GNU Bash Environment Variables Parsing OS Commands Injection Vulnerability


Description   A vulnerability has been discovered in GNU Bash, which can be exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused due to an error when handling a lookahead character while parsing environment variables and can be exploited to e.g. inject and execute arbitrary shell commands via a specially crafted environment variable value.
The vulnerability is confirmed in version 4.3 and reported in versions 3.0 through 4.2. Other versions may also be affected.
     
Vulnerable Products   Vulnerable Software:
GNU Bash 3.xGNU bash 4.x
     
Solution   Apply patch.
     
CVE   CVE-2014-7169
     
References   GNU Bash:
http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-026
http://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-049
http://ftp.gnu.org/gnu/bash/bash-4.1-patches/bash41-013
http://ftp.gnu.org/gnu/bash/bash-4.0-patches/bash40-040
http://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-053
http://ftp.gnu.org/gnu/bash/bash-3.1-patches/bash31-019
http://ftp.gnu.org/gnu/bash/bash-3.0-patches/bash30-018
http://ftp.gnu.org/gnu/bash/bash-2.05b-patches/bash205b-009
Tavis Ormandy:
http://twitter.com/taviso/statuses/514887394294652929
     
Vulnerability Manager Detection   No
     
IPS Protection  
ASQ Engine alarm Available Since
bash Shellshock dhcp vulnerability CVE-2014-6271
5.0.0
bash Shellshock web vulnerability CVE-2014-6271
5.0.0
bash Shellshock SIP vulnerability CVE-2014-6271
5.0.0
bash Shellshock ftp vulnerability CVE-2014-6271
5.0.0
bash Shellshock smtp vulnerability CVE-2014-6271
5.0.0
     


 
 
 
 
 Risk level 
High 

 Vulnerability First Public Report Date 
2014-09-30 

 Target Type 
Server 

 Possible exploit 
Remote