October 06, 2014

Announcement: Shellshock Vulnerability


Datacard Group is aware of a recent security vulnerability report called Shellshock, and we are actively investigating the potential impact of this vulnerability on Datacard® solutions.  Below is what we know so far; however, we will be continually providing updates to you as we learn more.

What is Shellshock?

Last week, a security vulnerability called Shellshock was made public (CVE-2014-6271).  Shellshock is a nickname for a bug in the Bash (Bourne Again Shell) command-line interpreter, also known as a shell.

Simply put, the Bash bug is in a piece of software code that is built into nearly 70 percent of computers, and users that are connected to the Internet are the most exposed to remote exploitation.  In addition, operating systems that run Linux, UNIX, BSD and Apple's OSX (since 10.3) are the most vulnerable and are likely to be targeted.

This flaw has been present since 1989, but only recently found.  The concern is the Shellshock exploit could allow a hacker to load malicious software onto a computer or system that has this bug.  The Bash bug then allows an attacker to perform the same commands as a legitimate user.  This gives a successful attacker the ability to do nearly anything that a user can do.  An attacker that has access to a remote vector will be able to remotely inject Bash commands on the system without authentication.

Are Datacard® Solutions Affected By Shellshock?

Datacard Group is proactively monitoring the situation.  As of today, we believe most Datacard solutions are not vulnerable to Shellshock, including our software applications.  However, we have identified products where vulnerability may be present.

Some Datacard solutions have an embedded version of Linux as part of their operating system and therefore could be affected.  These products include:

  • Datacard® SD260™ Card Printer
  • Datacard® SD360™ Card Printer
  • Datacard® SD460™ Card Printer
  • Datacard® CD800™ Card Printer
  • Datacard® CD820™ Instant Issuance System
  • Datacard® CE840™ Instant Issuance System
  • Datacard® CE870™ Instant Issuance System
  • Datacard® CR500™ Instant Issuance System
  • SafeNet ProductServer PL25 and PL600 External HSM (the internal version of the HSM are not affected)

What Is My Risk With a Datacard Product?

For systems that are connected via a USB port, there appears to be no concern because it is not connected to the Internet.  For those that are connected using an Ethernet connection and connected to the Internet on a corporate network, most are used behind a corporate firewall, making it very difficult for an external hacker to get access to a network and then access to the machine.  However, due to the use of embedded Linux in the Datacard products listed above, the possibility that malicious code could be loaded into a system cannot be ruled out.  Each customer should assess their risk based on their security environment.

What is Datacard Group doing about this Issue?

For Datacard products that have been identified as vulnerable, our engineers are working on firmware updates for the SD Series, CD Series, CE Series and CR500 systems that will address this vulnerability. We will keep you informed as firmware updates become available.

SafeNet, the HSM vendor, has already provided a patch for their product to fix the ShellShock vulnerability.  Datacard Group has successfully tested this patch with our software products. 

When and Where Can I Receive Datacard Firmware Updates?

Within the next few weeks, we expect to have the firmware update to be available for the SD Series, CD Series, CE Series and CR500.  We will provide ongoing updates on how to access and download this firmware update as soon as it’s available.

For further questions, please contact DKC Associates.


Leave a comment

Comments have to be approved before showing up.