A vulnerability has been discovered in the bash command shell that allows remote command execution. An unauthenticated remote user can craft a request to the embedded web service on an Opengear device to run arbitrary shell commands.
Firmware that fixes the vulnerability for all current and legacy products has been released. We recommend upgrading firmware immediately.
- To upgrade using the Web Management UI: https://opengear.zendesk.com/entries/22275692-Upgrading-firmware-from-the-Web-Management-UI
- To upgrade using the CLI: https://opengear.zendesk.com/entries/22271241-Upgrading-firmware-from-the-command-line-CLI
If you are unable to upgrade at this time, follow the mitigation instructions from the earlier notification: https://opengear.zendesk.com/entries/55865559-CVE-2014-6271-aka-shellshock-Opengear-products-are-affected-please-disable-HTTP-and-HTTPS-Web-Manage
Please update to version:
- 3.12.1 or later (ACM5000, ACM5500, CM4100, IM4200, IM7200), available at: http://ftp.opengear.com/download/release/current/
- 3.9.3 or later (SD4002, IM(G)4004-5, KCS6100), available at: http://ftp.opengear.com/download/release/current/
- 3.8.3 or later (CM4001, CM4008, SD4008), available at: http://ftp.opengear.com/download/release/current/
If you are also running Lighthouse or CMS, please update to version:
- 4.5.2 or later (Lighthouse), available at: http://ftp.opengear.com/download/release/lighthouse/
- 3.11.3 or later (CMS), available at: http://ftp.opengear.com/download/release/cms/