BASH SHELL ARBITRARY CODE EXECUTION ON VARIOUS POLYCOM PRODUCTS
Two vulnerabilities in the GNU Bash shell allow for the execution of arbitrary code. Note that a partial fix was enacted to address the first vulnerability in the GNU Bash shell that inadvertently produced its own vulnerability. Both vulnerabilities involve the processing of environment variables and/or their values.
- Severity
-
Critical
- Advisory ID
-
PLYGN14-08
- Initial public release
-
10/24/14
- Last update
-
30/8/2022
- Category
-
Poly
Summary
This information would apply only to all Polycom products that incorporate a Bash shell. At this point, Polycom is conducting research to determine the level of vulnerability (if any) for its various products. Such information will be forthcoming. Any information in this bulletin is subject to change. Please Note: This is a living document, updated regularly until any product affected by any of the vulnerabilities in this bulletin has been repaired against that vulnerability.
-
CVE-2014-6271, aka “Shellshock” In all versions of GNU Bash through 4.3, an exploit of environment variable mechanics allows the attacker to bypass or override environmental restrictions and run arbitrary code.
-
CVE-2014-7169 GNU Bash versions 4.3 bash43-025 and prior process environment variable values in a way that allows trailing strings to be added by an attacker, thus allowing the execution of arbitrary code.
Resolution
Insert the Solution section information here.
As fixes become available for a given product, that information will appear in this bulletin in subsequent releases. Polycom will continue updating this bulletin until all fixes are in place. Polycom recommends that users of any Polycom product listed in the table above as being vulnerable update to the “FIXED” version of their product as soon as such a version becomes available.
Affected products
Note that products in this table are the products whose vulnerability status can be spoken to at this time – to the positive or the negative. Products not listed in this chart should be considered under investigation.
|
Product |
Firmware |
Fix |
|---|---|---|
|
CloudAXIS Experience Portal/Service Portal |
|
|
Revision history
This document has been revised according to the following information.
|
Version |
Description |
Date |
|---|---|---|
|
Revision 1.0 |
09/25/14 |
|
|
Revision 1.1 |
09/29/14 |
|
|
Revision 1.5 |
N/A |
|
|
Revision 1.7 |
N/A |
|
Additional information
Follow these links for additional information.
- Third-party security patches
-
Third-party security patches that are to be installed on systems running Poly software products should be applied in accordance with the customer's patch management policy.
- Contact
-
Any customer using an affected system who is concerned about this vulnerability within their deployment should contact Poly Technical Support – (888) 248-4143, (916) 928-7561, or visit the Poly Support Site.
- Security bulletin archive
-
To view released Security Bulletins, visit https://support.hp.com/security-bulletins.
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
Legal information
©2022 Plantronics, Inc. All rights reserved.
TrademarksPoly, the propeller design, and the Poly logo are trademarks of Plantronics, Inc. All other trademarks are property of their respective owners. No portion hereof may be reproduced or transmitted in any form or by any means, for any purpose other than the recipient's personal use, without the express written permission of Poly.
DisclaimerWhile Poly uses reasonable efforts to include accurate and up-to-date information in this document, Poly makes no warranties or representations as to its accuracy. Poly assumes no liability or responsibility for any typographical errors, out of date information, or any errors or omissions in the content of this document. Poly reserves the right to change or update this document at any time. Individuals are solely responsible for verifying that they have and are using the most recent Technical Bulletin.
Limitation of LiabilityPoly and/or its respective suppliers make no representations about the suitability of the information contained in this document for any purpose. Information is provided "as is" without warranty of any kind and is subject to change without notice. The entire risk arising out of its use remains with the recipient. In no event shall Poly and/or its respective suppliers be liable for any direct, consequential, incidental, special, punitive, or other damages whatsoever (including without limitation, damages for loss of business profits, business interruption, or loss of business information), even if Poly has been advised of the possibility of such damages.
Enter a topic to search our knowledge library
What can we help you with?
Need Help?