Security

Is WinCC OA affected by the “shellshock” vulnerability?

This vulnerability is also called the “Bash bug” or “Bashdoor” and relates to the Unix bash shell (Linux/Solaris).

The “Shellshock” vulnerability arises from the fact that a user can create environment variables with specially crafted values before calling the bash shell. These variables can contain code that is executed once the shell is called, which poses a potential security issue.

An overall description of this vulnerability can be viewed here: http://en.wikipedia.org/wiki/Shellshock_(software_bug)

Since WinCC OA does NOT contain any services/managers that get environment variables from a remote machine, setting the content of environment variables and starting subprocesses with bash is not affected by this vulnerability.
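
The following shell script is an added example, not part of the original article or of WinCC OA. It checks on a Linux/Solaris host whether the installed bash executes code appended to a function definition in an environment variable, and lists the variables in an environment listing whose value has that shape. The function names, the `probe` variable, the `MARKER` string and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: defensive checks for the condition described above.

# Return 0 if the given bash runs code appended to a function definition
# held in an environment variable, 1 if it does not, 2 if bash is missing.
bash_runs_env_code() {
    bash_bin=${1:-bash}
    command -v "$bash_bin" >/dev/null 2>&1 || return 2
    # "probe" holds a function definition followed by a harmless echo.
    # A patched bash treats the value as plain text and prints nothing;
    # an unpatched bash runs the echo while it starts up.
    out=$(env probe='() { :;}; echo MARKER' "$bash_bin" -c true 2>/dev/null)
    [ "$out" = "MARKER" ]
}

# Read NAME=value lines on stdin and print the names whose value begins
# with a function definition. Names starting with BASH_FUNC_ are skipped:
# patched bash versions use that prefix for legitimately exported functions.
# Assumption: one variable per line (no multi-line values in the listing).
find_function_like_vars() {
    while IFS= read -r line; do
        name=${line%%=*}
        value=${line#*=}
        case $name in
            BASH_FUNC_*) continue ;;
        esac
        case $value in
            "() {"*) printf '%s\n' "$name" ;;
        esac
    done
}

# Constructed sample environment listing (not taken from a real system).
sample_env='PATH=/usr/bin:/bin
REMOTE_SUPPLIED=() { :;}; echo MARKER
LANG=C'

echo "Variables with function-like values in the sample listing:"
printf '%s\n' "$sample_env" | find_function_like_vars

if bash_runs_env_code; then
    echo "bash: executes code from environment variables (update bash)"
else
    echo "bash: not affected, or bash is not installed"
fi
```

To audit a live session instead of the sample, pipe the output of `env` into `find_function_like_vars`.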

Official information and references from Siemens Industry can be viewed here:

Industrial-Security

http://www.industry.siemens.com/topics/global/en/industrial-security/news-alerts/Pages/alerts.aspx

Product-Cert

http://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-860967.pdf