Security
Is WinCC OA affected by the “shellshock” vulnerability?
This vulnerability is also called the bash bug or Bashdoor and concerns the Unix bash shell (Linux/Solaris).
The “Shellshock” vulnerability arises from the fact that a user can create environment variables with specially crafted values before calling the bash shell. These variables can contain code that is executed once the shell is called, which poses a potential security issue.
An overall description of this vulnerability can be viewed here: http://en.wikipedia.org/wiki/Shellshock_(software_bug)
WinCC OA does NOT contain any services/managers that take environment variables from a remote machine, set their content and start subprocesses with bash. It is therefore not affected by this vulnerability.
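The crafted-variable pattern described above can be looked for in a process environment before a shell is started. The following Python code is an added example, not code from WinCC OA or Siemens. It assumes the NUL-separated environment layout that Linux exposes in /proc/<pid>/environ; the sample block, the variable names and the function names are constructed for illustration.

```python
# Added example: audit an environment block for function-style values.
# Names (parse_environ, classify, audit, SAMPLE) are hypothetical.

FUNC_PREFIX = b"() {"   # bash recognised exported functions by this value prefix

# Constructed sample in the NUL-separated layout of /proc/<pid>/environ on Linux.
SAMPLE = (
    b"PATH=/usr/bin:/bin\0"
    b"REMOTE_SUPPLIED=() { :; }; trailing-text-after-body\0"
    b"BASH_FUNC_greet%%=() {  echo hello\n}\0"
    b"NOTE=mentions () { only in the middle\0"
)


def parse_environ(block):
    """Split a NUL-separated environment block into (name, value) pairs."""
    pairs = []
    for entry in block.split(b"\0"):
        name, sep, value = entry.partition(b"=")
        if sep and name:          # skip empty or malformed entries
            pairs.append((name, value))
    return pairs


def classify(name, value):
    """Label one variable: 'plain', 'exported-function' or 'suspicious'."""
    if not value.startswith(FUNC_PREFIX):
        return "plain"
    # Upstream bash, after the fix, only imports functions from variables
    # named BASH_FUNC_<name>%%, so that naming marks a deliberate export.
    if name.startswith(b"BASH_FUNC_") and name.endswith(b"%%"):
        return "exported-function"
    # An ordinary variable name with a function-style value is the pattern
    # an unpatched bash would parse (and run trailing text from) at start-up.
    return "suspicious"


def audit(block):
    """Return the names of variables classified as 'suspicious'."""
    return [name.decode(errors="replace")
            for name, value in parse_environ(block)
            if classify(name, value) == "suspicious"]


if __name__ == "__main__":
    for flagged in audit(SAMPLE):
        print("function-style value in ordinary variable:", flagged)
```

A variable flagged here is harmless to a patched bash, but it shows that untrusted input reached the environment of a process that may start a shell.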
Official information/references from Siemens Industry can be viewed here:
Industrial-Security
http://www.industry.siemens.com/topics/global/en/industrial-security/news-alerts/Pages/alerts.aspx
Product-Cert
http://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-860967.pdf