Bash "Shell Shock Vulnerability" in the Dell Data Protection Virtual Edition

Summary: This article provides information about the Shellshock Bash bug (CVE-2014-6271) security vulnerability and how it affects the Dell Data Protection | Virtual Edition software.


Symptoms

Affected Products:

  • Dell Data Protection | Virtual Edition

Affected Versions:

  • v9.2 and Earlier

Test for this vulnerability by running the following command from a bash shell prompt:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the word vulnerable appears in the output, then the machine is vulnerable to the exploit.

Even with the vulnerability, an attacker must be able to access a specific port on the VE server to use the exploit.

It is a best practice that the Dell Data Protection | Virtual Edition server not be Internet facing; use the proxy services for Internet-facing requirements instead.

If Dell Data Protection | Virtual Edition is not Internet facing, the Shellshock issue cannot be exploited from outside the organization.

Cause

Older versions of Dell Data Protection | Virtual Edition are susceptible to an exploit in the bash shell described in Ubuntu Security Notice USN-2362-1, commonly referenced as the Shell Shock Vulnerability.

Issue Parameters:

  • The Dell Data Protection | Virtual Edition console and SSH server use the bash shell, which can be exploited by passing trailing code to a bash shell and gaining unauthorized access to the command environment.
  • This vulnerability is not present in the Dell Data Protection | Encryption Pre-Boot Authentication (PBA) software, such as Self-Encrypting Drive (SED) management or Hardware Encryption Accelerator (HCA), used for authenticating clients.

Resolution

The issue has been resolved in Dell Data Protection | Virtual Edition v9.3 and later.

To correct this issue:

  1. Open the Virtual Edition remote desktop console.
  2. Choose the Launch Shell option from the Main Menu and follow these steps:
  3. Type the command: su ddpsupport
  4. Press the Enter key.
  5. When prompted, enter the password set for the ddpsupport user.
  6. The prompt updates to one that starts with ddpsupport@.
  7. Type the command: sudo apt-get update
    • This command contacts the Ubuntu update servers using the Internet and requests the relevant updates required.
  8. Type the command: sudo apt-get install bash

After the update is complete, confirm that the update resolved the vulnerability by testing again.

Note: Confirm that the word vulnerable is not in the output of the command: env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
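The test, update, and retest steps above can be checked by exit status instead of by eye. The script below is an added example, not Dell's tooling; the function names shellshock_check and shellshock_report are hypothetical, and the dpkg-query call assumes an Ubuntu-based appliance as the apt-get steps imply.

```shell
#!/bin/sh
# Added example (not Dell's code): wraps the article's CVE-2014-6271 probe so
# the verdict is an exit status that can be compared before and after patching.

# shellshock_check BASH_PATH -> 0 not vulnerable, 1 vulnerable, 2 inconclusive
shellshock_check() {
    # Resolve bare names such as "bash" through PATH; reject anything missing.
    ss_path=$(command -v "$1" 2>/dev/null) || return 2
    [ -x "$ss_path" ] || return 2

    # The article's probe. A vulnerable bash runs the code that trails the
    # function definition while importing the environment variable x.
    ss_out=$(env x='() { :;}; echo vulnerable' "$ss_path" -c "echo this is a test" 2>/dev/null)

    # The control line must appear; otherwise the shell never ran the command
    # and a missing marker would prove nothing.
    printf '%s\n' "$ss_out" | grep -qx 'this is a test' || return 2

    # Match the marker as a whole line so the control line cannot satisfy it.
    if printf '%s\n' "$ss_out" | grep -qx 'vulnerable'; then
        return 1
    fi
    return 0
}

# shellshock_report BASH_PATH: prints a one-line verdict for a change record.
shellshock_report() {
    ss_rc=0
    shellshock_check "$1" || ss_rc=$?
    case $ss_rc in
        0) ss_msg="not vulnerable" ;;
        1) ss_msg="VULNERABLE" ;;
        *) ss_msg="inconclusive (not found or probe did not run)" ;;
    esac
    # On Ubuntu, record the installed package version next to the verdict.
    ss_ver=""
    if command -v dpkg-query >/dev/null 2>&1; then
        ss_ver=$(dpkg-query -W -f='${Version}' bash 2>/dev/null)
    fi
    printf '%s: %s%s\n' "$1" "$ss_msg" "${ss_ver:+ (bash package $ss_ver)}"
    return "$ss_rc"
}

# Run directly: sh shellshock_check.sh [path-to-bash]
shellshock_report "${1:-bash}" || true
```

Run it once before step 7 and once after step 8; the verdict should change from VULNERABLE to not vulnerable and the package version should differ.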

To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.

Additional Information

More Reference Material

CVE-2014-6271 on the NIST website

Affected Products

Dell Encryption
Article Properties
Article Number: 000129498
Article Type: Solution
Last Modified: 13 Sep 2023
Version: 9