Business Products

Version

AU/iAU (ActiveUpdate)

CPM for Mac

1.1, 2.0

Deep Discovery Inspector

All

Deep Security as a Service (DSaaS)

All

Deep Security for Web Apps

2.1

Email Encryption Gateway (TMEEG)

5, 5.5

Email Reputation Service (ERS)

All

Email Security Platform for Service Providers - White Label

1.0

Full Disk Encryption (TMFDE)

5.0/3.1.3

Hosted Email Security

1.9 and 2.0

Hosted Mobile Security

1.6

HouseCall

7.1/8

InterScan for Cisco CSC-SSM

6.6

InterScan Messaging Security Suite (IMSS)

7.0/7.1

InterScan VirusWall

All

InterScan Web Security as a Service (IWSaaS)

1.9

InterScan Web Security Suite

All

ISUX

3.81

Licensing Management Portal (LMP)/Customer Licensing Portal (CLP)

All

Network VirusWall Enforcer (NVWE)

All

Officescan

All

Remote Manager

3.3

SafeSync for Business

All

ScanMail for Domino / ScanMail for IBM Domino

All

SecureCloud

3.0, 3.5, 3.6 (Cent OS)

ServerProtect for Linux

All

Threat Discovery Appliance (TDA) / Deep Discovery Inspector (DDI)

All

Threat Mitigator (TMTM)

2.58,2.6, 2.6 SP1, 2.6 SP2

TMNAS

Mobile Security for Enterprise

All

Worry-free Business Security Services

5.6

Home and Home Office Products

Version

JewelryBox

2.0, 2.1

Platinum

All

Safesync for Consumer

All

SafeSync for xSP

2.0 (Mac)

Security for Mac (TMSM)

1.5, 1.6, 2.0

Titanium for Mac

Product

Version

Required Update

Advanced Reporting Module (ARM)

1.5, 1.6

Critical Patch 4.1.2-15 for ARM 1.6

Critical Patch 3.2-33 for ARM 1.5

Data Loss Prevention Network Monitor (DLPNM)

2.0

Critical Patch for Shellshock

Interscan Messaging Security Virtual Appliance (IMSVA)

8.0, 8.2, 8.5

IMSVA 8.5 Critical Patch 16190

IMSVA 8.2 Critical Patch 17580

IMSVA 8.0 Critical Patch 15010

Interscan Web Security Virtual Appliance (IWSVA)

5.5, 5.6, 6.0 SP1, 6.5

Critical Patch 4.1.2-15 for IWSVA 6.5, 6.0SP1, 5.6 and ARM 1.6

Critical Patch 3.2-33 for IWSVA 5.5 and ARM 1.5

SafeSync for Enterprise (SSFE)

2.1, 3.1, 3.2

SSFE 3.2 SP1

Smart Protection Server (SPS)

2.5, 2.6, 3.0

Critical Patch B2192 for SPS 2.5

Critical Patch B2089 for SPS 2.6

Critical Patch B1171 for SPS 3.0

Deep Security Virtual Appliance (DSVA)

9.0

Deep Security 9.0 SP1 Patch 4

Trend Micro products and the Shellshock – Linux Bash Vulnerability (Bash Bug) [CVE-2014-6271 and CVE-2014-7169]

Product / Version includes:

Interscan Web Security Virtual ApplianceAll , ServerProtect for Microsoft Windows/Novell NetWareAll , ScanMail for ExchangeAll

Last updated: 2021/10/10

Solution ID: KA-0004519

Category: Troubleshoot

Summary

What is Shellshock?

The Shellshock Vulnerability (CVE-2014-6271) is a serious vulnerability in Bash on Linux.

According to RedHat, “A flaw was found in the way Bash (aka bourne-again shell) evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.”

There was an original fix published for CVE-2014-6271, but it proved to be incorrect and/or incomplete, so a second advisory was issued (CVE-2014-7169) to address this.

Who is impacted by Shellshock?

Because some of Trend Micro’s products are designed to run on or protect Linux-based platforms, some of these products may be affected by this vulnerability. This article contains the list of products that are affected and the recommended action to take to eliminate the risks as they are identified and corrected.

