Overview
GNU Bash 4.3 and earlier contains a command injection vulnerability that may allow remote code execution.
Description
UPDATE: New CVE-IDs added for incomplete patches. Additional resources added and vendor patch information updated.
CWE-78: OS Command Injection
Impact
A malicious attacker may be able to execute arbitrary code at the privilege level of the calling application.
Solution
Apply an Update
Vendor Information
Many UNIX-like operating systems, including Linux distributions and Apple Mac OS X, include Bash and are likely to be vulnerable. Contact your vendor for information about updates or patches. This Red Hat support article and blog post describe ways that Bash can be called from other programs, including network vectors such as CGI, SSH, and DHCP. Shell Shock Exploitation Vectors describes other ways this vulnerability could be exploited.
Apple Inc. Affected
Notified: September 25, 2014 Updated: October 01, 2014
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
Avaya, Inc. Affected
Notified: September 25, 2014 Updated: September 29, 2014
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
See the following URL for more information from the vendor.
Vendor References
Addendum
The Avaya Communications Server (CS) 1000 Rls 6 has been reported to be vulnerable.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Barracuda Networks Affected
Notified: September 25, 2014 Updated: September 27, 2014
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
Blue Coat Systems Affected
Notified: September 25, 2014 Updated: September 27, 2014
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
CentOS Affected
Updated: September 27, 2014
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
Check Point Software Technologies Affected
Notified: September 25, 2014 Updated: September 27, 2014
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
Cisco Systems, Inc. Affected
Notified: September 25, 2014 Updated: September 26, 2014
Statement Date: September 26, 2014
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
Cygwin Affected
Updated: September 26, 2014
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Addendum
https://cygwin.com/ml/cygwin-announce/2014-09/msg00033.html
D-Link Systems, Inc. Affected
Notified: September 25, 2014 Updated: October 07, 2014
Status
Affected
Vendor Statement
All D-Link Devices and Software have been cleared and are not affected by this
vulnerability. All D-Link Services have been audited for the use of bash shell
implementations. Based on the results of the audit we have applied appropriate
updates, if needed, to close this potential vulnerability. D-Link continues
to monitor CERT in case further issues are reported about the Bash Shell.
(Edited: 10/06/2014 15:52 PST)
Vendor Information
Please contact at: security@dlink.com
Vendor References
Debian GNU/Linux Affected
Notified: September 25, 2014 Updated: September 27, 2014
Statement Date: September 25, 2014
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
Dell Computer Corporation, Inc. Affected
Updated: September 27, 2014
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
Addendum
Dell KACE systems use Bash.
Extreme Networks Affected
Notified: September 25, 2014 Updated: October 01, 2014
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
F5 Networks, Inc. Affected
Notified: September 25, 2014 Updated: September 26, 2014
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
Fedora Project Affected
Notified: September 25, 2014 Updated: September 27, 2014
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
FireEye Affected
Updated: October 02, 2014
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
Fortinet, Inc. Affected
Notified: September 25, 2014 Updated: September 26, 2014
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
GNU Bash Affected
Updated: September 25, 2014
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
Gentoo Linux Affected
Notified: September 25, 2014 Updated: September 27, 2014
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
Hewlett-Packard Company Affected
Notified: September 25, 2014 Updated: September 29, 2014
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
See the following URL for more information from the vendor.
Vendor References
IBM Corporation Affected
Notified: September 25, 2014 Updated: September 27, 2014
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
- http://www-01.ibm.com/support/docview.wss?uid=isg3T1021272
- http://www-01.ibm.com/support/docview.wss?uid=swg21685433&myns=swgws&mynp=OCSSEQTP&mynp=OCSSEQTJ&mync=E
Addendum
AIX Toolbox for Linux Applications provides Bash and is vulnerable. IBM HTTP Server (IHS) is based on Apache and may act as an attack vector, depending on configuration.
