Messaging Gateway


CVE-2014-6271 - Messaging Gateway Affected?

  • 1.  CVE-2014-6271 - Messaging Gateway Affected?

    Posted Sep 25, 2014 11:48 AM

    As Messaging Gateway is based on RedHat Enterprise Linux, is it affected by CVE-2014-6271?  The bash installed obviously has the flaw, but is it exposed via the SMTP daemon?



  • 2.  RE: CVE-2014-6271 - Messaging Gateway Affected?



  • 3.  RE: CVE-2014-6271 - Messaging Gateway Affected?

    Posted Sep 25, 2014 12:06 PM

    This doesn't mention Messaging Gateway, timelines for Brightmail patches or if it's externally vulnerable.



  • 4.  RE: CVE-2014-6271 - Messaging Gateway Affected?

    Broadcom Employee
    Posted Sep 25, 2014 01:00 PM

    As the blog post states, "While the vulnerability potentially affects any computer running Bash, it can only be exploited by a remote attacker in certain circumstances." The Messaging Gateway does not have any of these attack vectors exposed, so it is doubtful that this is an issue that can affect it. We don't currently have any statements on when this will be patched.



  • 5.  RE: CVE-2014-6271 - Messaging Gateway Affected?

    Posted Sep 26, 2014 04:38 AM

    "Thumbs up" to TSE-JDavis.

    On the general subject of this vulnerability.... here is a two-minute video, highly recommended:

    Shellshock: A High Level Overview of the Bash Bug Vulnerability
    https://www.youtube.com/watch?v=XIsUWwJaOeU&feature=youtu.be

    "Jonathan Omansky - Director, Security Response Operations, talks at a high level about the "ShellShock" or "Bash Bug" vulnerability. Jonathan discusses what it is, what the Bash vulnerability could allow and what can you need to do if you are running a system that is vulnerable."

    With thanks and best regards,

    Mick



  • 6.  RE: CVE-2014-6271 - Messaging Gateway Affected?

    Posted Sep 26, 2014 08:43 AM

    What about the possibility of crafting special SMTP data that could leverage the vulnerability?



  • 7.  RE: CVE-2014-6271 - Messaging Gateway Affected?

    Posted Sep 26, 2014 11:00 AM

    So the Messaging Gateway is vulnerable, or no? My customer bought a Messaging Gateway, not a RedHat Linux. They want to know: will Symantec make a patch? Do they need to do something now?


  • 8.  RE: CVE-2014-6271 - Messaging Gateway Affected?

    Posted Oct 01, 2014 05:33 AM

    10.5.2-3 seems to be affected:

    [support@smg ~]$ env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
    vulnerable
    bash: BASH_FUNC_x(): line 0: syntax error near unexpected token `)'
    bash: BASH_FUNC_x(): line 0: `BASH_FUNC_x() () { :;}; echo vulnerable'
    bash: error importing function definition for `BASH_FUNC_x'
    test
    [support@smg ~]$
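
The check from post 8, wrapped as an added example that is not part of the original thread: `run_probe` runs the same command against a chosen bash binary, and `classify_probe` turns its output into a verdict. The function names, the `patched_output` sample and the verdict format are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread: classify the output of the post-8 probe.

# Output copied from post 8 (SMG 10.5.2-3).
post8_output() {
cat <<'EOF'
vulnerable
bash: BASH_FUNC_x(): line 0: syntax error near unexpected token `)'
bash: BASH_FUNC_x(): line 0: `BASH_FUNC_x() () { :;}; echo vulnerable'
bash: error importing function definition for `BASH_FUNC_x'
test
EOF
}

# Constructed sample: a bash that does not run the trailing command.
patched_output() { printf 'test\n'; }

# Run the same probe as post 8 against one bash binary, in an empty
# environment so inherited variables cannot influence the result.
run_probe() {
  env -i 'x=() { :;}; echo vulnerable' \
         'BASH_FUNC_x()=() { :;}; echo vulnerable' \
         "${1:-/bin/bash}" -c 'echo test' 2>&1
}

# Read probe output on stdin and print "<verdict> trailing=N rejected=M".
#   trailing: times the command after the function body was executed
#   rejected: function imports that bash refused with an error
classify_probe() {
  trailing=0 rejected=0 finished=0
  while IFS= read -r line; do
    case $line in
      vulnerable) trailing=$((trailing + 1)) ;;
      *"error importing function definition"*) rejected=$((rejected + 1)) ;;
      test) finished=1 ;;
    esac
  done
  # Without the final "test" line the probe never completed.
  if [ "$finished" -eq 0 ]; then verdict=inconclusive
  elif [ "$trailing" -gt 0 ]; then verdict=vulnerable
  else verdict=not-vulnerable
  fi
  echo "$verdict trailing=$trailing rejected=$rejected"
}

# Verdict for the output posted in the thread.
post8_output | classify_probe
```

To check a host, pipe `run_probe /bin/bash` into `classify_probe`; a verdict of `vulnerable` says the installed bash has the flaw, not that a remote path to it exists.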

     



  • 9.  RE: CVE-2014-6271 - Messaging Gateway Affected?

    Posted Oct 01, 2014 09:59 AM

    This situation regarding the "Shellshock" family of bash flaws is very fluid right now and there is still research being done on the breadth and impact of these flaws. As such, patches/updates that have come out have been insufficient and require new patches/updates; so the question of whether or not something has been patched becomes a bit confusing.

    On top of the patch confusion, as mentioned earlier, being vulnerable to these flaws does not mean that the flaws are exploitable. At the base of it, taking advantage of these flaws as a basic Linux user account will provide no more access than that user already has.

    If there are any questions regarding the impact of the "Shellshock" family of vulnerabilities on Symantec Messaging Gateway, please open a case with support for the latest information.



  • 10.  RE: CVE-2014-6271 - Messaging Gateway Affected?

    Posted Dec 18, 2014 08:09 AM

    Is there a new patch or update available to fix Shellshock for the SMG?



  • 11.  RE: CVE-2014-6271 - Messaging Gateway Affected?

    Broadcom Employee
    Posted Dec 18, 2014 08:16 AM



    This issue has been addressed in Symantec Messaging Gateway version 10.5.3



  • 12.  RE: CVE-2014-6271 - Messaging Gateway Affected?

    Posted Dec 18, 2014 08:46 AM

    Thanks



  • 13.  RE: CVE-2014-6271 - Messaging Gateway Affected?

    Posted Feb 26, 2015 12:20 AM

    Hi Davis,

     

    Quick check if there's any KB created or notification sent to customer for this.

     

    Thanks