
Security Advisory: Intel(R) MPSS affected by Shellshock bug

BelindaLiviero
Employee

Recently there was a critical vulnerability exposed in the GNU* Bourne-Again Shell (Bash), the common command-line shell used in many Linux*/UNIX operating systems. This vulnerability also affects the operating system used for the Intel(R) Xeon Phi(tm) Coprocessor.

Several Intel(R) MPSS Hotfixes will be released that address all six of the known CVEs related to the newly-discovered Bash vulnerabilities (CVE-2014-6721, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6728) and correspond to patch level 052 of Bash ver. 4.2 as published by GNU.org.

Intel(R) MPSS 3.1-x, 3.2-x, 3.3-x and 3.4-x are all affected, as well as previous MPSS 2.x releases.

No patches will be released for obsolete releases (MPSS 2.x). As a workaround, it is possible to re/cross-compile a bash from patched sources.

Patches for MPSS 3.3 (Linux) were recently released (see https://software.intel.com/en-us/articles/intel-manycore-platform-software-stack-mpss).

Patches for MPSS 3.3 (Windows), 3.4, 3.1 and 3.2 will follow soon. We will update this forum thread when they are available.

Customers can verify the vulnerability mitigation by running checkers on the Xeon Phi Coprocessor OS, such as Bashcheck, https://github.com/hannob/bashcheck, or another relevant shell-script-based checker of their choice.

Please let us know if you have any questions!

 

3 Replies
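An added example, not part of the original post and not Intel's or Bashcheck's code: a quick triage check that compares a Bash version string against the fixed level the advisory names (Bash 4.2, patch level 052). The function name `mpss_bash_status` and its three status words are hypothetical, and the sample version strings in the comments are constructed.

```shell
#!/bin/sh
# Classify a Bash version string against the fixed level named in the
# advisory above: Bash 4.2 at patch level 052.
# Hypothetical helper; not part of MPSS or Bashcheck.

REQUIRED_SERIES="4.2"   # series named in the advisory
REQUIRED_PATCH=52       # "patch level 052" from the advisory

# mpss_bash_status VERSION -> prints: patched | unpatched | unknown
# VERSION has the $BASH_VERSION format, e.g. "4.2.45(1)-release" (constructed).
mpss_bash_status() {
    ver=${1%%[!0-9.]*}          # drop "(1)-release" and similar suffixes
    case $ver in
        [0-9]*.[0-9]*.[0-9]*) ;;            # need major.minor.patch
        *) echo unknown; return 0 ;;
    esac
    series=${ver%.*}            # e.g. "4.2"
    patch=${ver##*.}            # e.g. "45"
    case $patch in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    if [ "$series" != "$REQUIRED_SERIES" ]; then
        # The advisory gives a fixed level only for the 4.2 series.
        echo unknown
    elif [ "$patch" -ge "$REQUIRED_PATCH" ]; then
        echo patched
    else
        echo unpatched
    fi
}

# Report on the bash found on this system (run it on the coprocessor OS).
if command -v bash >/dev/null 2>&1; then
    echo "bash: $(mpss_bash_status "$(bash -c 'echo "$BASH_VERSION"')")"
fi
```

A version string only reflects how the binary was labelled at build time, so treat `unknown` and `patched` results as a prompt to run a behavioural checker such as Bashcheck, as the post recommends.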
BelindaLiviero
Employee

Patches for MPSS 3.3 (Windows) have been posted; see https://software.intel.com/en-us/articles/intel-manycore-platform-software-stack-mpss

 

BelindaLiviero
Employee

Patches for MPSS 3.4 are now posted.

BelindaLiviero
Employee

Patches for the older 3.1.x and 3.2.x releases are posted on the MPSS Archive page at https://software.intel.com/en-us/articles/intel-manycore-platform-software-stack-mpss-archive#

The versions to get are 3.1.7 and 3.2.5.

 
