Shellshock is forcing companies to assess the potential impact on their products, and Cisco has compiled a list of 31 products vulnerable to the bug.
On its list of devices that can be abused through the flaw in Bash, Cisco included products for network protection, connection routing, network management, voice and unified communications, as well as devices for collaboration and for media content delivery and encoding.
Among them are Cisco IronPort Encryption Appliance, Cisco GSS 4492R Global Site Selector, Cisco Mobility Services Engine, Cisco ACE Application Control Engine Module for the Cisco Catalyst 6500, Cisco Finesse, MediaSense, and Cisco TelePresence Serial Gateway Series.
Cisco's product line is still under review to determine which other solutions could be affected by the bug.
Cisco assessed the Bash bug's severity for its own products using the Common Vulnerability Scoring System (CVSS) and assigned a base score of 7.5, because the impact on its products is only partial.
The generic CVSS score for Shellshock itself, by contrast, is 10 out of 10: the bug gets maximum points for complete impact on a system and easy exploitation (network-reachable, low complexity, no authentication required, complete loss of confidentiality, integrity and availability). Vendor scores differ from that figure because they rate the exposure of a specific product, not the bug in isolation.
“The impact of this vulnerability on Cisco products varies depending on the affected product. Successful exploitation of the vulnerability may allow an unauthenticated attacker to run commands from the Bash shell,” Cisco said in a security advisory.
Software updates that mitigate the risk of compromise through Shellshock are available from the company; customers should check with their maintenance providers for compatibility issues before deploying the fixes.
Oracle is also facing trouble from Shellshock; it initially listed 32 of its products as vulnerable to the bug. Since then the company has revised the list, adding newly identified affected products and also adding entries to the list of products for which a patch is available.
Shellshock was disclosed on September 24, 2014, and some industry researchers believe it could be a bigger problem than Heartbleed.
Applying the latest patches from the distribution or vendor should be a priority for anyone running a vulnerable version of the Bash command interpreter, on Linux or any other system that ships it. Several successive fixes were developed and delivered to customers through updates because the first patch, for the original bug (CVE-2014-6271), was incomplete and left room for other exploitation methods; the first bypass was tracked as CVE-2014-7169. The bug is reachable wherever attacker-controlled input ends up in environment variables handed to Bash, web server CGI handlers being the best-known path, so a patched Bash should be verified against both the original bug and the bypass rather than assumed fixed after a single update.
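The verification step described above, as an added example that is not part of the original article: a POSIX shell function (the name `check_shellshock` and its exit-code convention are this example's own) that probes a Bash binary with the public test strings for the original bug (CVE-2014-6271) and for the bypass of the first, incomplete fix (CVE-2014-7169). A system that passes only the first test has had the first patch and still needs the later ones.

```shell
#!/bin/sh
# Added example, not from the article or from any vendor advisory.
# check_shellshock [path-to-bash]
#   Exit status: 0 = both probes pass (patched), 1 = at least one probe
#   shows the bug, 2 = no usable bash binary / scratch directory.

check_shellshock() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no bash binary found at '$bash_bin'"
        return 2
    fi
    vuln=0

    # Probe 1 (CVE-2014-6271): a function definition exported through the
    # environment with trailing commands. A vulnerable bash executes
    # "echo VULN6271" while importing the variable, before it ever runs the
    # -c command, so the marker shows up in the captured output.
    out=$(env x='() { :;}; echo VULN6271' "$bash_bin" -c 'true' 2>/dev/null) || true
    case "$out" in
        *VULN6271*) echo "CVE-2014-6271: vulnerable"; vuln=1 ;;
        *)          echo "CVE-2014-6271: not vulnerable" ;;
    esac

    # Probe 2 (CVE-2014-7169): the parser bug left behind by the first patch.
    # On an affected bash the stray redirection token ">\" carries over into
    # the -c command, so "echo hi" becomes a write to a file literally named
    # "echo" in the current directory. Run the probe in a scratch directory
    # and look for that file afterwards.
    scratch=$(mktemp -d) || { echo "cannot create scratch directory"; return 2; }
    ( cd "$scratch" && env X='() { (a)=>\' "$bash_bin" -c 'echo hi' >/dev/null 2>&1 ) || true
    if [ -e "$scratch/echo" ]; then
        echo "CVE-2014-7169: vulnerable (stray file created in $scratch)"
        vuln=1
    else
        echo "CVE-2014-7169: not vulnerable"
    fi
    rm -rf "$scratch"

    return "$vuln"
}

# Probe the default bash (or the path given as the first argument).
check_shellshock "$@"
```

Run it against every Bash binary on the host, not just the one in `$PATH`: appliances and bundled products frequently ship their own copy (for example under a vendor-specific prefix), and that copy is the one a CGI handler or management daemon actually executes.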