Kerio Software affected by ShellShock, if running on Linux please update your OS

Summary

The Shellshock vulnerability (CVE-2014-6271 and CVE-2014-7169) is a security bug affecting Unix-like operating systems through the Bash shell. Many Linux distributions and Mac OS X include the affected GNU Bash version. An attacker can exploit the vulnerability via remote shell access, or through any application that may execute Bash scripts. The vulnerability could allow a remote attacker to execute arbitrary code.

Impact on Kerio Products

Kerio Control does not include the Bourne-Again shell (Bash) and is not affected by this vulnerability. All Linux systems in the Samepage infrastructure are up to date and are not vulnerable. Kerio Operator (all editions) and Kerio Connect Virtual Appliance include the affected Bash version within the underlying operating system. However, they do not pass user-supplied data into the Bash environment and therefore cannot be misused by an attacker.

Next Steps

Samepage

No action necessary. All Linux systems in the Samepage infrastructure are up to date.

Kerio Control (All Editions / Versions)

No action necessary. The affected Bourne-Again shell (Bash) is not implemented in Kerio Control.

Kerio Operator (Virtual Appliance, Software Appliance, and Box Editions)

Operator (up to version 2.3.2) has the affected Bash shell, and the vulnerability is exploitable via DHCP if the attacker has access to the local network. We will release a patch version early next week (i.e. the week starting 2014-09-29).

Kerio Connect (Virtual Appliance, Linux, and Mac OS X)

We recommend installing the appropriate operating system updates to fix this vulnerability at the operating system level. This is highly encouraged if other services run on the same server (besides Kerio Connect). This applies to all Linux and Mac OS X distributions. Use the default updating mechanism of your operating system to get the latest updates. Make sure you are running the latest distribution version, which receives a security update for this vulnerability. For Debian and Ubuntu use the “sudo apt-get update” and “sudo apt-get upgrade” commands; for CentOS use “sudo yum update”. Users with Kerio Connect Virtual Appliance may need to modify the server configuration to get the latest updates (see below). On OS X use the default “Software Update” application.
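The following POSIX sh script is an added example, not part of the Kerio advisory: it runs the widely published CVE-2014-6271 self-test against the local Bash (a patched Bash ignores the command that trails an exported function definition) and prints the update command the advisory gives for the detected platform. The distribution-detection files (/etc/debian_version, /etc/redhat-release) are assumptions about typical installs, not something the advisory states.

```shell
#!/bin/sh
# Report whether the local bash still imports a trailing command from an
# environment variable (CVE-2014-6271). Prints one of:
#   patched     - bash ignored the trailing command
#   vulnerable  - bash executed the trailing command
#   no-bash     - bash is not installed (e.g. Kerio Control has no Bash)
shellshock_status() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    # Constructed probe: a function body followed by an extra command.
    # A fixed bash only defines the function; an unfixed one also runs
    # the "echo VULNERABLE" part while importing the variable.
    out=$(env x='() { :;}; echo VULNERABLE' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# Map the platform to the update step the advisory lists for it.
# The marker files used for detection are an assumption for this example.
update_command() {
    if [ -f /etc/debian_version ]; then
        echo "sudo apt-get update && sudo apt-get upgrade"
    elif [ -f /etc/redhat-release ]; then
        echo "sudo yum update"
    elif [ "$(uname -s)" = "Darwin" ]; then
        echo "Run the Software Update application"
    else
        echo "Use the operating system's default update mechanism"
    fi
}

main() {
    status=$(shellshock_status)
    echo "bash status: $status"
    if [ "$status" = "vulnerable" ]; then
        echo "update required: $(update_command)"
    fi
    return 0
}

main
```

Re-run the script after updating; the advisory's update commands only help if the distribution version in use still receives the Bash security update.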