Vulnerability CVE-2014-6271


Published: 2014-09-24

Description:
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.

See advisories in our WLB2 database:
Topic
Author
Date
High
CGI Remote Code Injection by Bash Proof Of Concept
Prakhar Prasad &...
25.09.2014
High
bashedCgi Remote Command Execution
Shaun Colley
26.09.2014
High
Mac OS X VMWare Fusion Root Privilege Escalation
joev
26.09.2014
High
Dhclient Bash Environment Variable Injection
egypt
28.09.2014
High
Gnu Bash 4.3 CGI Scan Remote Command Injection
Stephane Chazela...
28.09.2014
High
Apache mod_cgi Bash Environment Variable Code Injection
Juan vazquez
28.09.2014
High
DHCP Client Bash Environment Variable Code Injection
Ramon
29.09.2014
High
Bash Me Some More
vixie
02.10.2014
High
Pure-FTPd External Authentication Bash Environment Variable Code Injection
Spencer
02.10.2014
Low
CA Technologies GNU Bash Shellshock
Ken Williams
07.10.2014
High
Postfix SMTP Shellshock
fattymcwopr
07.10.2014
High
DNS Reverse Lookup Shellshock
Dirk-Willem van ...
14.10.2014
High
CUPS Filter Bash Environment Variable Code Injection
Brendan Coles
29.10.2014
High
PHP 5.x / Bash Shellshock Proof Of Concept
ssbostan
26.11.2014
High
QNAP admin shell via Bash Environment Variable Code Injection
Patrick Pellegri...
27.03.2015
High
QNAP Web server remote code execution via Bash Environment Variable Code Injection
Patrick Pellegri...
27.03.2015
High
Advantech Switch Bash Environment Variable Code Injection
hdm
02.12.2015
High
IPFire Bash Environment Variable Injection (Shellshock)
Claudio Viviani
10.06.2016
High
TrendMicro InterScan Web Security Virtual Appliance Shellshock
Hacker Fantastic
23.10.2016
High
RedStar 3.0 Server - 'BEAM & RSSMON' Command Execution (Shellshock)
Hacker Fantastic
19.12.2016
Med.
FutureNet NXR-G240 Series ShellShock Command Injection
Nassim Asrir
09.12.2018

Type:

CWE-78

(Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') )

Vendor: GNU
Product: BASH 
Version:
4.3
4.2
4.1
4.0
3.2.48
3.2
3.1
3.0.16
3.0
2.05
2.04
2.03
2.02.1
2.02
2.01.1
2.01
2.0
1.14.7
1.14.6
1.14.5
1.14.4
1.14.3
1.14.2
1.14.1
1.14.0

CVSS2 => (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Base Score
Impact Subscore
Exploitability Subscore
10/10
10/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Complete
Complete
Complete

