Friday 26th September 2014


This is to inform you about the impact of the so-called "Shellshock" vulnerability (CVE-2014-6271, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271) on runIP.

runIP Management Station

The runIP Webserver is not affected by this vulnerability since bash is not being used.

The operating systems on Management Stations may be affected but are outside the scope of the runIP Software. Patches are available from Red Hat for Red Hat Linux.

runIP DNS/DHCP Appliances

On runIP DNS/DHCP Appliances, the vulnerability might allow users with limited privileges to gain full shell access with qipadmin privileges. This applies in cases where either the runIP License Key forbids OS access completely (very rare) or the user's login access to the appliances is defined as "menu-only" via a corresponding role.

Since this issue is only exploitable by users who have valid runIP credentials allowing them to access runIP DNS/DHCP Appliances, we consider the impact to be limited. Nevertheless, we are working on a runIP OS package that will address this vulnerability. As a workaround, customers who feel they need to take immediate action can disable the appliance login access in the corresponding roles via the GUI.
