The Cisco Product Security Incident Response Team (PSIRT) is currently investigating if any Cisco products are affected by this vulnerability. Any updates specifically related to Cisco products will be communicated according to the Cisco Security Vulnerability Policy. Continue to monitor this Event Response Page for the latest information. The following Cisco content is associated with this Event Response Page:
The GNU Bash Environment Variable Command Injection Vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) ID CVE-2014-6271, and due to an incomplete fix, CVE-2014-7169 has also been assigned.
A vulnerability in GNU Bash could allow an unauthenticated, remote attacker to inject arbitrary commands.
Cisco Security Analysis
GNU Bash versions through 4.3 process trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi, and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.
Impact on Cisco Products
The Cisco Product Security Incident Response Team (PSIRT) is currently investigating if any Cisco products are affected by this vulnerability. Any updates specifically related to Cisco products will be communicated according to the Cisco Security Vulnerability Policy.
The Cisco Computer Security Incident Response Team (CSIRT) is investigating Cisco public-facing infrastructure that could be susceptible to this vulnerability to facilitate its remediation.
IOS Zone-Based and User-Based Firewall
Application Layer Protocol Inspection on Cisco ASA
Effective use of Cisco Sourcefire Next-Generation Intrusion Prevention System (NGIPS) event actions provides visibility into and protection against attacks that attempt to exploit this vulnerability. The Sourcefire Snort SIDs for this vulnerability are 1:31975 through 1:31978. Talos has added coverage for this vulnerability in the 2014-09-24 release.
Effective use of Cisco Intrusion Prevention System (IPS) event actions provides visibility into and protection against attacks that attempt to exploit this vulnerability. The corresponding Signature IDs for Cisco IPS, written for the vulnerability, are 4689/0, 4689/1, 4689/2, and 4689/3 which are included as part of Cisco IPS Signature Update Package S824 (September 24, 2014).
Administrators can configure IPS sensors to perform an event action when an attack is detected. The configured event action performs preventive or deterrent controls to help protect against an attack that is attempting to exploit the GNU Bash Environment Variable Command Injection Vulnerability. An IPS device that is not placed inline and configured to drop malicious packets will only alert on attempts to exploit this vulnerability and will not prevent (mitigate) these attempts from becoming successful.
This document is part of the Cisco Security portal. Cisco provides the official information contained on the Cisco Security portal in English only.
This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document without notice at any time.