BASH Bug (a.k.a. ‘Shellshock Bug’) Vulnerability Tested on eMerge e3 Series

MikeLaurel | November 5, 2014
Technical Bulletins

The Bash Bug / Shellshock Bug is a vulnerability that potentially affects most versions of the Linux® and Unix® operating systems, and can have an adverse effect on some versions of Linux and UNIX that utilize the Bash programming component.

Linear’s e3-Series eMerge system, which utilizes an embedded Linux operating system for its access control system and modules, has been tested for this vulnerability and determined not to be at risk from the Bash Bug / Shellshock Bug, for the following reasons:

  • The e3-Series eMerge runs an embedded version of Linux that does not use Bash, but instead uses BusyBox. Devices running BusyBox have been cleared as not vulnerable to the Bash Bug / Shellshock Bug.
  • Additionally, Linear has performed tests on its e3-Series eMerge to check for vulnerability to the Bash Bug / Shellshock Bug using a script designed specifically for this purpose by Red Hat®, and the test validated that the e3-Series is not susceptible to this bug. (Red Hat is the developer of the Linux open source operating system.)

Additional Technical Information

The following is a link to a script from Red Hat for evaluating Bash Bug / Shellshock Bug vulnerability:

Additional information about the Bash Bug / Shellshock Bug can be found on Symantec’s website. Below are a few excerpts that pertain to the Bash Bug / Shellshock Bug and the Linear e3-Series eMerge Access Control system:

  • “The vulnerability affects Bash, a common component known as a shell that appears in many versions of Linux and UNIX. Bash acts as a command language interpreter. In other words, it allows the user to type commands into a simple text-based window, which the operating system will then run.”
  • “For a successful attack to occur, an attacker needs to force an application to send a malicious environment variable to Bash.”
  • “…many newer devices run a set of tools called BusyBox which offers an alternative to Bash. Devices running BusyBox are not vulnerable to the Bash Bug.”
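The two checks this bulletin relies on (which shell a device actually runs, and whether that shell executes a command trailing a function definition in an environment variable) can be reproduced locally with a short POSIX sh script. This is an added example, not the Red Hat script referenced above and not Linear's test procedure; the function names, the marker string and the default list of shell paths are assumptions.

```shell
#!/bin/sh
# Added example: local Bash/BusyBox exposure check for a Linux device.
# Runs under any POSIX sh, including BusyBox ash.

MARKER="env-code-ran"   # constructed marker string (assumption)

# Print what a shell path really is: bash, busybox, other or missing.
shell_kind() {
    target=$1
    [ -x "$target" ] || { echo missing; return; }
    # Follow symlinks such as /bin/sh -> busybox when readlink -f exists.
    real=$(readlink -f "$target" 2>/dev/null) || real=$target
    case "$(basename "$real")" in
        bash*)    echo bash ;;
        busybox*) echo busybox ;;
        *)        echo other ;;
    esac
}

# Start the shell with an environment variable holding a function
# definition followed by a trailing command. An unaffected shell ignores
# the trailing command; an affected Bash runs it while importing the
# variable, so the marker shows up in the output.
env_import_check() {
    shell=$1
    [ -x "$shell" ] || { echo missing; return; }
    out=$(env probe="() { :;}; echo $MARKER" "$shell" -c 'echo done' 2>/dev/null) || true
    case "$out" in
        *"$MARKER"*) echo vulnerable ;;
        *)           echo not-vulnerable ;;
    esac
}

# Report on the usual shell paths (hypothetical default list).
audit_shells() {
    for s in /bin/sh /bin/ash /bin/bash; do
        printf '%s kind=%s check=%s\n' "$s" "$(shell_kind "$s")" "$(env_import_check "$s")"
    done
}

audit_shells
```

Run it on the device itself; on an image that ships only BusyBox, the `/bin/bash` line reports `missing`.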

Reference: about-bash-bug-vulnerability

PDF: TB2014-005