Juniper Networks, Inc. Affected
Notified: September 25, 2014 Updated: September 25, 2014
Statement Date: September 25, 2014
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
Mageia Affected
Updated: September 27, 2014
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
McAfee Affected
Notified: September 25, 2014 Updated: October 07, 2014
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
Monroe Electronics Affected
Updated: October 02, 2014
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
- http://www.digitalalertsystems.com/registration_updates.html
- http://www.digitalalertsystems.com/download/dasdec-aux_app_upgrade-2.5-1.i386.drpm
- http://www.digitalalertsystems.com/download/dasdec_fc10-aux_app_upgrade-2.5-1.i386.drpm
- http://www.digitalalertsystems.com/pdf/DASDEC%20BASH%20Update%20Release%20Notes%20R1.0.pdf
- http://www.digitalalertsystems.com/pdf/DASDEC%20Software%20Update%20Instructions%2061512.pdf
- http://www.monroe-electronics.com/EAS_pages/r189se_registration.html
- http://www.monroe-electronics.com/EAS_pages/downloads/dasdec-aux_app_upgrade-2.5-1.i386.drpm
- http://www.monroe-electronics.com/EAS_pages/downloads/dasdec_fc10-aux_app_upgrade-2.5-1.i386.drpm
- http://www.monroe-electronics.com/EAS_pages/pdf/One-Net%20BASH%20Update%20Release%20Notes%20R1.0.pdf
- http://www.monroe-electronics.com/EAS_pages/pdf/One-Net%20Software%20Update%20Instructions%2061512.pdf
Addendum
DASDEC-1EN running software version 2.0-2 reported to be vulnerable: http://seclists.org/fulldisclosure/2014/Sep/107.
NEC Corporation Affected
Notified: September 25, 2014 Updated: October 07, 2014
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
NIKSUN Affected
Notified: November 10, 2014 Updated: November 11, 2014
Status
Affected
Vendor Statement
Information contained below is subject to change due to the evolving nature of
CVE-reported information & available fixes.
"ShellShock" CVE-2014-6271 & CVE-2014-7169 are now resolved in software patches
made available via NIKSUN SupportNet. NIKSUN has now produced software updates
for all supported product lines. We continue to observe activity on the NSON
(NIKSUN Security Observation Network) to produce current threat detections –
more signatures may be released as we continuously observe behavior globally.
Current signatures should be downloaded & installed, available via SupportNet,
to get the most out of your NIKSUN security products.
The BASH component defect affecting the community-at-large is serious, but
unlike the Heartbleed defect, which generically affected many publicly
available products in exactly the same way, Shellshock requires a specific set
of conditions to exist for exploitation.
NIKSUN is both a contributor to the open source community as well as a consumer
and is leveraging those relationships to bring this issue to a satisfactory
close.
"ShellShock" CVE-2014-6271 & CVE-2014-7169 are now resolved in software patches
made available via NIKSUN SupportNet. NIKSUN has now produced software updates
for all supported product lines, with additional work in progress on breaking
CVEs related to ShellShock exposed in the last few days – software currently
in a quality assurance cycle will become available this week for remaining CVEs
associated with ShellShock now that the global community has agreed on a
sustainable, supportable fix. We continue to observe activity on the NSON
(NIKSUN Security Observation Network) to produce current threat detections with
more signatures released as we continuously observe behavior globally. Current
signatures should be downloaded & installed, available via SupportNet, to get
the most out of your NIKSUN security products.
NIKSUN is committed to providing a rapid resolution to this issue while
ensuring quality, stability & completeness of a fix.
