The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

cybersecurity weakness CVE-2014-6271

bash: code execution via Environment Variable, ShellShock

Synthesis of the vulnerability

An attacker can define a special environment variable, which is transmitted (via CGI or OpenSSH for example) to bash, in order to execute code.
Severity of this bulletin: 4/4.
Creation date: 24/09/2014.
References of this threat: 1141597, 193355, 193866, 194029, 194064, 194669, 480931, c04475942, c04479492, CERTFR-2014-ALE-006, CERTFR-2014-AVI-403, CERTFR-2014-AVI-415, CERTFR-2014-AVI-480, cisco-sa-20140926-bash, CTX200217, CTX200223, CVE-2014-6271, DSA-3032-1, ESA-2014-111, ESA-2014-123, ESA-2014-124, ESA-2014-125, ESA-2014-126, ESA-2014-127, ESA-2014-128, ESA-2014-133, ESA-2014-136, ESA-2014-150, ESA-2014-151, ESA-2014-152, ESA-2014-162, FEDORA-2014-11360, FEDORA-2014-11503, FG-IR-14-030, HPSBGN03138, HPSBMU03144, JSA10648, JSA10661, MDVSA-2014:186, MDVSA-2015:164, openSUSE-SU-2014:1226-1, openSUSE-SU-2014:1238-1, openSUSE-SU-2014:1308-1, openSUSE-SU-2014:1310-1, pfSense-SA-14_18.packages, RHSA-2014:1293-01, RHSA-2014:1294-01, RHSA-2014:1295-01, RHSA-2014:1354-01, SB10085, ShellShock, sk102673, SOL15629, SSA:2014-267-01, SSA-860967, SUSE-SU-2014:1212-1, SUSE-SU-2014:1213-1, SUSE-SU-2014:1214-1, SUSE-SU-2014:1223-1, T1021272, USN-2362-1, VIGILANCE-VUL-15399, VMSA-2014-0010, VMSA-2014-0010.10, VMSA-2014-0010.11, VMSA-2014-0010.12, VMSA-2014-0010.13, VMSA-2014-0010.2, VMSA-2014-0010.4, VMSA-2014-0010.7, VMSA-2014-0010.8, VMSA-2014-0010.9, VN-2014-002, VU#252743.

Description of the vulnerability

When the bash interpreter is started, the environment variables of the parent process are transferred to the new process. For example:
  export A=test
  bash
  echo $A

Functions can also be transferred through environment variables. For example:
  export F='() { echo bonjour; }'
  bash
  F

However, bash loads functions by interpreting the full environment variable. If an environment variable starts with "() {" and ends with "; command", then the command is run when the shell is started.

The main attack vectors are:
 - CGI scripts (Apache mod_cgi, mod_cgid) on a web server (variables: HTTP_header, REMOTE_HOST, SERVER_PROTOCOL)
 - OpenSSH via AcceptEnv (variables: TERM, ForceCommand with SSH_ORIGINAL_COMMAND)

An attacker can therefore define a special environment variable, which is transmitted (via CGI or OpenSSH for example) to bash, in order to execute code.

This security vulnerability impacts software or systems such as Arkoon FAST360, GAiA, CheckPoint IP Appliance, IPSO, SecurePlatform, CheckPoint Security Appliance, CheckPoint Smart-1, CheckPoint VSX-1, Cisco ASR, Cisco ACE, ASA, IOS XE Cisco, Cisco IPS, IronPort Encryption, Nexus by Cisco, NX-OS, Secure ACS, Cisco CUCM, Cisco Unified CCX, XenServer, Clearswift Email Gateway, Clearswift Web Gateway, Debian, Avamar, EMC CAVA, EMC CEE, EMC CEPA, Celerra FAST, Celerra NS, Celerra NX4, EMC CMDCE, Connectrix Switch, NetWorker, PowerPath, Unisphere EMC, VNX Operating Environment, VNX Series, Black Diamond, ExtremeXOS, Summit, BIG-IP Hardware, TMOS, Fedora, FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiManager, FortiManager Virtual Appliance, HP Operations, AIX, IVE OS, Junos Space, MAG Series by Juniper, NSM Central Manager, NSMXpress, Juniper SA, Juniper UAC, McAfee Email and Web Security, McAfee Email Gateway, McAfee MOVE AntiVirus, McAfee NSP, McAfee NGFW, McAfee Web Gateway, openSUSE, Solaris, pfSense, RealPresence Collaboration Server, RealPresence Distributed Media Application, Polycom VBP, RHEL, RSA Authentication Manager, ROX, RuggedSwitch, Slackware, Stonesoft NGFW/VPN, SUSE Linux Enterprise Desktop, SLES, Ubuntu, Unix (platform) ~ not comprehensive, ESX, vCenter Server, VMware vSphere.

Our Vigil@nce team determined that the severity of this computer weakness bulletin is critical.

The trust level is "confirmed by the editor", and the origin is "internet client".

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with beginner-level skills can exploit this vulnerability.

Solutions for this threat

bash: patch for Environment Variable.
A patch is available:
  http://ftp.gnu.org/pub/gnu/bash/bash-3.0-patches/bash30-017
  http://ftp.gnu.org/pub/gnu/bash/bash-3.1-patches/bash31-018
  http://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052
  http://ftp.gnu.org/pub/gnu/bash/bash-4.0-patches/bash40-039
  http://ftp.gnu.org/pub/gnu/bash/bash-4.1-patches/bash41-012
  http://ftp.gnu.org/pub/gnu/bash/bash-4.2-patches/bash42-048
  http://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-025

bash: workaround detecting the "() {" prefix.
A workaround is to detect the pattern "() {":
 - use bash_ld_preload.c with LD_PRELOAD (to be tested on a test platform):
      gcc bash_ld_preload.c -fPIC -shared -Wl,-soname,bash_ld_preload.so.1 -o bash_ld_preload.so
      cp bash_ld_preload.so /lib/
      echo "/lib/bash_ld_preload.so" >> /etc/ld.so.preload
      vi /etc/init.d/httpd # to add:
        LD_PRELOAD=/lib/bash_ld_preload.so
        export LD_PRELOAD
      restart services
 - use mod_security:
      SecRule REQUEST_HEADERS "^\(\) {" "phase:1,deny,id:1000000,t:urlDecode,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"
      SecRule REQUEST_LINE "\(\) {" "phase:1,deny,id:1000001,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"
      SecRule ARGS_NAMES "^\(\) {" "phase:2,deny,id:1000002,t:urlDecode,t:urlDecodeUni,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"
      SecRule ARGS "^\(\) {" "phase:2,deny,id:1000003,t:urlDecode,t:urlDecodeUni,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"
      SecRule FILES_NAMES "^\(\) {" "phase:2,deny,id:1000004,t:urlDecode,t:urlDecodeUni,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"
 - use iptables:
      iptables using -m string --hex-string '|28 29 20 7B|'
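
The prefix check that the description and these workarounds rely on, as an added example (it is not the bulletin's bash_ld_preload.c and not code from bash): a C filter that drops every environment entry whose value starts with "() {" before a shell would be started. The names is_function_prefix and scrub_env and the sample environment are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Pattern named in the bulletin: a value that begins with "() {" is
 * parsed by an unpatched bash as a function definition. */
static const char FUNC_PREFIX[] = "() {";

/* Return 1 if an environment entry "NAME=value" has a value starting
 * with the function prefix, 0 otherwise (including malformed entries). */
int is_function_prefix(const char *entry)
{
    const char *eq = entry ? strchr(entry, '=') : NULL;
    if (eq == NULL)
        return 0;
    return strncmp(eq + 1, FUNC_PREFIX, sizeof(FUNC_PREFIX) - 1) == 0;
}

/* Compact a NULL-terminated envp array in place, removing flagged
 * entries and logging their names. Returns the number removed. */
int scrub_env(char **envp)
{
    int removed = 0;
    char **dst = envp;
    for (char **src = envp; *src != NULL; src++) {
        if (is_function_prefix(*src)) {
            fprintf(stderr, "dropped suspicious variable: %.*s\n",
                    (int)(strchr(*src, '=') - *src), *src);
            removed++;
        } else {
            *dst++ = *src;
        }
    }
    *dst = NULL;
    return removed;
}

int main(void)
{
    /* Constructed sample environment, as a CGI or SSH front end might pass it. */
    char *env[] = {
        "PATH=/usr/bin:/bin",
        "HTTP_USER_AGENT=() { :; }; echo marker",
        "TERM=() { ignored; }",
        NULL
    };
    int n = scrub_env(env);
    printf("removed %d, first kept: %s\n", n, env[0]);
    return n == 2 ? 0 : 1;
}
```

Such a filter also drops legitimately exported functions, which is why the bulletin asks for testing on a test platform; the patched bash packages remain the fix.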

bash: workaround adding the BASH_FUNC_ prefix.
A workaround is to recompile bash to prefix the name of environment variables containing a function with "BASH_FUNC_".

AIX Toolbox for Linux: solution for bash.
The solution is indicated in information sources.

Arkoon Fast360: solution for bash.
An update will be available soon.

Check Point: solution for bash.
The solution is indicated in information sources.

Cisco: solution for bash.
The solution is indicated in information sources.

Citrix: solution for bash.
The solution is indicated in information sources.

Clearswift SECURE Email Gateway: version 3.8.3.
Version 3.8.3 is fixed:
  http://www.clearswift.net/

Clearswift SECURE Web Gateway: version 3.2.3.
Version 3.2.3 is fixed:
  http://www.clearswift.net/

Debian: new bash packages.
New packages are available:
  Debian 7: bash 4.2+dfsg-0.1+deb7u1

EMC: solution for bash.
The solution is indicated in information sources.

EMC Unisphere: solution for bash.
The solution is indicated in information sources.

Extreme Networks: solution for bash.
The solution is indicated in information sources.

F5 BIG-IP: solution for bash.
The solution is indicated in information sources.

Fedora: new bash packages.
New packages are available:
  Fedora 19: bash 4.2.47-2.fc19
  Fedora 20: bash 4.2.47-4.fc20

Fortinet: solution for bash.
The solution is indicated in information sources.

HP Operation Agent Virtual Appliance: patch for Bash.
A patch is available:
  https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01206384

HP Operations Analytics: patch for Bash.
A patch is available:
  https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01198565

Juniper NSM: upgrade package v3.
A patch is available:
  https://webdownload.juniper.net/swdl/dl/secure/site/1/record/56122.html
  https://webdownload.juniper.net/swdl/dl/secure/site/1/record/56123.html

Juniper: solution for bash.
The solution is indicated in information sources.

Mandriva BS2: new bash packages.
New packages are available:
  Mandriva BS2: bash 4.2-53.1.mbs2

Mandriva: new bash packages.
New packages are available:
  Mandriva BS1: bash 4.2-6.2.mbs1

McAfee: solution for bash.
The solution is indicated in information sources.

openSUSE 12.3: new bash packages.
New packages are available:
  openSUSE 12.3: bash 4.2-61.19.1
This package replaces the ones mentioned in the bulletins VIGILANCE-SOL-36803 and VIGILANCE-SOL-36804.

openSUSE 13.1: new bash packages.
New packages are available:
  openSUSE 13.1: bash 4.2-68.12.1
This package replaces the ones mentioned in the bulletins VIGILANCE-SOL-36803 and VIGILANCE-SOL-36804.

openSUSE: new bash packages.
New packages are available:
  openSUSE 11.4: bash 4.1-20.31.1
  openSUSE 12.3: bash 4.2-61.9.1
  openSUSE 13.1: bash 4.2-68.4.1

pfSense: new bash packages.
New packages are available, as indicated in information sources.

Polycom: solution for bash.
The solution is indicated in information sources.

RHEL: new bash packages.
New packages are available:
  RHEL 4: bash 3.0-27.el4.2
  RHEL 5: bash 3.2-33.el5.1
  RHEL 6: bash 4.1.2-15.el6_5.1
  RHEL 7: bash 4.2.45-5.el7_0.2

RHEV-M 3.4: new rhev-hypervisor6 packages.
New packages are available:
  RHEL 6: rhev-hypervisor6 6.5-20140930.1.el6ev

RSA Authentication Manager: solution for bash.
The solution is indicated in information sources.

Siemens ROX: solution for bash.
The solution is indicated in information sources.

Slackware: new bash packages.
New packages are available:
  Slackware 13.0: bash 3.1.018-i486-1_slack13.0
  Slackware 13.1: bash 4.1.012-i486-1_slack13.1
  Slackware 13.37: bash 4.1.012-i486-1_slack13.37
  Slackware 14.0: bash 4.2.048-i486-1_slack14.0
  Slackware 14.1: bash 4.2.048-i486-1_slack14.1

Solaris: patch for bash.
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1930090.1
A patch is available:
  Solaris 11.2: version 11.2.2.8.0
  Solaris 10:
    SPARC: 126546-07
    X86: 126547-07
  Solaris 9:
    SPARC: 149079-03
    X86: 149080-02

SUSE LE 10 SP3: new bash packages.
New packages are available:
  SUSE LE 10: bash 3.1-24.32.1

SUSE LE: new bash packages.
New packages are available:
  SUSE LE 10: bash 3.1-24.32.1
  SUSE LE 11: bash 3.2-147.20.1

SUSE Manager 1.7 for SLE 11 SP2: new bash packages.
New packages are available:
  SUSE Manager 1.7 for SLE 11 SP2: bash 3.2-147.14.20.1

Ubuntu: new bash packages.
New packages are available:
  Ubuntu 14.04 LTS: bash 4.3-7ubuntu1.1
  Ubuntu 12.04 LTS: bash 4.2-2ubuntu2.2
  Ubuntu 10.04 LTS: bash 4.1-2ubuntu3.1

VMware: solution for bash.
The solution is indicated in information sources.

Wind River Linux: new bash packages.
New packages are available:
  https://support.windriver.com/olsPortal/faces/maintenance/downloadDetails.jspx?contentId=044289