IP OFFICE IP/VPN Sets and BASH Virus

[fedphone]

customer is asking me if his IP OFFICE and/or the IP/VPN sets are vunerable to the BASH Virus....

im wanting to say NO - but that nagging voices says "check with someone"

I would say that since we are behind the FW - we are as vunerable as anything else behind hte FW

What say you?

 

[intrigrant]

It is not a virus, it is a leak in the Linux Bash shell and no, the phones itself do not have that problem because they don't have a Bash shell.
If the VPN server is Linux based and the shell is accessible from the internet then I don't know, depends on the activated commands in the shell.

 

[sizbut]

Wait. The sheer range of Linux based server products Avaya has means that it would be pointless

Stuck in a never ending cycle of file copying.

 

[intrigrant]

pointless?? what?
Check the OS manufacturer i.e. Red Hat or CentOS sites for patches or solutions on this.
Red Hat discovered the problem so at least they must have a update for it.

 

[sizbut]

Sorry, hit return at the wrong time and then got lost looking at other sites!

...pointless looking for actual vulnerabilities on any particular product and quicker to just assume that any Linux based server needs patching when the patch is released.

The CERT site list Avaya as having been officially informed of the problem on the 25th.

Stuck in a never ending cycle of file copying.