device. Furthermore, WebUI scripts that interact with the system do not have exploitable bash scripts that can be hijacked and used by potential attackers.
As a precaution, versions 6.4.3 Update 12, 6.4.6 and 7.0.1 Update 2 have a new version of bash that was patched after the exploit was found. Any firmware versions above those (including 6.4.3 Update 14, 6.4.7 and any version of 7.x.x greater than 7.0.1u2) have this unaffected bash shell included.
If you are using a firmware version older than the three listed above, it is recommended to upgrade to a newer firmware, not just as a precautionary measure, but also because of the numerous feature enhancements and bug fixes built into more recent firmware.