October 10, 2014
VITEC Mitigation for Bash Vulnerability Shellshock
On September 24, 2014, details of a major vulnerability in the widely used Bourne Again Shell
(Bash) were announced by multiple Linux vendors. The vulnerability, labeled by MITRE with the
codes CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186,
and CVE-2014-7187, exists in most publicly available versions of Bash and is related to the way
environment variables are processed when the shell starts up.

Variables of this type are used for storing pieces of information such as the location of the
user's home directory, but they also allow shell functions to be stored in variables that users
can later invoke. The vulnerability lies in the parsing of these functions: the shell mistakenly
executes code that is added after a function definition, a process during which the system or
information stored in the system may get compromised.

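The script below is an added example, not part of VITEC's advisory or product code: it classifies environment values that use the `() {` function encoding and probes a local Bash binary for the behavior described above. The function names, marker string and sample values are constructed for illustration, and the probe covers CVE-2014-6271 only, not the other listed CVEs.

```sh
#!/bin/sh
# Added example (not VITEC code): defensive checks for CVE-2014-6271.

# Classify an environment value as "plain", "function" (only a function
# definition in the "() { ... }" encoding) or "function+trailing" (text
# follows the function body, which a vulnerable Bash runs at startup).
# Heuristic: braces are counted without understanding shell quoting.
classify_env_value() {
    case $1 in
        '() {'*) ;;
        *) echo plain; return 0 ;;
    esac
    rest=$1
    depth=0
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}   # first character
        rest=${rest#?}          # everything after it
        case $c in
            '{') depth=$((depth + 1)) ;;
            '}') depth=$((depth - 1))
                 if [ "$depth" -eq 0 ]; then break; fi ;;
        esac
    done
    # Separators after the body are harmless; anything else is trailing text.
    rest=$(printf '%s' "$rest" | tr -d ' \t\n;')
    if [ -n "$rest" ]; then echo function+trailing; else echo function; fi
}

# Probe a Bash binary with a function definition followed by a harmless echo.
# Returns 0 if the echo ran at startup (vulnerable), 1 if it did not,
# 2 if the binary cannot be executed.
bash_runs_trailing_code() {
    bash_bin=${1:-bash}
    command -v "$bash_bin" >/dev/null 2>&1 || return 2
    marker=trailing_code_ran
    out=$(env probe="() { :; }; echo $marker" "$bash_bin" -c ':' 2>/dev/null || true)
    [ "$out" = "$marker" ]
}

# Constructed sample values, not taken from any real system.
for v in '/home/user' '() { :; }' '() { :; }; echo x'; do
    printf '%-20s -> %s\n' "$v" "$(classify_env_value "$v")"
done
if bash_runs_trailing_code; then
    echo "bash: trailing code ran (vulnerable to CVE-2014-6271)"
else
    echo "bash: trailing code did not run, or bash was not found"
fi
```

A clean result from the probe does not rule out the later parser issues in the CVE list, so the installed Bash package version should still be compared against the vendor's fixed release.
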
VITEC conducted a comprehensive review of the implications of this vulnerability on its products
running a Linux operating system. While most of our products were confirmed to be unaffected
by this new discovery, several of our products were found to include a vulnerable version of
Bash. Appendix A details these findings.

VITEC is committed to maintaining its products in accordance with the highest security standards
and to providing a resolution for any major vulnerability in the form of a critical update. We
are working hard on a maintenance release that includes a fix for the vulnerability, to be provided
at no charge as part of the Silver, Gold or Platinum support contracts.

For more information about the effect of the Bash vulnerability on VITEC/Optibase products on
your network, and about the process of updating your specific version of IPTV systems, please
contact the VITEC Support Team at http://www.vitec.com/support/support-portal

Regards,
Eli Garten
VP Product Management
VITEC
http://www.vitec.com
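
Appendix A

| Category | Product | Vulnerable | Status |
|---|---|---|---|
| Blade Systems | MGW 1000 | No | No action required |
| Blade Systems | MGW 1100 | No | No action required |
| Blade Systems | MGW 5100 | No | No action required |
| Blade Systems | MGW Prism | No | No action required |
| Blade Systems | MGW Transcoder | No | No action required |
| Blade Systems | Cluster Manager Server | No | No action required |
| Blade Systems | MGES 5200 MPEG-2 Blade | No | No action required |
| Blade Systems | MGES 5610 H.264 SD Blade | No | No action required |
| Blade Systems | MGES 6000 H.264 HD/SD Blade | No | No action required |
| Portable Encoders and Decoders | MGW Micro | No | No action required |
| Portable Encoders and Decoders | MGW Pico | No | No action required |
| Portable Encoders and Decoders | MGW Nano | No | No action required |
| Portable Encoders and Decoders | MGW Nano TOUGH | No | No action required |
| Portable Encoders and Decoders | MGW Premium Encoder | No | No action required |
| Portable Encoders and Decoders | MGW Premium Decoder | No | No action required |
| Portable Encoders and Decoders | MGW Sprint Encoder | No | No action required |
| Portable Encoders and Decoders | MGW Sprint Decoder | No | No action required |
| Portable Encoders and Decoders | MGW 200 | No | No action required |
| Portable Encoders and Decoders | MGW 230 | No | No action required |
| Portable Encoders and Decoders | MGW 240 | No | No action required |
| Portable Encoders and Decoders | MGW Alpha | No | No action required |
| Portable Encoders and Decoders | MGW D265 | No | No action required |
| Portable Encoders and Decoders | Amino 125 STB (VITEC firmware) | No | No action required |
| Portable Encoders and Decoders | Amino 130 STB (VITEC firmware) | No | No action required |
| Portable Encoders and Decoders | Amino 140 STB (VITEC firmware) | No | No action required |
| Portable Encoders and Decoders | Amino 140H STB (VITEC firmware) | No | No action required |
| Video Distribution and Management | EZ TV Portal Server | No | No action required |
| Video Distribution and Management | EZ TV VOD Server | Yes | Apply Critical Update |
| Video Distribution and Management | EZ TV VOD Pro Server | Yes | Apply Critical Update |
| Video Distribution and Management | EZ TV VOD RTSP Server | Yes | Apply Critical Update |
| Video Distribution and Management | EZ TV VOD RTSP Pro Server | Yes | Apply Critical Update |
| Video Distribution and Management | EZ TV VOD RTSP NG Server | Yes | Apply Critical Update |
| Video Distribution and Management | Proxsys MAM | Yes | Apply Critical Update |
| Video Distribution and Management | Monisys MAM | Yes | Apply Critical Update |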