Cisco Security

GNU Bash Environment Variable Command Injection Vulnerability

 
Threat Type: CWE-78: OS Command Injections
IntelliShield ID: 35816
Version: 25
First Published: 2014 September 24 16:09 GMT
Last Published: 2015 March 24 17:05 GMT
Port: Not available
CVE: CVE-2014-6271
BugTraq ID: 70103
Urgency: Probable Use
Credibility: Confirmed
Severity: Moderate Damage
CVSS Base: 10.0 (CVSS Version 2.0)
CVSS Temporal: 8.6
Related Resources:

Version Summary: HP has released an additional security bulletin and updated software to address the GNU Bash environment variable command injection vulnerability.
 
 
Description
A vulnerability in GNU Bash could allow an unauthenticated, remote attacker to inject arbitrary commands.

The vulnerability is due to improper processing of environment variables by the affected software. An unauthenticated, remote attacker could exploit this vulnerability by submitting malicious environment variable values to an application using Bash. Processing the values could allow the attacker to inject arbitrary commands on the system that would run in the security context of the targeted application.

Functional code that exploits this vulnerability is available as part of the Metasploit framework.

GNU has confirmed the vulnerability and released software patches.
 
Warning Indicators
GNU Bash versions 4.3 and prior are affected.
 
IntelliShield Analysis
Depending on system configuration and where the bash shell is enabled or in use, network exploit vectors may exist, including services that may accept input over HTTP for use with commands executed by the bash shell. This vulnerability could be used to propagate worms throughout a targeted network, and worm activity may increase on the Internet due to this vulnerability.

Multiple instances of exploitation have been reported in the wild. Administrators are advised to put effective mitigations into place immediately.

The software patches that mitigate this vulnerability are incomplete. CVE-2014-7169 has been identified to address the incomplete fix as documented in IntelliShield Alert 35845.
 
Vendor Announcements
GNU has released patch reports at the following links: bash30-017, bash31-018, bash32-052, bash40-039, bash41-012, bash42-048, and bash43-025

Apple has released a security advisory at the following link: HT6495

Blue Coat has released a security advisory at the following link: SA82

Cisco has released a security advisory at the following link: cisco-sa-20140926-bash

FreeBSD has released a VuXML document at the following link: bash -- remote code execution vulnerability

HP has released security bulletins c04462737, c04475347, c04475942, c04471538, c04488200, c04479974, c04477872, c04540692, c04561445 and c04599191 at the following links: HPSBNS03111, HPSBMU03133 SSRT101733, HPSBGN03138 SSRT101755, HPSBHF03125 SSRT101724, HPSBST03157 SSRT101718, HPSBST03148 SSRT101749, HPSBST03131 SSRT101749, HPSBGN03233 SSRT101868, HPSBGN03250 SSRT101867 and HPSBST03196 SSRT101816

IBM has released security bulletins at the following links: T1021272 and N1020272

Juniper has released a security bulletin at the following link: JSA10648

MontaVista Software has released a changelog for registered users on January 14, 2015, at the following link: MontaVista Security Fixes

Oracle has re-released a security advisory at the following link: Multiple vulnerabilities in Bash

Red Hat has released an official CVE statement and security advisories for bug 1141597 at the following links: CVE-2014-6271, RHSA-2014:1293, RHSA-2014:1294, RHSA-2014:1295, and RHSA-2014:1354

US-CERT has released a vulnerability note at the following link: VU#252743

VMware has re-released a security advisory at the following link: VMSA-2014-0010.13
 
Impact
An unauthenticated, remote attacker could exploit this vulnerability to inject and execute arbitrary commands on a targeted system. A successful exploit could result in a complete system compromise.
 
Technical Information
The vulnerability is due to improper processing of environment variables by the affected software. Bash will continue to parse and execute shell commands after processing the function definition in the values of environment variables.

An unauthenticated, remote attacker could exploit this vulnerability by submitting malicious function definitions in the values of environment variables to an application using Bash. Processing the values could give the attacker the ability to inject arbitrary commands on the system that would run in the security context of the targeted application.
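The behaviour described above can be verified on a host before and after patching. The following script is an added example, not part of the Cisco alert; it wraps the widely published patch-verification probe in which a benign exported variable holds a no-op function definition followed by a trailing command. On an unpatched bash the trailing command runs during shell start-up, so the marker word appears in the output; a fixed bash either ignores the trailing text or, in current versions, ignores the plain variable altogether because functions are only imported from specially named variables. The function names and the marker word are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of the Cisco alert): check whether the local bash
# still keeps parsing and executing shell commands after the function
# definition carried in an ordinary environment variable (CVE-2014-6271).
#
# Mechanism under test: pre-fix bash treats any imported variable whose value
# starts with "() {" as a function definition and does not stop at the closing
# brace, so the trailing "echo vulnerable" runs at start-up, before the -c command.

# Prints one of: patched | vulnerable | no-bash
bash_env_function_check() {
    if ! command -v bash >/dev/null 2>&1; then
        echo no-bash
        return 0
    fi
    # Benign probe value: the function body is a no-op (:) and the trailing
    # command only prints a marker word. Stderr is captured as well, because
    # the earliest fixed versions print a warning there instead of the marker.
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe-ran' 2>&1 || true)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Prints "imported" if a plain variable starting with "() {" still becomes a
# shell function, "ignored" otherwise. Bash builds from late 2014 onward import
# functions only from BASH_FUNC_-prefixed variables, so they report "ignored";
# the very first patch levels still import the function but no longer run the
# trailing text, so "imported" on its own does not mean "vulnerable".
bash_env_function_imported() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    if env x='() { :;}' bash -c 'type x' >/dev/null 2>&1; then
        echo imported
    else
        echo ignored
    fi
}

# Stand-alone use: print both results, one per line.
printf 'CVE-2014-6271 trailing-command probe: %s\n' "$(bash_env_function_check)"
printf 'plain-variable function import:       %s\n' "$(bash_env_function_imported)"
```

Run it as an ordinary user on each host in the affected product list; a result of "vulnerable" means the bash43-025 (or corresponding) patch level is not yet installed, and the alert's note on CVE-2014-7169 means a "patched" result should still be followed by the vendor's later update.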
 
Safeguards
Administrators are advised to apply the appropriate updates.

Administrators are advised to implement an intrusion prevention system (IPS) or intrusion detection system (IDS) to help detect and prevent attacks that attempt to exploit this vulnerability.

The Cisco Applied Intelligence team has created the following companion document to guide administrators in identifying and mitigating attempts to exploit this vulnerability prior to applying updated software: Identifying and Mitigating Exploitation of the GNU Bash Environment Variable Command Injection Vulnerability

Administrators are advised to monitor affected systems.
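Monitoring for exploitation attempts does not need a full IDS to get started: the function-definition marker "() {" has to be present in the delivered value for the defect to trigger, so it can be searched for in web-server logs of hosts that hand HTTP headers to Bash-backed CGI scripts, the network vector the analysis section describes. The script below is an added example written for this page, not the Cisco companion document's method; the log lines are constructed samples in Apache combined-log format using RFC 5737 test addresses, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Cisco alert or its companion document): sweep
# web-server access logs for the "() {" marker that a function definition
# carries when it arrives in an HTTP header. Matches are review candidates
# alongside the IPS signature hits and the patch roll-out.

# Constructed sample lines (not real traffic). The two 203.0.113.5 lines carry
# the marker in the User-Agent and Referer fields; the others are ordinary.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.5 - - [25/Sep/2014:10:01:12 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
198.51.100.7 - - [25/Sep/2014:10:01:15 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2014:10:02:40 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() {:;}; echo probe" "curl/7.30.0"
192.0.2.9 - - [25/Sep/2014:10:03:01 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (compatible; Example/1.0)"
EOF
)

# The marker: "()" followed by optional whitespace and "{". Matching the
# prefix rather than any particular trailing command catches variants that
# change the command but must keep the function-definition prefix to work.
MARKER='\(\)[[:space:]]*\{'

# Prints the log lines that carry the marker (reads file $1, or stdin if omitted).
find_bash_function_markers() {
    if [ -n "${1:-}" ]; then
        grep -E "$MARKER" "$1" || true
    else
        grep -E "$MARKER" || true
    fi
}

# Prints the number of matching lines in the constructed sample.
count_sample_markers() {
    printf '%s\n' "$SAMPLE_LOG" | find_bash_function_markers | wc -l | tr -d ' '
}

# Prints the distinct source addresses that sent the marker, for triage.
sample_marker_sources() {
    printf '%s\n' "$SAMPLE_LOG" | find_bash_function_markers | awk '{print $1}' | sort -u
}

# Stand-alone use: summary for the sample, then the full matching lines.
printf 'matching lines: %s\n' "$(count_sample_markers)"
printf 'sources: %s\n' "$(sample_marker_sources | tr '\n' ' ')"
printf '%s\n' "$SAMPLE_LOG" | find_bash_function_markers
```

Against a real log, call find_bash_function_markers with the file path (for example /var/log/apache2/access.log) or pipe the log into it. Note that only lines whose header values the server actually logs are visible this way; headers that are not logged, such as Cookie or custom headers, need the IDS/IPS signatures listed below or full request capture.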
 
Patches/Software
The vendor has released patches at the following links:

Apple has released updated software at the following links:

OS X bash Update 1.0
OS X Lion
OS X Mountain Lion
OS X Mavericks

Blue Coat customers are advised to obtain software upgrades in accordance with the vendor advisory.

CentOS packages can be updated using the up2date or yum command.

FreeBSD releases ports collection updates at the following link: Ports Collection Index.

HP has released updated software for customers as described in the "Resolution" section of the security bulletin.

HP has released updated software for registered users at the following links:

IBM customers are advised to follow the remediation steps in the security bulletins to mitigate this vulnerability or apply the appropriate fixes from the following links:

Juniper customers are advised to obtain the software upgrades mentioned in the vendor advisory.

MontaVista Software has released updated software for registered users at the following links:

Oracle has released patches for registered users at the following links:

Red Hat has released updated software for registered subscribers at the following link: Red Hat Network. Red Hat packages can be updated on Red Hat Enterprise Linux versions 5 and later using the yum tool.

VMware has released updated software at the following links:

Signatures

Cisco Intrusion Prevention System (IPS) 6.0

Signature ID   Signature Name                                Release   Latest Release Date
4689/0         Bash Environment Variable Command Injection   S825      2014 Oct 02
4689/1         Bash Environment Variable Command Injection   S825      2014 Oct 02
4689/2         Bash Environment Variable Command Injection   S825      2014 Oct 02
4689/3         Bash Environment Variable Command Injection   S825      2014 Oct 02
 
Alert History
 

Version 24, February 4, 2015, 11:43 AM: HP has released an additional security bulletin and updated software to address the GNU Bash environment variable command injection vulnerability.

Version 23, January 26, 2015, 12:44 PM: MontaVista Software has released a security alert and updated software to address the GNU Bash environment variable command injection vulnerability.

Version 22, January 15, 2015, 9:52 AM: HP has released additional security bulletins to address the GNU Bash environment variable command injection vulnerability.

Version 21, December 1, 2014, 10:20 AM: HP has released additional security bulletins to address the GNU Bash environment variable command injection vulnerability.

Version 20, November 3, 2014, 7:46 AM: Oracle has re-released a security advisory and updated software to address the GNU Bash environment variable command injection vulnerability.

Version 19, October 27, 2014, 3:02 PM: HP has released an additional security bulletin to address the GNU Bash environment variable command injection vulnerability.

Version 18, October 21, 2014, 9:27 AM: VMware has re-released a security advisory and updated software to address the GNU Bash environment variable command injection vulnerability.

Version 17, October 17, 2014, 9:34 AM: HP has released an additional security bulletin and updated software to address the GNU Bash environment variable command injection vulnerability.

Version 16, October 14, 2014, 11:01 AM: HP has released an additional security bulletin and updated software to address the GNU Bash environment variable command injection vulnerability.

Version 15, October 13, 2014, 11:19 AM: HP has released an additional security bulletin and updated software to address the GNU Bash environment variable command injection vulnerability.

Version 14, October 8, 2014, 8:19 AM: Oracle has released a security advisory and patches to address the GNU Bash environment variable command injection vulnerability.

Version 13, October 6, 2014, 11:06 AM: IBM has released an additional security bulletin and fixes to address the GNU Bash environment variable command injection vulnerability.

Version 12, October 3, 2014, 8:43 AM: Red Hat has released an additional security advisory and updated packages to address the GNU Bash environment variable command injection vulnerability.

Version 11, October 2, 2014, 10:23 AM: VMware has re-released a security advisory and updated software to address the GNU Bash environment variable command injection vulnerability.

Version 10, October 1, 2014, 1:06 PM: VMware has released a security advisory and updated software to address the GNU Bash environment variable command injection vulnerability.

Version 9, September 30, 2014, 2:39 PM: IBM has re-released a security bulletin and updated software to address the GNU Bash environment variable command injection vulnerability.

Version 8, September 30, 2014, 11:11 AM: Apple has released a security advisory and updated software to address the GNU Bash environment variable command injection vulnerability.

Version 7, September 30, 2014, 8:53 AM: HP, IBM, and US-CERT have released security bulletins and software updates to address the GNU Bash environment variable command injection vulnerability. Juniper has also released software updates to address this vulnerability.

Version 6, September 29, 2014, 4:04 PM: Based on reports of increasing exploitation, Cisco IntelliShield has increased the urgency score related to the GNU Bash environment variable command injection vulnerability.

Version 5, September 26, 2014, 4:35 PM: Cisco has released a security advisory and an applied mitigation bulletin to address the GNU Bash environment variable command injection vulnerability.

Version 4, September 26, 2014, 7:12 AM: Juniper Networks and Bluecoat have released a security bulletin and updated software to address the GNU Bash environment variable command injection vulnerability.

Version 3, September 25, 2014, 12:53 PM: Functional exploit code that demonstrates an exploit of the GNU Bash environment variable command injection vulnerability is publicly available.

Version 2, September 25, 2014, 8:33 AM: Red Hat has released security advisories and updated packages to address the GNU Bash environment variable command injection vulnerability. CentOS and FreeBSD have also released updates to address this vulnerability.

Version 1, September 24, 2014, 12:09 PM: GNU Bash contains a vulnerability that could allow an unauthenticated, remote attacker to inject arbitrary commands. Software updates are available.


Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
GNU Public License: BASH 3.0 Base, .16 | 3.1 Base | 3.2 Base | 4.0 Base | 4.1 Base | 4.2 Base, patch 1, patch 2, patch 3, patch 4, patch 5, patch 6, patch 7, patch 8, patch 9, patch 10, patch 11, patch 12, patch 13, patch 14, patch 15, patch 16, patch 17, patch 18, patch 19, patch 20, patch 21, patch 22, patch 23, patch 24, patch 25, patch 26, patch 27, patch 28, patch 29, patch 30, patch 31, patch 32 | 4.3 Base

Associated Products:
Apple: Mac OS X 10.7.5 Base | 10.8.5 Base | 10.9.5 Base
Apple: Mac OS X Server 10.7.5 Base
Blue Coat Systems, Inc.: Content Analysis System 1.1 Base, .1.1, .2.1, .3.1, .4.1, .5.1
Blue Coat Systems, Inc.: Director (SGME) 5.5 Base | 6.1 Base
Blue Coat Systems, Inc.: Malware Analysis Appliance 1.1 Base, .1
Blue Coat Systems, Inc.: Reporter 9.4 Base
Blue Coat Systems, Inc.: Security Analytics Platform 6.0 Base | 7.0 Base
CentOS Project: CentOS 5 .0 i386, .0 x86_64, .1 i386, .1 x86_64, .2 i386, .2 x86_64, .3 i386, .3 x86_64, .4 i386, .4 x86_64, .5 i386, .5 x86_64 | 6 .0 i386, .0 x86_64, .1 i386, .1 x86_64, .2 i386, .2 x86_64 | 7 x86_64
Cisco: Cisco Application Policy Infrastructure Controller (APIC) 1.0(1h) Base
Cisco: Cisco ACE 4700 Series Application Control Engine Appliances A5 3.0
Cisco: Cisco Edge 300 Series 1.0 Base, (5), (5.1) | 1.1 Base | 1.2 Base | 1.3 Base | 1.5 Base, (1) | 1.6 Base
Cisco: Cisco NX-OS Software for Nexus 9000 Series 6.1(2)I2(2b), 11.0(1b), 11.0(1c)
Cisco: Cisco Secure Access Control Server Solution Engine (ACSE) 5.5 (0.46.10)
Cisco: Cisco Unified Communications Manager 9.1(2.13058.1) Base
Cisco: Cisco Wide Area Application Services (WAAS) 4.0 Base, .7, .7.46, .9, .9.10, .11.34, .13.23, .17.14, .19.14, .23, .25, .27 | 4.1 .1, .1a, .1b, .1c, .1d, .1e, .3, .3a, .3b, .5a, .5b, .5c, .5d, .5e, .5g, .5f, .7, .7a, .7b, .7c | 4.2 Base, (1), (3a), (3c) | 4.3 .1, .3, .5, .5a | 4.4 .1, .3, .3a, .3b, .3c, .5, .5a, .5b, .5c, .5d, .7, .7a | 5.0 Base, .1, .3, .3a, .3c, .3d, .3e, .3g | 5.1 Base, .1, .1a, .1b, .1c, .1d, .1e, .1f, .1g | 5.2 Base, .1 | 5.3 .1, .3, .5, .5a, .5b | 5.4 .1, .1a
Cisco: Cisco Wireless LAN Controller (WLC) 7.4 .121.0 | 7.6 .130.0 | 8.0 .100
Cisco: Intrusion Prevention System (IPS) 7.0 (7)E4
Cisco: IOS 15.4S 15.4(1)S
Cisco: Cisco MDS 9000 NX-OS Software 5.2 (8d) | 6.2 (7)
Cisco: Cisco Identity Services Engine Software 1.2 (0.747)
Cisco: Cisco Unified Computing System (Managed) 2.2 (2c)A
Cisco: Cisco ASA CX Context-Aware Security Software 9.3 (1.1.112)
Cisco: Cisco Unified Computing System (Standalone) 2.2 (2c)A
Cisco: Cisco TelePresence System Software 7.2 Base
Cisco: Cisco Unified Intelligence Center 10.0 (5)
FreeBSD Project: FreeBSD 7.3 Base | 7.4 Base | 8.0 Base | 8.1 Base | 8.2 Base | 8.3 Base | 8.4 Base | 9.0 Base | 9.1 Base | 9.2 Base | 9.3 Base | 10.0 Base
HP: HP CloudSystem Enterprise 8.0 Base, .1, .2 | 8.1 Base, .1
HP: HP CloudSystem Foundation 8.0 Base, .1, .2 | 8.1 .0, .1
HP: HP Enterprise Maps 1.0 Base
HP: HP TippingPoint Next Generation Firewall (NGFW) 1.0.1.3974 Base | 1.0.2.3988 Base | 1.0.3.4024 Base | 1.1.0.4127 Base | 1.1.0.4150 Base
HP: HP NonStop H06 .25.00, .25.01, .26, .26.01, .27, .27.01, .28, .28.01 | J06 .14.00, .14.01, .14.02, .14.03, .15, .15.01, .15.02, .16, .16.01, .16.02, .17, .17.01, .18.00
HP: HP OneView 1.0 Base | 1.01 Base | 1.05 Base | 1.10 Base, .05, .07
HP: HP StoreEver ESL E-series Tape Library Original Release Base
HP: HP StoreOnce Backup 3.0 Base | 3.1 Base | 3.2 Base | 3.3 Base | 3.4 Base | 3.5 Base | 3.6 Base | 3.7 Base | 3.8 Base | 3.9 Base | 3.10 Base | 3.11 .0, .3
HP: HP StoreOnce Gen 2 Backup 2.3 .00
HP: HP StoreEver MSL6480 Tape Library firmware 4 .10, .20, .30, .40, .50
HP: HP Virtual Library System (VLS) Original Release Base
HP: Operations Analytics 2.0 Base | 2.1 Base
IBM: AIX 5.3 Base, .7.0, .7.1, .8, .9, .10, .11, .12 | 6.1 .0, .1, .2, .3, .4, .5, .6, .7, .8, TL9 | 7.1 .0, .1, .2, .3
IBM: Power Hardware Management Console (HMC) V7 R7.3.0 Base, SP2 | V7 R7.6.0 Base | V7 R7.7.0 Base | V7 R7.8.0 Base | V7 R7.9.0 Base | V8 R8.1.0 Base
Juniper Networks, Inc.: Security Threat Response Manager (STRM) 2010 Base | 2012 .0, .1 | 2013 Base, .1, .2
Juniper Networks, Inc.: Junos Space Software 11.1 Base | 11.2 Base | 11.3 Base | 12.1 Base | 12.2 Base | 12.3 Base
MontaVista: CGE 6.0 Base
MontaVista: MVL 6 ARM Base | Power Base | x86 Base
Oracle Corporation: Solaris 11.2 Base
Red Hat, Inc.: Red Hat Enterprise Linux 5 IA-32, IA-64, PPC, ppc64, s390, s390x, x86_64
Red Hat, Inc.: Red Hat Enterprise Linux Server AUS 6.2 x86_64 | 6.4 x86_64 | 6.5 x86_64
Red Hat, Inc.: Red Hat Enterprise Linux Desktop 5 IA-32, x86_64 | 6 IA-32, x86_64 | 7 x86_64
Red Hat, Inc.: Red Hat Enterprise Linux ELS (Extended Life Cycle Support) 4 IA-32, IA-64, x86_64
Red Hat, Inc.: Red Hat Enterprise Linux EUS (Extended Update Support) 5.9.z Base, IA-32, IA-64, PPC, PPC-64, s390x, x86_64
Red Hat, Inc.: Red Hat Enterprise Linux HPC Node 6 x86_64 | 7 x86_64
Red Hat, Inc.: Red Hat Enterprise Linux Long Life 5.6 IA-32, i386, IA-64, x86_64 | 5.9 Base, IA-32, IA-64, x86_64
Red Hat, Inc.: Red Hat Enterprise Linux Server 6 IA-32, PPC, PPC 64, s390, s390x, x86_64 | 7 x86_64, ppc, ppc64, s390, s390x
Red Hat, Inc.: Red Hat Enterprise Linux Server EUS 6.4.z Base, IA-32, x86_64, PPC, PPC64, s390, s390X | 6.5.z IA-32, PPC, PPC64, s390, s390x, x86_64
Red Hat, Inc.: Red Hat Enterprise Linux Workstation 6 IA-32, x86_64 | 7 x86_64
Red Hat, Inc.: Red Hat Enterprise S-JIS Service IA-32 Base | IA-64 Base | x86_64 Base
Red Hat, Inc.: Red Hat Enterprise Virtualization 3.4 x86_64
Sun Microsystems, Inc.: Solaris 8 sparc, X86 | 9 sparc, X86 | 10 sparc, x64/x86, 05/08 (Update 5)
VMware, Inc.: Horizon DaaS Platform 5.4 Base, .1, .2 | 6.0 Base, .1 | 6.1 Base
VMware, Inc.: IT Business Management Suite 1.0 Base
VMware, Inc.: NSX-MH 4.0 Base, .1, .2, .3, .4 | 4.1 Base, .1, .2, .3 | 4.2 Base
VMware, Inc.: NSX-V 6.0 Base, .1, .2, .3, .4, .5, .6 | 6.1 Base
VMware, Inc.: NVP 3.0 Base | 3.2 Base, .1, .2, .3
VMware, Inc.: vCenter Converter Standalone 5.1 Base, 0.1087880 | 5.5 Base, .1, .2
VMware, Inc.: vCenter Hyperic Server 5.0 Base, .1, .2 | 5.7 Base, .1 | 5.8 Base, .1, .2
VMware, Inc.: vCenter Infrastructure Navigator 2.0 Base | 5.7 Base | 5.8 Base, .1, .2
VMware, Inc.: vCenter Log Insight 1 Base, .0, .5 | 2 Base, .0, .2
VMware, Inc.: vCenter Operations Management Suite (vCOps) 5.7 Base | 5.8 Base
VMware, Inc.: vCenter Orchestrator (vCO) 4.0 Base, Update 1, Update 2, Update 3 | 4.1 Base, Update 1 | 4.2 Base | 5.1 Base | 5.5 Base, .1, .2
VMware, Inc.: vCloud Automation Center (vCAC) 6.1 Base
VMware, Inc.: vCloud Application Director 5.2 Base | 6.0 Base
VMware, Inc.: vCloud Connector 2.6 Base
VMware, Inc.: vCloud Director 5.5 Base, .1, .1.1, .1.2
VMware, Inc.: vCloud Networking and Security (vCNS) 5.1 Base, .3 | 5.5 Base, .1
VMware, Inc.: vCloud Usage Meter 3.3 Base, .1
VMware, Inc.: vFabric Postgres 9.1.5 Base | 9.1.6 Base | 9.1.7 Base | 9.1.8 Base | 9.2.1 Base | 9.2.2 Base | 9.2.3 Base | 9.3 .5.0
VMware, Inc.: VMware Application Dependency Planner 2.0 Base
VMware, Inc.: VMware Data Recovery 2.0 Base, .1, .2, .3
VMware, Inc.: VMware HealthAnalyzer 5.0 Base, .3
VMware, Inc.: VMware Horizon Workspace 1.0 Base | 1.5 Base, .1, .2 | 1.8 Base, .1, .2 | 2.0 .0 | 2.1 .0
VMware, Inc.: VMware Mirage 5.0 Base | 5.1 Base
VMware, Inc.: VMware Studio 2.0 Base
VMware, Inc.: VMWare View 3.0 Base, .1
VMware, Inc.: VMware Workbench 3.0 Base, .1
VMware, Inc.: VMware vCenter Site Recovery Manager 5.1 Base, .0.1, .1.1, .2, .2.1 | 5.5 Base, .1.2
VMware, Inc.: vSphere App HA 1.1 Base
VMware, Inc.: vSphere Big Data Extensions 2 Base
VMware, Inc.: vSphere Data Protection 5 Base
VMware, Inc.: vSphere Management Assistant 5.0 Base | 5.1 Base | 5.5 Base
VMware, Inc.: vSphere Replication 5.1 .0.1, .2, .2.1 | 5.5 Base, .1, .1.2 | 5.8 Base
VMware, Inc.: vSphere Storage Appliance 5.5 Base, .1
VMware, Inc.: vCenter Server Appliance (vCSA) 5.0 Base, Patch 1 | 5.1 Base, Patch 1 | 5.5 Base



LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.