The list below is not a fully comprehensive version list
NIKOS Appliance 4.3.2.0
NIKOS Appliance 4.3.1.2
NIKOS Appliance 4.4.1.1
NIKOS Appliance 4.4.1.2
NIKOS Appliance 4.5.0.0_9
NIKOS Appliance 4.5.0.1
NetOmni 4.3.1.2
NetOmni 4.3.2.0
NetOmni 4.4.1.1
NetOmni 4.4.1.2
NetOmni 4.5.0.0
NetOmni 4.5.0.1
NetOmni 4.5.1.0
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
NetApp Affected
Updated: September 29, 2014
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
See the following URL for more information from the vendor
Vendor References
Novell, Inc. Affected
Notified: September 25, 2014 Updated: September 27, 2014
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
Oracle Corporation Affected
Notified: September 25, 2014 Updated: September 29, 2014
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
- https://oss.oracle.com/pipermail/el-errata/2014-September/004485.html
- http://www.oracle.com/technetwork/topics/security/alert-cve-2014-7169-2303276.html
Addendum
Solaris includes Bash and Oracle Linux is based on Red Hat Linux.
Palo Alto Networks Affected
Notified: September 25, 2014 Updated: September 29, 2014
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
Addendum
See PAN-SA-2012-000{2,3,4,5}. Please use CVE.
QNAP Security Affected
Updated: April 14, 2015
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
Red Hat, Inc. Affected
Notified: September 25, 2014 Updated: September 25, 2014
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
SUSE Linux Affected
Notified: September 25, 2014 Updated: September 29, 2014
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
Slackware Linux Inc. Affected
Notified: September 25, 2014 Updated: September 25, 2014
Statement Date: September 25, 2014
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
Sophos, Inc. Affected
Updated: September 27, 2014
Status
Affected
Vendor Statement
As far as we are aware, none of Sophos's Linux or UNIX products use Bash in a way that would allow this vulnerability to be exploited with data supplied by an attacker from outside.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
Trend Micro Affected
Updated: September 27, 2014
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
Ubuntu Affected
Notified: September 25, 2014 Updated: September 27, 2014
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
VMware Affected
Notified: September 25, 2014 Updated: September 27, 2014
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
Xirrus Affected
Updated: October 01, 2014
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
FreeBSD Project Not Affected
Notified: September 25, 2014 Updated: September 26, 2014
Statement Date: September 25, 2014
Status
Not Affected
Vendor Statement
Currently we have already patched CVE-2014-6271 and CVE-2014-7169 in the FreeBSD ports tree, making it no longer vulnerable to these two issues. We will patch the new issues once the fix is validated.
The FreeBSD base system does not use bash at all and is therefore not affected.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
Addendum
FreeBSD has disabled function importing by default in the Bash port.
Global Technology Associates, Inc. Not Affected
Notified: September 25, 2014 Updated: October 01, 2014
Status
Not Affected
Vendor Statement
GTA firewalls running any version of GB-OS are not vulnerable to the "shellshock" exploit.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Microsoft Corporation Not Affected
Notified: September 25, 2014 Updated: October 10, 2014
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
NetBSD Not Affected
Notified: September 25, 2014 Updated: September 26, 2014
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
ACCESS Unknown
Notified: September 25, 2014 Updated: September 25, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
AT&T Unknown
Notified: September 25, 2014 Updated: September 25, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Alcatel-Lucent Unknown
Notified: September 25, 2014 Updated: September 25, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Belkin, Inc. Unknown
Notified: September 25, 2014 Updated: September 25, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
CA Technologies Unknown
Notified: September 25, 2014 Updated: September 25, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Cray Inc. Unknown
Notified: September 25, 2014 Updated: September 25, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
DragonFly BSD Project Unknown
Notified: September 25, 2014 Updated: September 25, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
EMC Corporation Unknown
Notified: September 25, 2014 Updated: September 25, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Engarde Secure Linux Unknown
Notified: September 25, 2014 Updated: September 25, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Enterasys Networks Unknown
Notified: September 25, 2014 Updated: September 25, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Ericsson Unknown
Notified: September 25, 2014 Updated: September 25, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Force10 Networks, Inc. Unknown
Notified: September 25, 2014 Updated: September 25, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Foundry Networks, Inc. Unknown
Notified: September 25, 2014 Updated: September 25, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Fujitsu Unknown
Notified: September 25, 2014 Updated: September 25, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Google Unknown
