Tellabs OLAN and CVE-2014-6271 (Shellshock) Vulnerability
Introduction
Document Number
ENG-010451
Purpose
This application note addresses Tellabs OLAN and the CVE-2014-6271 Vulnerability that was placed on the National Cyber Awareness System on Sept 24, 2014. The Tellabs OLAN system is not vulnerable to this exploit and this document will outline why it is not a threat for any of the components of the Tellabs OLAN system.
Note: While the Tellabs OLAN system is not susceptible to the Shellshock vulnerability itself, a similar command-injection style of attack has since been reported and fixed. Consult CVE-2019-19148 to ensure that the system is properly updated to protect against that command injection attack, and to be aware of the mitigations that can help if the upgrade cannot be undertaken immediately.
Applies To
This application note covers the Tellabs Panorama EMS, the Tellabs OLAN OLT, and the Tellabs GPON ONTs.
GNU Bash "Shell shock" Vulnerability Description
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.
This vulnerability concerns the way in which Bash shell functions can be defined and executed through Bash environment variables. The command environment presented to any user of the OLAN system is NOT Bash, but a proprietary interface with a limited command set; environment variables are not a supported function in the OLAN command interface.
Additionally, the command interface does not submit any commands directly to the Bash shell, but runs them through the CLI command-line parser, which ensures that all input matches the syntax and grammar of the command. Any command with excess input is rejected.
The reason the vulnerability is sometimes reported by tools such as Retina and Nessus is the unsophisticated method they use to detect it. Rather than accessing the command environment of the system, the scanning software attempts to connect to the system and, if it detects that a version of Linux is running, reports the vulnerability even though it may not be present. In the case of the Tellabs OLAN product, the Bash environment is not accessible.
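The CVE text above describes the shape of a Shellshock payload: a Bash function definition ("() {" ... "}") followed by trailing text that unpatched Bash executed. The detector below is an added example, not part of the Tellabs note, showing how a defender can flag that pattern in the quoted header fields of web-server log lines (the mod_cgi vector, where headers become environment variables). The log lines, hosts and paths are constructed for the example.

```python
import re

# Bash through 4.3 treated an environment variable whose value starts with
# "() {" as an exported function definition and kept parsing whatever
# followed the closing "}" as commands. A Shellshock payload therefore
# always carries that prefix plus trailing text. CGI gateways copy HTTP
# headers (User-Agent, Referer, Cookie, ...) into the environment, so
# quoted header fields in access logs are where this pattern shows up.
FUNC_DEF = re.compile(r"^\s*\(\s*\)\s*\{")


def has_trailing_commands(value: str) -> bool:
    """True if value is a Bash function definition with text after its body."""
    if not FUNC_DEF.match(value):
        return False
    depth = 0
    for i, ch in enumerate(value):          # find where the function body ends
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return value[i + 1:].strip() != ""
    return True  # unterminated body: malformed definition, still worth flagging


# Constructed sample: Apache combined-format lines, User-Agent is the last
# quoted field. Addresses are documentation ranges; paths are hypothetical.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [25/Sep/2014:10:01:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo probe"',
    '198.51.100.2 - - [25/Sep/2014:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 1024 "() { x; }" "curl/7.35"',
    '198.51.100.7 - - [25/Sep/2014:10:03:00 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }"',
]

QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def scan_log(lines):
    """Return (line_no, field) for every quoted field carrying a Shellshock-style value."""
    hits = []
    for n, line in enumerate(lines, 1):
        for field in QUOTED.findall(line):
            if has_trailing_commands(field):
                hits.append((n, field))
    return hits


if __name__ == "__main__":
    for n, field in scan_log(SAMPLE_LOG):
        print(f"line {n}: {field!r}")
```

A plain function definition with nothing after its body (lines 3 and 4 of the sample) is legitimate pre-patch Bash behaviour and is not flagged; only the definition-plus-trailing-commands form is.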
Tellabs Vulnerability Statement
The Tellabs OLAN system is not vulnerable to this exploit in any of its components.
The Tellabs OLAN system consists of three main components:
- Tellabs Panorama Management System
- Tellabs OLAN OLT
- Tellabs OLAN ONTs
Tellabs Panorama PON Vulnerability Statement
The Tellabs Panorama Management system is most typically deployed on Windows machines, which are not subject to this vulnerability.
The Panorama Management system can also be deployed on Solaris. The Panorama Management system makes no use of the BASH shell and is not directly vulnerable to the Shellshock exploit. The machine in a Solaris environment may be vulnerable, but this will not affect the operation of Panorama PON. All machines on which Panorama PON runs should be kept up to date on security patches via normal IT practices.
Tellabs OLT Vulnerability Statement
The Tellabs OLT does not allow any access to the OS of the OLT. The shell is replaced by a shell that only accepts Tellabs CLI inputs and does not allow any access to the OS layer. The Tellabs OLT is not vulnerable to the Shellshock exploit. Depending on the mechanism used to scan for this vulnerability it may give a false positive since it may not recognize the Tellabs shell as it is a proprietary shell running on a standard Linux OS.
Tellabs ONT Vulnerability Statement
The Tellabs ONT does not have any interface which allows access to the OS layer and is strictly driven by OMCI commands received over the PON link and therefore is not vulnerable to the Shellshock exploit.
Summary
This table summarizes the Tellabs Vulnerability to the Shellshock exploit:
| OLAN Component | Vulnerable to Shellshock | Comments |
|---|---|---|
| Panorama PON (Windows) | No | Windows OS is not vulnerable to Shellshock. |
| Panorama PON (Solaris) | No | EMS does not use BASH, but the OS should be patched to ensure the exploit does not affect other applications on the same machine or allow the machine to be taken over. Patch the machine using normal IT practices for the Solaris OS. |
| Tellabs OLT | No | Shell has been replaced by a proprietary shell; no access to BASH. |
| Tellabs ONT | No | No interface to the device exists other than OMCI; therefore it is not vulnerable. |