Shellshock Security Alert & Alcatel products

cheesecake
Member
Posts: 6
Joined: 25 Jun 2012 17:05


Post by cheesecake »

Hello all,

There is a security alert that you may have seen called Shellshock - http://www.bbc.com/news/technology-29375636

Does Alcatel have a list of products that are impacted by this Shellshock security vulnerability?

To check your system for this Shellshock vulnerability - https://www.digitalocean.com/community/ ... nerability

I checked on our Alcatel OmniPCX Enterprise and found it to be vulnerable to Shellshock.


Thank you,

Cheesecake
cavagnaro
Alcatel Unleashed Certified Guru
Posts: 7014
Joined: 14 Sep 2005 19:45
Location: Brasil, Porto Alegre

Re: Shellshock Security Alert & Alcatel products

Post by cavagnaro »

It is for all Linux Based software. Which is a lot. No fix has been released by anyone yet, even those launched have workarounds too and are still exploitable.
Ignorance is not the problem, the problem is the one who doesn't want to learn

OTUC/ICS ACFE/ACSE R3.0/4.0/5.0/6.0
Certified Genesys CIV 8.5
Certified Genesys Troubleshooting 8.5
Certified Genesys BEP 8.x
Genesys Developer
sylvainsjc
Member
Posts: 15
Joined: 05 Jun 2008 08:06

Re: Shellshock Security Alert & Alcatel products

Post by sylvainsjc »

Image
ACSE OmniTouch CCIVR (2014/05)
ACSE OmniPCX Enterprise R11 (2013/12)
ACSE OmniTouch Contact Centers Standard Edition (2013/11)
ACSE OmniPCX Enterprise R10 (2012/06)
ACSE OmniTouch Contact Centers Outbound R10 (2011/06)
cavagnaro
Alcatel Unleashed Certified Guru
Posts: 7014
Joined: 14 Sep 2005 19:45
Location: Brasil, Porto Alegre

Re: Shellshock Security Alert & Alcatel products

Post by cavagnaro »

Um... I have seen many patches, but they are more workarounds. Hope this one is a patch itself.
cavagnaro
Alcatel Unleashed Certified Guru
Posts: 7014
Joined: 14 Sep 2005 19:45
Location: Brasil, Porto Alegre

Re: Shellshock Security Alert & Alcatel products

Post by cavagnaro »

And there is ICS, teamwork, omnivista, etc that also have Linux as core.
tgn
Member
Posts: 802
Joined: 30 Dec 2009 17:59
Location: Germany

Re: Shellshock Security Alert & Alcatel products

Post by tgn »

i think as a first action we have to think about the question... how can a possible attacker take benefit of this vulnerability...
these are mainly on linux systems (like described here -> https://www.digitalocean.com/community/ ... nerability)
- Apache HTTP Servers that use CGI scripts (via mod_cgi and mod_cgid) that are written in Bash or launch to Bash subshells
- Certain DHCP clients
- OpenSSH servers that use the ForceCommand capability
- Various network-exposed services that use Bash
so for oxe you can implement the trusted hosts feature and/or better set it in a server-network area behind a firewall to minimize the risk. also the webserver can be deactivated on machines with newer releases.
for the other machines that use red hat linux as a base i can ask the question again and again.... why doesn't alcatel use the distributor's packages for apache and tomcat... if this can be realized the red hat patches (or workarounds like cav says :P) can be used to be "up to date in security terms"....

regards...
--- back to basics... focus your eyes to the essential things... ---
haroun
Senior Member
Posts: 1355
Joined: 29 Mar 2010 11:09

Re: Shellshock Security Alert & Alcatel products

Post by haroun »

env 'VAR=() { :;}; echo Bash is vulnerable!' 'FUNCTION()=() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
for oxe the output
Bash is vulnerable!
Bash Test
no use of the web http (4760i) for management and maintenance 'ouf'
let us see for faxserver !!
haroun
Senior Member
Posts: 1355
Joined: 29 Mar 2010 11:09

Re: Shellshock Security Alert & Alcatel products

Post by haroun »

OFS ALSO
Bash is vulnerable!
Bash is vulnerable!
Bash Test.
WONDERFUL !
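
The test from the two posts above, as an added example that is not part of the original thread: a scriptable version that counts how many of the two probes fired instead of relying on reading the output by eye. The function names `count_hits`, `verdict` and `probe_bash` are hypothetical; the marker string and probe definitions are the ones in the thread's command.

```shell
#!/bin/sh
# Added example, not from the thread: the env test above made scriptable.
MARKER='Bash is vulnerable!'   # marker string used by the thread's test

# count_hits TEXT: number of lines in TEXT that are exactly the marker.
count_hits() {
    printf '%s\n' "$1" | grep -cxF -- "$MARKER" || true
}

# verdict TEXT: map captured probe output to a one-word result.
verdict() {
    case "$(count_hits "$1")" in
        0) echo "not-vulnerable" ;;
        *) echo "vulnerable" ;;
    esac
}

# probe_bash PATH: run both probes against one bash binary.
# Prints "<path> <verdict> hits=<n>".
# Returns 0 if no probe fired, 1 if any fired, 2 if PATH is not executable.
probe_bash() {
    bin="$1"
    if [ ! -x "$bin" ]; then
        echo "$bin not-runnable hits=0"
        return 2
    fi
    # stderr is dropped: builds that refuse the import may print warnings there.
    out=$(env "VAR=() { :;}; echo $MARKER" \
              "FUNCTION()=() { :;}; echo $MARKER" \
              "$bin" -c 'echo Bash Test' 2>/dev/null) || true
    hits=$(count_hits "$out")
    echo "$bin $(verdict "$out") hits=$hits"
    [ "$hits" -eq 0 ]
}

# Usage (run locally on the host being checked): probe_bash /bin/bash
```

The return code makes the check usable from an inventory loop across hosts, and `hits` preserves the one-line versus two-line difference seen in the OXE and OFS outputs.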
tgn
Member
Posts: 802
Joined: 30 Dec 2009 17:59
Location: Germany

Re: Shellshock Security Alert & Alcatel products

Post by tgn »

is anyone here successful in hacking the bash through the webserver? ;)
haroun
Senior Member
Posts: 1355
Joined: 29 Mar 2010 11:09

Re: Shellshock Security Alert & Alcatel products

Post by haroun »

thank god i haven't public addresses for oxe and ofs, and we have good guys for lan security