Notified: September 25, 2014 Updated: September 25, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Hitachi Unknown
Notified: September 25, 2014 Updated: September 25, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
IBM Corporation (zseries) Unknown
Notified: September 25, 2014 Updated: September 25, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
IBM eServer Unknown
Notified: September 25, 2014 Updated: September 25, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Infoblox Unknown
Notified: September 25, 2014 Updated: September 25, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Intel Corporation Unknown
Notified: September 25, 2014 Updated: September 25, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Intoto Unknown
Notified: September 25, 2014 Updated: September 25, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Mandriva S. A. Unknown
Notified: September 25, 2014 Updated: September 25, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
MontaVista Software, Inc. Unknown
Notified: September 25, 2014 Updated: September 25, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Mozilla Unknown
Notified: October 27, 2014 Updated: October 27, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Nokia Unknown
Notified: September 25, 2014 Updated: September 25, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
OpenBSD Unknown
Notified: September 25, 2014 Updated: September 25, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Openwall GNU/*/Linux Unknown
Notified: September 25, 2014 Updated: September 25, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Peplink Unknown
Notified: September 25, 2014 Updated: September 25, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Q1 Labs Unknown
Notified: September 25, 2014 Updated: September 25, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
QNX Software Systems Inc. Unknown
Notified: September 25, 2014 Updated: September 25, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Quagga Unknown
Notified: September 25, 2014 Updated: September 25, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
SafeNet Unknown
Notified: September 25, 2014 Updated: September 25, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
SmoothWall Unknown
Notified: September 25, 2014 Updated: September 25, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Snort Unknown
Notified: September 25, 2014 Updated: September 25, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Sony Corporation Unknown
Notified: September 25, 2014 Updated: September 25, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Sourcefire Unknown
Notified: September 25, 2014 Updated: September 25, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Spyrus Unknown
Notified: November 19, 2014 Updated: November 19, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Stonesoft Unknown
Notified: September 25, 2014 Updated: September 25, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Symantec Unknown
Notified: September 25, 2014 Updated: September 25, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
The SCO Group Unknown
Notified: September 25, 2014 Updated: September 25, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
TippingPoint Technologies Inc. Unknown
Notified: September 25, 2014 Updated: September 25, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Turbolinux Unknown
Notified: September 25, 2014 Updated: September 25, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Unisys Unknown
Notified: September 25, 2014 Updated: September 25, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Vyatta Unknown
Notified: September 25, 2014 Updated: September 25, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Watchguard Technologies, Inc. Unknown
Notified: September 25, 2014 Updated: September 25, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Wind River Systems, Inc. Unknown
Notified: September 25, 2014 Updated: September 25, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
ZyXEL Unknown
Notified: September 25, 2014 Updated: September 25, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
eSoft, Inc. Unknown
Notified: September 25, 2014 Updated: September 25, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
m0n0wall Unknown
Notified: September 25, 2014 Updated: September 25, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
netfilter Unknown
Notified: September 25, 2014 Updated: September 25, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Temporal | 9.5 | E:H/RL:W/RC:C |
Environmental | 9.6 | CDP:LM/TD:H/CR:ND/IR:ND/AR:ND |
References
- http://seclists.org/oss-sec/2014/q3/650
- https://access.redhat.com/articles/1200223
- https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
- http://seclists.org/oss-sec/2014/q3/688
- http://seclists.org/oss-sec/2014/q3/685
- http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html
- http://lcamtuf.blogspot.com/2014/09/bash-bug-apply-unofficial-patch-now.html
- https://gist.github.com/anonymous/929d622f3b36b00c0be1
- https://www.dfranke.us/posts/2014-09-27-shell-shock-exploitation-vectors.html
- https://shellshocker.net/#
Acknowledgements
This document was written by Chris King.
Other Information
CVE IDs: CVE-2014-6271, CVE-2014-7169, CVE-2014-6277, CVE-2014-7186, CVE-2014-7187
Date Public: 2014-09-24
Date First Published: 2014-09-25
Date Last Updated: 2015-04-14 20:35 UTC
Document Revision: 56