 References:
http://advisories.mageia.org/MGASA-2014-0388.html
http://archives.neohapsis.com/archives/bugtraq/2014-10/0101.html
http://jvn.jp/en/jp/JVN55667175/index.html
http://jvndb.jvn.jp/jvndb/JVNDB-2014-000126
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10673
http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html
http://linux.oracle.com/errata/ELSA-2014-1293.html
http://linux.oracle.com/errata/ELSA-2014-1294.html
http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00028.html
http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00029.html
http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00034.html
http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00037.html
http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00040.html
http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00044.html
http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00049.html
http://lists.opensuse.org/opensuse-security-announce/2014-10/msg00004.html
http://lists.opensuse.org/opensuse-updates/2014-10/msg00023.html
http://lists.opensuse.org/opensuse-updates/2014-10/msg00025.html
http://marc.info/?l=bugtraq&m=141216207813411&w=2
http://marc.info/?l=bugtraq&m=141216668515282&w=2
http://marc.info/?l=bugtraq&m=141235957116749&w=2
http://marc.info/?l=bugtraq&m=141319209015420&w=2
http://marc.info/?l=bugtraq&m=141330425327438&w=2
http://marc.info/?l=bugtraq&m=141330468527613&w=2
http://marc.info/?l=bugtraq&m=141345648114150&w=2
http://marc.info/?l=bugtraq&m=141383026420882&w=2
http://marc.info/?l=bugtraq&m=141383081521087&w=2
http://marc.info/?l=bugtraq&m=141383138121313&w=2
http://marc.info/?l=bugtraq&m=141383196021590&w=2
http://marc.info/?l=bugtraq&m=141383244821813&w=2
http://marc.info/?l=bugtraq&m=141383304022067&w=2
http://marc.info/?l=bugtraq&m=141383353622268&w=2
http://marc.info/?l=bugtraq&m=141383465822787&w=2
http://marc.info/?l=bugtraq&m=141450491804793&w=2
http://marc.info/?l=bugtraq&m=141576728022234&w=2
http://marc.info/?l=bugtraq&m=141577137423233&w=2
http://marc.info/?l=bugtraq&m=141577241923505&w=2
http://marc.info/?l=bugtraq&m=141577297623641&w=2
http://marc.info/?l=bugtraq&m=141585637922673&w=2
http://marc.info/?l=bugtraq&m=141694386919794&w=2
http://marc.info/?l=bugtraq&m=141879528318582&w=2
http://marc.info/?l=bugtraq&m=142113462216480&w=2
http://marc.info/?l=bugtraq&m=142118135300698&w=2
http://marc.info/?l=bugtraq&m=142358026505815&w=2
http://marc.info/?l=bugtraq&m=142358078406056&w=2
http://marc.info/?l=bugtraq&m=142546741516006&w=2
http://marc.info/?l=bugtraq&m=142719845423222&w=2
http://marc.info/?l=bugtraq&m=142721162228379&w=2
http://marc.info/?l=bugtraq&m=142805027510172&w=2
http://packetstormsecurity.com/files/128517/VMware-Security-Advisory-2014-0010.html
http://packetstormsecurity.com/files/128567/CA-Technologies-GNU-Bash-Shellshock.html
http://packetstormsecurity.com/files/128573/Apache-mod_cgi-Remote-Command-Execution.html
http://packetstormsecurity.com/files/137376/IPFire-Bash-Environment-Variable-Injection-Shellshock.html
http://rhn.redhat.com/errata/RHSA-2014-1293.html
http://rhn.redhat.com/errata/RHSA-2014-1294.html
http://rhn.redhat.com/errata/RHSA-2014-1295.html
http://rhn.redhat.com/errata/RHSA-2014-1354.html
http://seclists.org/fulldisclosure/2014/Oct/0
http://secunia.com/advisories/59272
http://secunia.com/advisories/61542
http://secunia.com/advisories/61547
http://secunia.com/advisories/62228
http://support.apple.com/kb/HT6495
http://support.novell.com/security/cve/CVE-2014-6271.html
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
http://www-01.ibm.com/support/docview.wss?uid=isg3T1021272
http://www-01.ibm.com/support/docview.wss?uid=isg3T1021279
http://www-01.ibm.com/support/docview.wss?uid=isg3T1021361
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004879
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004897
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004898
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004915
http://www-01.ibm.com/support/docview.wss?uid=swg21685541
http://www-01.ibm.com/support/docview.wss?uid=swg21685604
http://www-01.ibm.com/support/docview.wss?uid=swg21685733
http://www-01.ibm.com/support/docview.wss?uid=swg21685749
http://www-01.ibm.com/support/docview.wss?uid=swg21685914
http://www-01.ibm.com/support/docview.wss?uid=swg21686084
http://www-01.ibm.com/support/docview.wss?uid=swg21686131
http://www-01.ibm.com/support/docview.wss?uid=swg21686246
http://www-01.ibm.com/support/docview.wss?uid=swg21686445
http://www-01.ibm.com/support/docview.wss?uid=swg21686447
http://www-01.ibm.com/support/docview.wss?uid=swg21686479
http://www-01.ibm.com/support/docview.wss?uid=swg21686494
http://www-01.ibm.com/support/docview.wss?uid=swg21687079
http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5096315
http://www.debian.org/security/2014/dsa-3032
http://www.kb.cert.org/vuls/id/252743
http://www.mandriva.com/security/advisories?name=MDVSA-2015:164
http://www.novell.com/support/kb/doc.php?id=7015701
http://www.novell.com/support/kb/doc.php?id=7015721
http://www.oracle.com/technetwork/topics/security/bashcve-2014-7169-2317675.html
http://www.qnap.com/i/en/support/con_show.php?cid=61
http://www.securityfocus.com/archive/1/533593/100/0/threaded
http://www.securityfocus.com/bid/70103
http://www.ubuntu.com/usn/USN-2362-1
http://www.us-cert.gov/ncas/alerts/TA14-268A
http://www.vmware.com/security/advisories/VMSA-2014-0010.html
http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0
https://access.redhat.com/articles/1200223
https://access.redhat.com/node/1200223
https://bugzilla.redhat.com/show_bug.cgi?id=1141597
https://help.ecostruxureit.com/display/public/UADCO8x/StruxureWare+Data+Center+Operation+Software+Vulnerability+Fixes
https://kb.bluecoat.com/index?page=content&id=SA82
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10648
https://kc.mcafee.com/corporate/index?page=content&id=SB10085
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
https://support.apple.com/kb/HT6535
https://support.citrix.com/article/CTX200217
https://support.citrix.com/article/CTX200223
https://support.f5.com/kb/en-us/solutions/public/15000/600/sol15629.html
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c04497075
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c04518183
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk102673&src=securityAlerts
https://www.exploit-db.com/exploits/34879/
https://www.exploit-db.com/exploits/37816/
https://www.exploit-db.com/exploits/38849/
https://www.exploit-db.com/exploits/39918/
https://www.exploit-db.com/exploits/40619/
https://www.exploit-db.com/exploits/40938/
https://www.exploit-db.com/exploits/42938/
https://www.suse.com/support/shellshock/

Related CVE
CVE-2018-12886
stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack ...
CVE-2019-5953
Buffer overflow in GNU Wget 1.20.1 and earlier allows remote attackers to cause a denial-of-service (DoS) or may execute an arbitrary code via unspecified vectors.
CVE-2019-11640
An issue was discovered in GNU recutils 1.8. There is a heap-based buffer overflow in the function rec_fex_parse_str_simple at rec-fex.c in librec.a.
CVE-2019-11639
An issue was discovered in GNU recutils 1.8. There is a stack-based buffer overflow in the function rec_type_check_enum at rec-types.c in librec.a.
CVE-2019-11638
An issue was discovered in GNU recutils 1.8. There is a NULL pointer dereference in the function rec_field_name_equal_p at rec-field-name.c in librec.a, leading to a crash.
CVE-2019-11637
An issue was discovered in GNU recutils 1.8. There is a NULL pointer dereference in the function rec_rset_get_props at rec-rset.c in librec.a, leading to a crash.
CVE-2006-7254
The nscd daemon in the GNU C Library (glibc) before version 2.5 does not close incoming client sockets if they cannot be handled by the daemon, allowing local users to carry out a denial of service attack on the daemon.
CVE-2005-3590
The getgrouplist function in the GNU C library (glibc) before version 2.3.5, when invoked with a zero argument, writes to the passed pointer even if the specified array size is zero, leading to a buffer overflow and potentially allowing attackers to ...

Copyright 2019, cxsecurity.com

 

Back to Top