Posted on September 26, 2014 2:41 pm
 |  Asked by Christopher Cupples
 |  3773 views
RESOLVED

Reference:

Arista# show version | include image
Software image version: 4.12.8.1
Arista# show version detail | include bash 
bash 4.1.7 4.fc14 
Arista# bash env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
Posted by Andrei Dvornic
Answered on September 26, 2014 3:16 pm

Hi Christopher,

We are very much aware of this issue and we will issue a security advisory very soon at https://www.arista.com/en/support/security-advisories. Thank you for your patience!

Posted by Mark Berly
Answered on September 30, 2014 8:31 pm

The formal advisory as well as information on how to mitigate this issue in Arista EOS is now formally posted at:

https://www.arista.com/en/support/security-advisories/1008-security-advisory-0006

Shell command Bash code injection vulnerability (CVE-2014-6271, CVE-2014-6278, and CVE-2014-7169)

On September 24th, Arista became aware of a vulnerability affecting all versions of the bash package shipped with Arista EOS. The bash code injection vulnerability could allow for arbitrary code execution, allowing an attacker to gain shell access.

Arista switches are only vulnerable to administrators with current access to the switch CLI. The switch is not vulnerable to remote attack.

A software patch (RPM extension) is available for download. In addition, currently supported versions of EOS will receive an updated version with the fixes for this vulnerability. Currently supported versions of EOS include 4.9 through 4.14.

Please see the full advisory for further details: https://www.arista.com/en/support/security-advisories/1008-security-advisory-0006
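
To confirm the result after the patch is installed, the check from the question can be wrapped in a small script that reports a status per bash binary. This is an added example, not part of the original posts or of Arista's advisory; the function names and the marker string are hypothetical, and it covers only the environment-variable test shown in the question (CVE-2014-6271), not CVE-2014-6278 or CVE-2014-7169.

```shell
#!/bin/sh
# Added example (not Arista's code): re-run the check from the question
# against one or more bash binaries and report the result for each.

# check_bash PATH
# Prints "vulnerable", "patched", "missing" or "error".
# Returns 0 only when the binary ignores the trailing command.
check_bash() {
    bash_bin=$1
    [ -x "$bash_bin" ] || { echo "missing"; return 2; }
    # Constructed marker, so the result does not depend on fixed output text.
    marker="CHECK_$$"
    # Same shape as the test in the question: a function definition in an
    # environment variable, followed by a trailing harmless echo.
    out=$(env x="() { :;}; echo $marker" "$bash_bin" -c 'echo done' 2>/dev/null)
    case $out in
        *"$marker"*) echo "vulnerable"; return 1 ;;  # trailing command ran
        *done*)      echo "patched";    return 0 ;;  # only the -c command ran
        *)           echo "error";      return 3 ;;  # binary did not behave like bash
    esac
}

# audit_bash PATH...
# Prints one "path: result" line per argument.
# Returns 1 if any binary is vulnerable or could not be checked.
audit_bash() {
    rc=0
    for b in "$@"; do
        result=$(check_bash "$b") || true
        printf '%s: %s\n' "$b" "$result"
        [ "$result" = "patched" ] || [ "$result" = "missing" ] || rc=1
    done
    return $rc
}

# Stand-alone use: sh check.sh /bin/bash /usr/bin/bash
if [ "$#" -gt 0 ]; then
    audit_bash "$@"
fi
```

Run it once before and once after installing the fix; a binary that still reports "vulnerable" is not the patched package.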
