Fixed-sized redir_stack (CVE-2014-7186) and read_token_word (CVE-2014-7187) Vulnerabilities in GNU BASH parser (parse.y)

Updated: 26 Oct 2015

Product/Version:
    • Deep Security 8.0
    • Deep Security 9.0
    • Deep Security 9.5
    • Deep Security for Web Apps 2.0
    • InterScan Messaging Security Virtual Appliance 8.2
    • InterScan Messaging Security Virtual Appliance 8.5
    • InterScan Messaging Security Virtual Appliance 9.0
    • InterScan Web Security Virtual Appliance 5.5
    • InterScan Web Security Virtual Appliance 5.6
    • InterScan Web Security Virtual Appliance 6.0
    • InterScan Web Security Virtual Appliance 6.5
    • Smart Protection Server 3.0

Platform:
    • Linux - Red Hat RHEL 3 32-bit
    • Linux - SuSE 10
    • Macintosh iOS 3.x
    • Unix - Solaris (Sun) version 10 (SunOS 5.10)
Summary

After further investigation of the Shellshock vulnerability, vulnerability researchers uncovered two more bugs that affect the GNU Bash parser, parse.y.

What are these Vulnerabilities?

According to the National Vulnerability Database, the Bash parser parse.y is affected by the following vulnerabilities:

Fixed-sized redir_stack issue (CVE-2014-7186)

"The redirection implementation in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via crafted use of here documents, aka the "redir_stack" issue."

Read_token_word (CVE-2014-7187)

"Off-by-one error in the read_token_word function in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via deeply nested for loops, aka the "word_lineno" issue."

Who is affected?

As with Shellshock, some Trend Micro products that are designed to run on or protect Linux-based platforms may be affected by these vulnerabilities. This article lists the affected products and the recommended action to take to eliminate the risk, updated as products are identified and corrected.

Additional References

Details

Trend Micro products that run on Windows are not affected by these vulnerabilities. Trend Micro external servers, including SaaS servers, are also unaffected.

Trend Micro Linux, Unix, or Mac-based products that are not affected

Business Products                Version
Deep Security as a Service       All
SafeSync for Business            All

Home and Home Office Products    Version
SafeSync                         All

Linux, Unix, or Mac-based products that require updates

Product    Version    Required Update
Pending    Pending    Pending

What if my product is not listed?

If the product has not reached End-of-Support, Trend Micro is most likely still analyzing the vulnerability and its impact on your product. As soon as the analysis is completed, the product will be added to the list.

What if I have additional questions?

For additional inquiries, contact Technical Support.

Category: Troubleshoot
Solution Id: 1105352