File Share Encryption


When will Symantec patch for Shellshock?

  • 1.  When will Symantec patch for Shellshock?

    Posted Sep 25, 2014 12:05 PM

    So all SEMS are affected by the Shellshock vulnerability as noted here: http://seclists.org/oss-sec/2014/q3/650

    Any news on when Symantec will release a hotfix to patch bash?

     

     



  • 2.  RE: When will Symantec patch for Shellshock?

    Posted Sep 25, 2014 12:47 PM

    Engineering and Security are working on it, and I will try to update this thread as soon as I know more.

    Security released the following blog post as well, which will be updated with more information as it becomes available:
    http://www.symantec.com/connect/blogs/shellshock-all-you-need-know-about-bash-bug-vulnerability



  • 3.  RE: When will Symantec patch for Shellshock?

    Broadcom Employee
    Posted Sep 26, 2014 03:36 AM

    We are still awaiting the official information related to Shellshock. Currently the BASH code version used by SEMS is vulnerable; however, the server is NOT vulnerable, as there is no unauthenticated remote exploitation possible.



  • 4.  RE: When will Symantec patch for Shellshock?

    Posted Sep 26, 2014 04:00 AM

    For a short-term fix you should be able to install the rpm from CentOS manually, by SSHing into the server and transferring the rpm by SCP.

    Source: http://mirror.centos.org/centos/5/updates/i386/RPMS/bash-3.2-33.el5.1.i386.rpm

     



  • 5.  RE: When will Symantec patch for Shellshock?

    Posted Sep 26, 2014 04:35 AM

    On the subject of CVE-2014-6271..... here is a two-minute video, highly recommended:

    Shellshock: A High Level Overview of the Bash Bug Vulnerability
    https://www.youtube.com/watch?v=XIsUWwJaOeU&feature=youtu.be

    "Jonathan Omansky - Director, Security Response Operations, talks at a high level about the "ShellShock" or "Bash Bug" vulnerability. Jonathan discusses what it is, what the Bash vulnerability could allow and what you need to do if you are running a system that is vulnerable."

     

    With thanks and best regards,

    Mick



  • 6.  RE: When will Symantec patch for Shellshock?
    Best Answer

    Posted Sep 26, 2014 05:19 PM

    Hi Alex and all,

    None of the Symantec Encryption products are vulnerable to the BASH ("ShellShock") vulnerability. There is now an external KB article that is available publicly. See http://www.symantec.com/docs/TECH225009.

    If you have any questions, please let me know.

    Thanks!
    ...sue

    Manager, Info Dev
    Symantec Corp



  • 7.  RE: When will Symantec patch for Shellshock?

    Posted Sep 26, 2014 06:05 PM

    Is it true that the servers are NOT vulnerable? Even through the web management interface with a modified user agent header?



  • 8.  RE: When will Symantec patch for Shellshock?

    Posted Sep 26, 2014 06:12 PM

    See the KB article that I posted below. The servers are not vulnerable. Access to the server requires authentication.

    Thanks!
    ...sue



  • 9.  RE: When will Symantec patch for Shellshock?

    Posted Sep 26, 2014 06:12 PM


  • 10.  RE: When will Symantec patch for Shellshock?

    Posted Sep 29, 2014 11:58 AM

    I believe if you do this manually yourself you will void your warranty and maintenance contract. Please check with your administrators and Symantec support personnel before attempting to apply any updates yourself.

     

    Thanks!

    ...sue



  • 11.  RE: When will Symantec patch for Shellshock?

    Posted Sep 30, 2014 01:36 PM

    To keep you all updated... There are three new CVE vulnerabilities identified with regards to the BASH/ShellShock vulnerability, and the Symantec Encryption Management Server is still NOT vulnerable. The KB article has been updated with their references (see http://www.symantec.com/docs/TECH225009). The four CVE numbers are:

    CVE-2014-6271
    CVE-2014-6277
    CVE-2014-6278
    CVE-2014-7169
     

    Thanks!
    ...sue



  • 12.  RE: When will Symantec patch for Shellshock?

    Posted Oct 09, 2014 03:12 PM

    These answers are not confirming or laying out much of anything. Specifically once again, is the Symantec Messaging Gateway affected? When will a patch be released if it is? The answer of "it's being researched" has been up for weeks. Most of our other vendors have been very forthcoming about it: either it is, it isn't, or it may be and we are working on it (with updates to show that). These feel stagnant, old and very much lazy.


    Can you provide a list of things affected and things not, like many other vendors have had to do? I'm sure it's work, but it's required with this sort of thing in the wild and when running appliances which everyone knows are running a .nix flavor. It should be a pretty easy "yes, it is affected by the bug but we aren't sure of the scope, and here's a patch or workaround if you aren't certain just how it might be affected." Come on guys, let's get some useful information out there.