Lucene search

K
ibmIBM2C836F9CF112063B46AB27968F0F45F13141F45BAA0BB984E47B1D31ECA4B374
HistoryJun 16, 2018 - 9:59 p.m.

Security Bulletin: IBM Security Network Protection is affected by Vulnerabilities in GNU Bash

2018-06-1621:59:32
www.ibm.com
26

EPSS

0.016

Percentile

87.3%

Summary

Security vulnerabilities have been discovered in GNU Bash, which is used by IBM Security Network Protection. IBM Security Network Protection has addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2016-0634**
DESCRIPTION:** GNU Bash could allow a local attacker to execute arbitrary code on the system, caused by an error related to the expansion of the $HOSTNAME. By injecting the hostname with malicious code, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 4.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/121373 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2016-7543**
DESCRIPTION:** GNU Bash could allow a local attacker to execute arbitrary commands on the system. An attacker could exploit this vulnerability using specially crafted SHELLOPTS and PS4 variables to execute arbitrary commands on the system with root privileges.
CVSS Base Score: 8.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/121372 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2016-9401**
DESCRIPTION:** GNU Bash could allow a local attacker to bypass security restrictions, caused by a use-after-free error. An attacker could exploit this vulnerability using a specially crafted address to bypass the restricted shell.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/122314 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

IBM Security Network Protection 5.3.1
IBM Security Network Protection 5.3.3

Remediation/Fixes

Product

| VRMF| Remediation/First Fix
—|—|—
IBM Security Network Protection| Firmware version 5.3.1| Download Firmware 5.3.1.14 from IBM Security License Key and Download Center and upload and install via the Available Updates page of the Local Management Interface.
IBM Security Network Protection| Firmware version 5.3.3| Download Firmware 5.3.3.4 from IBM Security License Key and Download Center and upload and install via the Available Updates page of the Local Management Interface.

Workarounds and Mitigations

None