Bash Code Injection Vulnerability Security Update

September 25, 2014
Proofpoint Staff

On Wednesday September 24, a security vulnerability in the bash command interpreter used in Linux systems was disclosed on various internet channels. This vulnerability has been identified as CVE-2014-6271 in the Common Vulnerabilities and Exposure database. CVE-2014-6271 is a flaw found in the way bash evaluates certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. This is an Internet wide vulnerability that affects everyone with Internet facing applications using recent versions of Linux and is not limited to Proofpoint. More information on this vulnerability can be found here and here.

A second vulnerability was identified later in the day. According to Redhat, patches shipped for CVE-2014-6271 vulnerability are incomplete. An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions. The new issue has been identified as CVE-2014-7169 as in the Common Vulnerabilities and Exposure database. More information can be found here.

Proofpoint immediately began to assess which products are impacted and has released emergency patches to secure them against both vulnerabilities.

The following Proofpoint services and products have been patched:

  • Proofpoint Enterprise Protection and Privacy (PPS) versions 6.3, 7.0.2, 7.1, 7.2 and 7.5
  • Proofpoint On Demand (PoD) services
  • Proofpoint Targeted Attack Protection
  • Proofpoint Secure Share and Cloud Based Smart Search
  • Proofpoint Essentials services
  • Proofpoint Enterprise Archive and Governance services

Proofpoint has released hotfixes for Sentrion versions 4.2.x, and 4.3.x. Please visit the Sendmail customer portal for hotfix download instructions.

Customers with physical and virtual appliance deployments of PPS 6.3, 7.0.2, 7.1, 7.2 and 7.5 on their premises with patch auto deploy turned ON: No action is required from customers.

Customers with physical and virtual appliance deployments of PPS 6.3, 7.0.2, 7.1, 7.2 and 7.5 on their premises with patch auto deploy turned OFF: Customers have been notified to apply the applicable patches by following the steps below.

  • Go to your Proofpoint Admin Console GUI
  • Navigate to System - Licenses and Updates - General
  • Click the Checkbox on the left-hand side next to the patch
  • Click the Apply Update(s) button on the menu

Customers with physical and virtual appliance deployments of PPS 6.3, 7.0.2, 7.1, 7.2 and 7.5 on their premises: Customers running PPS software on their own hardware should patch their operating systems.

Customers using Proofpoint on Demand services, Proofpoint Targeted Attack Protection, Proofpoint Secure Share, Proofpoint Essentials and Proofpoint Enterprise Archive and Governance services: No action is required from customers. We are closely monitoring this issue and will provide updates as they become available.

Keeping your data secure is our top priority. If you have any additional questions or concerns, please contact Proofpoint Support.

Sincerely,
Proofpoint Inc.