Is WinCC Open Architecture affected by the “shellshock” vulnerability?

This vulnerability is also known as the “Bash bug” or “Bashdoor” and concerns the Unix Bash shell (Linux/Solaris).
The “shellshock” vulnerability arises because a user can create environment variables with specially crafted values before calling the Bash shell. These variables can contain code that is executed as soon as the shell is invoked, which is a potential security issue.

An overall description of this vulnerability can be viewed here: http://en.wikipedia.org/wiki/Shellshock_(software_bug)

WinCC OA does NOT contain any services/managers that receive environment variables from a remote source, set their content afterwards and then start sub-processes with Bash. It is therefore not affected by this vulnerability.
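To check an environment for the value shape described above, the following POSIX shell script flags variables whose value begins with `() {`, the function-definition prefix that unpatched Bash versions imported from the environment. It is an added example, not part of the original article and not Siemens or WinCC OA code; the variable names in the sample are constructed, and `audit_pid` assumes a Linux `/proc` file system.

```shell
#!/bin/sh
# Added example: flag NAME=VALUE pairs that carry the Shellshock value shape.

# Return 0 if the value begins with "() {", 1 otherwise.
is_function_shaped() {
    case $1 in
        '() {'*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Read NAME=VALUE lines on stdin and print the names of flagged variables.
flag_suspicious_vars() {
    while IFS= read -r pair; do
        name=${pair%%=*}
        value=${pair#*=}
        if is_function_shaped "$value"; then
            printf '%s\n' "$name"
        fi
    done
}

# Audit the start-up environment of a running process (Linux /proc assumed).
# Newlines inside values become spaces so each NUL-terminated pair is one line.
# Returns 2 if the environment of that PID cannot be read.
audit_pid() {
    [ -r "/proc/$1/environ" ] || return 2
    tr '\n\0' ' \n' < "/proc/$1/environ" | flag_suspicious_vars
}

# Constructed sample: values a service might have copied from a remote peer.
sample_env() {
    cat <<'EOF'
LANG=en_US.UTF-8
REMOTE_LABEL=() { :;}; echo injected
PROJ_NAME=demo() { not at start
HTTP_HINT=plain text value
EOF
}

# Stand-alone run: prints REMOTE_LABEL, the only flagged name in the sample.
sample_env | flag_suspicious_vars
```

A flagged variable matters only where the value reaches a Bash process started by the service, which is the combination the article rules out for WinCC OA.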

Official information/references from Siemens Industry can be viewed here:

Industrial-Security

http://www.industry.siemens.com/topics/global/en/industrial-security/news-alerts/Pages/alerts.aspx

Product-Cert

http://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-860967.pdf