External References:

After further investigation of this vulnerability, researchers uncovered two more bugs that affect Gnu BASH parser, 'parse.y'. For more information, refer to the following KB article:

Fixed-sized redir_stack (CVE-2014-7186) and read_token_word (CVE-2014-7187) Vulnerabilities in GNU BASH parser (parse.y).

Trend Micro products that are running on Windows are not affected by the Bash Bug. Trend external servers including SaaS servers are also unaffected.

Linux, Unix, or Mac-based products that are not affected

Business Products	Version
AU/iAU (ActiveUpdate)
CPM for Mac	1.1, 2.0
Deep Discovery Inspector	All
Deep Security as a Service (DSaaS)	All
Deep Security for Web Apps	2.1
Email Encryption Gateway (TMEEG)	5, 5.5
Email Reputation Service (ERS)	All
Email Security Platform for Service Providers - White Label	1.0
Full Disk Encryption (TMFDE)	5.0/3.1.3
Hosted Email Security	1.9 and 2.0
Hosted Mobile Security	1.6
HouseCall	7.1/8
InterScan for Cisco CSC-SSM	6.6
InterScan Messaging Security Suite (IMSS)	7.0/7.1
InterScan VirusWall	All
InterScan Web Security as a Service (IWSaaS)	1.9
InterScan Web Security Suite	All
ISUX	3.81
Licensing Management Portal (LMP)/Customer Licensing Portal (CLP)	All
Network VirusWall Enforcer (NVWE)	All
Officescan	All
Remote Manager	3.3
SafeSync for Business	All
ScanMail for Domino / ScanMail for IBM Domino	All
SecureCloud	3.0, 3.5, 3.6 (Cent OS)
ServerProtect for Linux	All
Threat Discovery Appliance (TDA) / Deep Discovery Inspector (DDI)	All
Threat Mitigator (TMTM)	2.58,2.6, 2.6 SP1, 2.6 SP2
TMNAS
Mobile Security for Enterprise	All
Worry-free Business Security Services	5.6

Home and Home Office Products	Version
JewelryBox	2.0, 2.1
Platinum	All
Safesync for Consumer	All
SafeSync for xSP	2.0 (Mac)
Security for Mac (TMSM)	1.5, 1.6, 2.0
Titanium for Mac

Linux, Unix, or Mac-based products that require updates

Product	Version	Required Update
Advanced Reporting Module (ARM)	1.5, 1.6	Critical Patch 4.1.2-15 for ARM 1.6 Critical Patch 3.2-33 for ARM 1.5
Data Loss Prevention Network Monitor (DLPNM)	2.0	Critical Patch for Shellshock
Interscan Messaging Security Virtual Appliance (IMSVA)	8.0, 8.2, 8.5	IMSVA 8.5 Critical Patch 16190 IMSVA 8.2 Critical Patch 17580 IMSVA 8.0 Critical Patch 15010
Interscan Web Security Virtual Appliance (IWSVA)	5.5, 5.6, 6.0 SP1, 6.5	Critical Patch 4.1.2-15 for IWSVA 6.5, 6.0SP1, 5.6 and ARM 1.6 Critical Patch 3.2-33 for IWSVA 5.5 and ARM 1.5
SafeSync for Enterprise (SSFE)	2.1, 3.1, 3.2	SSFE 3.2 SP1
Smart Protection Server (SPS)	2.5, 2.6, 3.0	Critical Patch B2192 for SPS 2.5 Critical Patch B2089 for SPS 2.6 Critical Patch B1171 for SPS 3.0
Deep Security Virtual Appliance (DSVA)	9.0	Deep Security 9.0 SP1 Patch 4

What if my product is not listed?

If the product has not reached End-of-Support, it is most likely that Trend Micro is still analyzing the vulnerability and it’s impact on your product. As soon as the analysis is completed, the product will be added in the list.

What if I have additional questions?

For additional inquiries, contact Trend Micro Technical Support.

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Trend Micro products and the Shellshock – Linux Bash Vulnerability (Bash Bug) [CVE-2014-6271 and CVE-2014-7169]

Trend Micro products and the Shellshock – Linux Bash Vulnerability (Bash Bug) [CVE-2014-6271 and CVE-2014-7169]

Product / Version includes:

Summary