TA14-268A: GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271,CVE-2014-7169)

["US-CERT" <US-CERT () ncas us-cert gov>]

NCCIC / US-CERT

National Cyber Awareness System:

TA14-268A: GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271,CVE-2014-7169) [ 
https://www.us-cert.gov/ncas/alerts/TA14-268A ] 09/25/2014 12:56 PM EDT 
Original release date: September 25, 2014

Systems Affected

  * GNU Bash through 4.3. 
  * Linux, BSD, and UNIX distributions including but not limited to: 
  * CentOS [ http://lists.centos.org/pipermail/centos/2014-September/146099.html ] 5 through 7 
  * Debian [ https://lists.debian.org/debian-security-announce/2014/msg00220.html ] 
  * Mac OS X 
  * Red Hat Enterprise Linux 4 through 7 
  * Ubuntu [ http://www.ubuntu.com/usn/usn-2362-1/ ] 10.04 LTS, 12.04 LTS, and 14.04 LTS 

Overview

A critical vulnerability has been reported in the GNU Bourne Again Shell (Bash), the common command-line shell used in 
most Linux/UNIX operating systems and Apple’s Mac OS X. The flaw could allow an attacker to remotely execute shell 
commands by attaching malicious code in environment variables used by the operating system [1] [ 
http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/ ]. The 
United States Department of Homeland Security (DHS) is releasing this Technical Alert to provide further information 
about the GNU Bash vulnerability.

Description

GNU Bash versions 1.14 through 4.3 contain a flaw that processes commands placed after function definitions in the 
added environment variable, allowing remote attackers to execute arbitrary code via a crafted environment which enables 
network-based exploitation. [2 [ http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271 ], 3 [ 
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169 ]]

Critical instances where the vulnerability may be exposed include: [4 [ 
https://access.redhat.com/security/cve/CVE-2014-6271 ], 5 [ 
http://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/ ]]


  * Apache HTTP Server using mod_cgi or mod_cgid scripts either written in bash, or spawn subshells. 
  * Override or Bypass ForceCommand feature in OpenSSH sshd and limited protection for some Git and Subversion 
deployments used to restrict shells and allows arbitrary command execution capabilities. 
  * Allow arbitrary commands to run on a DHCP client machine, various Daemons and SUID/privileged programs. 
  * Exploit servers and other Unix and Linux devices via Web requests, secure shell, telnet sessions, or other programs 
that use Bash to execute scripts. 

Impact

This vulnerability is classified by industry standards as “High” impact with CVSS Impact Subscore 10 and “Low” on 
complexity, which means it takes little skill to perform. This flaw allows attackers to provide specially crafted 
environment variables containing arbitrary commands that can be executed on vulnerable systems. It is especially 
dangerous because of the prevalent use of the Bash shell and its ability to be called by an application in numerous 
ways.

Solution

Patches have been released to fix this vulnerability by major Linux vendors for affected versions. Solutions for 
CVE-2014-6271 do not completely resolve the vulnerability. It is advised to install existing patches and pay attention 
for updated patches to address CVE-2014-7169.

Many UNIX-like operating systems, including Linux distributions, BSD variants, and Apple Mac OS X include Bash and are 
likely to be affected. Contact your vendor for updated information. A list of vendors can be found in CERT 
Vulnerability Note VU#252743 [ http://www.kb.cert.org/vuls/id/252743 ] [6] [ http://www.kb.cert.org/vuls/id/252743 ].

US-CERT recommends system administrators review the vendor patches and the NIST Vulnerability Summary for CVE-2014-7169 
[ http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169 ], to mitigate damage caused by the exploit.

References

  * Ars Technica, Bug in Bash shell creates big security hole on anything with *nix in it;  [ 
http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/ ] 
  * DHS NCSD; Vulnerability Summary for CVE-2014-6271 [ http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271 ] 
  * DHS NCSD; Vulnerability Summary for CVE-2014-7169 [ http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169 ] 
  * Red Hat, CVE-2014-6271  [ https://access.redhat.com/security/cve/CVE-2014-6271 ] 
  * Red Hat, Bash specially-crafted environment variables code injection attack [ 
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/ ] 
  * CERT Vulnerability Note VU#252743 [ http://www.kb.cert.org/vuls/id/252743 ] 

Revision History

  * September 25, 2014 - Initial Release 
________________________________________________________________________

This product is provided subject to this Notification [ http://www.us-cert.gov/privacy/notification ] and this Privacy 
& Use [ http://www.us-cert.gov/privacy/ ] policy.

________________________________________________________________________

OTHER RESOURCES: Contact Us [ http://www.us-cert.gov/contact-us/ ] | Security Publications [ 
http://www.us-cert.gov/security-publications ] | Alerts and Tips [ http://www.us-cert.gov/ncas ] | Related Resources [ 
http://www.us-cert.gov/related-resources ] 

STAY CONNECTED: Sign up for email updates [ http://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/new ]