
threat alert CVE-2014-7169

bash: code execution via Function Variable

Synthesis of the vulnerability

An attacker can define a special environment variable, which is transmitted (via CGI or OpenSSH for example) to bash, in order to execute code.
Severity of this alert: 3/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 25/09/2014.
References of this alert: 193355, 193866, 194029, 194064, 194669, 480931, c04475942, c04479492, CERTFR-2014-AVI-403, CERTFR-2014-AVI-415, CERTFR-2014-AVI-480, cisco-sa-20140926-bash, CTX200217, CTX200223, CVE-2014-3659-REJECT, CVE-2014-7169, DSA-3035-1, ESA-2014-111, ESA-2014-123, ESA-2014-124, ESA-2014-125, ESA-2014-126, ESA-2014-127, ESA-2014-128, ESA-2014-133, ESA-2014-136, ESA-2014-150, ESA-2014-151, ESA-2014-152, ESA-2014-162, FEDORA-2014-11514, FEDORA-2014-11527, FEDORA-2014-12202, FG-IR-14-030, HPSBGN03138, HPSBMU03144, JSA10648, JSA10661, MDVSA-2014:190, MDVSA-2015:164, openSUSE-SU-2014:1229-1, openSUSE-SU-2014:1242-1, openSUSE-SU-2014:1248-1, openSUSE-SU-2014:1308-1, openSUSE-SU-2014:1310-1, pfSense-SA-14_18.packages, RHSA-2014:1306-01, RHSA-2014:1311-01, RHSA-2014:1312-01, RHSA-2014:1354-01, RHSA-2014:1865-01, SB10085, sk102673, SOL15629, SSA:2014-268-01, SSA:2014-268-02, SSA-860967, SUSE-SU-2014:1247-1, SUSE-SU-2014:1247-2, T1021272, USN-2363-1, USN-2363-2, VIGILANCE-VUL-15401, VMSA-2014-0010, VMSA-2014-0010.10, VMSA-2014-0010.11, VMSA-2014-0010.12, VMSA-2014-0010.13, VMSA-2014-0010.2, VMSA-2014-0010.4, VMSA-2014-0010.7, VMSA-2014-0010.8, VMSA-2014-0010.9, VN-2014-002.

Description of the vulnerability

The bulletin VIGILANCE-VUL-15399 describes a vulnerability of bash.

However, the offered patch (VIGILANCE-SOL-36695) is incomplete. A variant of the initial attack can thus still be used to execute code or to create a file.

In this case, the code is run when the variable is parsed (which is not necessarily an environment variable), and not when the shell starts. The impact may thus be lower, but this was not confirmed.

An attacker can therefore define a special environment variable, which is transmitted (via CGI or OpenSSH for example) to bash, in order to execute code.

This computer vulnerability bulletin impacts software or systems such as Arkoon FAST360, GAiA, CheckPoint IP Appliance, IPSO, SecurePlatform, CheckPoint Security Appliance, CheckPoint Smart-1, CheckPoint VSX-1, Cisco ASR, Cisco ACE, ASA, IOS XE Cisco, Cisco IPS, IronPort Encryption, Nexus by Cisco, NX-OS, Secure ACS, Cisco CUCM, Cisco Unified CCX, XenServer, Clearswift Email Gateway, Clearswift Web Gateway, Debian, Avamar, EMC CAVA, EMC CEE, EMC CEPA, Celerra FAST, Celerra NS, Celerra NX4, EMC CMDCE, Connectrix Switch, NetWorker, PowerPath, Unisphere EMC, VNX Operating Environment, VNX Series, Black Diamond, ExtremeXOS, Summit, BIG-IP Hardware, TMOS, Fedora, FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiManager, FortiManager Virtual Appliance, HP Operations, AIX, IVE OS, Junos Space, MAG Series by Juniper, NSM Central Manager, NSMXpress, Juniper SA, Juniper UAC, McAfee Email and Web Security, McAfee Email Gateway, McAfee MOVE AntiVirus, McAfee NSP, McAfee NGFW, McAfee Web Gateway, openSUSE, Solaris, pfSense, RealPresence Collaboration Server, RealPresence Distributed Media Application, Polycom VBP, RHEL, RSA Authentication Manager, ROX, RuggedSwitch, Slackware, Stonesoft NGFW/VPN, SUSE Linux Enterprise Desktop, SLES, Ubuntu, Unix (platform) ~ not comprehensive, ESX, vCenter Server, VMware vSphere.

Our Vigil@nce team determined that the severity of this vulnerability bulletin is important.

The trust level is "confirmed by the editor", and the attack origin is "internet client".

This bulletin is about 2 vulnerabilities.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with technician-level skills can exploit this threat.

Solutions for this threat

bash: patch for Function Variable.
A patch is available in information sources.

bash: workaround detecting the "() {" function prefix.
A workaround is to detect the pattern "() {":
 - use bash_ld_preload.c with LD_PRELOAD (to be tested on a test platform):
      gcc bash_ld_preload.c -fPIC -shared -Wl,-soname,bash_ld_preload.so.1 -o bash_ld_preload.so
      cp bash_ld_preload.so /lib/
      echo "/lib/bash_ld_preload.so" >> /etc/ld.so.preload
      vi /etc/init.d/httpd # to add:
        LD_PRELOAD=/lib/bash_ld_preload.so
        export LD_PRELOAD
      restart services
 - use mod_security:
      SecRule REQUEST_HEADERS "^\(\) {" "phase:1,deny,id:1000000,t:urlDecode,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"
      SecRule REQUEST_LINE "\(\) {" "phase:1,deny,id:1000001,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"
      SecRule ARGS_NAMES "^\(\) {" "phase:2,deny,id:1000002,t:urlDecode,t:urlDecodeUni,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"
      SecRule ARGS "^\(\) {" "phase:2,deny,id:1000003,t:urlDecode,t:urlDecodeUni,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"
      SecRule FILES_NAMES "^\(\) {" "phase:2,deny,id:1000004,t:urlDecode,t:urlDecodeUni,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"
 - use iptables (the string match requires --algo; the hex bytes 28 29 20 7B are the characters of "() {"; adapt the chain and port to your setup):
      iptables -A INPUT -p tcp --dport 80 -m string --algo bm --hex-string '|28 29 20 7B|' -j DROP
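The mod_security rules and the iptables string match above all look for the same four-byte prefix "() {" that bash accepts as the start of an imported function. The following added example (not code from the bulletin or from any vendor) reimplements that check in Python over constructed sample requests, including the double URL-decoding that the t:urlDecode,t:urlDecodeUni transformations perform on headers and arguments; field names such as scan_request and SAMPLES are this example's own.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# The bytes bash looks for at the start of an imported variable. The iptables
# hex-string '|28 29 20 7B|' in the workaround is exactly this prefix.
FUNC_PREFIX = b"\x28\x29\x20\x7b"          # b"() {"
PREFIX_ANCHORED = re.compile(r"^\(\) \{")  # mirrors the "^\(\) {" rules
PREFIX_ANYWHERE = re.compile(r"\(\) \{")   # mirrors the REQUEST_LINE rule


def url_decode(value: str) -> str:
    """Approximate t:urlDecode,t:urlDecodeUni: decode %XX twice so that a
    double-encoded value is normalised before matching."""
    return unquote(unquote(value))


def scan_request(request_line: str, headers: dict, body: str = "") -> list:
    """Return (location, decoded value) pairs where the prefix was found.
    An empty list means none of the inspected fields carries it."""
    hits = []
    if PREFIX_ANYWHERE.search(request_line):            # REQUEST_LINE, raw
        hits.append(("request_line", request_line))
    for name, value in headers.items():                  # REQUEST_HEADERS
        if PREFIX_ANCHORED.match(url_decode(value)):
            hits.append(("header:" + name, url_decode(value)))
    # ARGS and ARGS_NAMES: query string plus a form-encoded body. parse_qsl
    # already decodes once; url_decode adds the extra rounds.
    parts = request_line.split(" ")
    target = parts[1] if len(parts) > 1 else ""
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    params += parse_qsl(body, keep_blank_values=True)
    for name, value in params:
        for label, field in (("arg_name", name), ("arg", value)):
            if PREFIX_ANCHORED.match(url_decode(field)):
                hits.append((label + ":" + name, url_decode(field)))
    return hits


# Constructed sample requests (not taken from the bulletin): the prefix in a
# User-Agent header, a double-encoded copy in a query argument, and a clean
# request whose header merely contains parentheses and a brace.
SAMPLES = {
    "ua": ("GET /cgi-bin/status HTTP/1.1",
           {"Host": "www.example.test", "User-Agent": "() { :; }; echo hit"}),
    "arg": ("GET /cgi-bin/status?x=%2528%2529%2520%257B%20test HTTP/1.1",
            {"Host": "www.example.test"}),
    "clean": ("GET /index.html HTTP/1.1",
              {"Host": "www.example.test", "User-Agent": "Mozilla/5.0 (X11) {}"}),
}


def should_block(name: str) -> bool:
    """True when the named sample would be rejected (status 400 in the rules)."""
    line, hdrs = SAMPLES[name]
    return bool(scan_request(line, hdrs))
```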

bash: workaround adding the BASH_FUNC_ prefix.
A workaround is to recompile bash to prefix the name of environment variables containing a function with "BASH_FUNC_".

AIX Toolbox for Linux: solution for bash.
The solution is indicated in information sources.

Arkoon Fast360: solution for bash.
An update will be available soon.

Check Point: solution for bash.
The solution is indicated in information sources.

Cisco: solution for bash.
The solution is indicated in information sources.

Citrix: solution for bash.
The solution is indicated in information sources.

Clearswift SECURE Email Gateway: version 3.8.3.
The version 3.8.3 is fixed:
  http://www.clearswift.net/

Clearswift SECURE Web Gateway: version 3.2.3.
The version 3.2.3 is fixed:
  http://www.clearswift.net/

Debian: new bash packages.
New packages are available:
  Debian 7: bash 4.2+dfsg-0.1+deb7u3

EMC: solution for bash.
The solution is indicated in information sources.

EMC Unisphere: solution for bash.
The solution is indicated in information sources.

Extreme Networks: solution for bash.
The solution is indicated in information sources.

F5 BIG-IP: solution for bash.
The solution is indicated in information sources.

Fedora: new bash packages.
New packages are available:
  Fedora 19: bash 4.2.48-2.fc19
  Fedora 20: bash 4.2.48-2.fc20

Fortinet: solution for bash.
The solution is indicated in information sources.

HP Operation Agent Virtual Appliance: patch for Bash.
A patch is available:
  https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01206384

HP Operations Analytics: patch for Bash.
A patch is available:
  https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01198565

Juniper NSM: upgrade package v3.
A patch is available:
  https://webdownload.juniper.net/swdl/dl/secure/site/1/record/56122.html
  https://webdownload.juniper.net/swdl/dl/secure/site/1/record/56123.html

Juniper: solution for bash.
The solution is indicated in information sources.

Mandriva BS2: new bash packages.
New packages are available:
  Mandriva BS2: bash 4.2-53.1.mbs2

Mandriva: new bash packages.
New packages are available:
  Mandriva BS1: bash 4.2-48.1.mbs1

McAfee: solution for bash.
The solution is indicated in information sources.

openSUSE 12.3: new bash packages.
New packages are available:
  openSUSE 12.3: bash 4.2-61.19.1
This package replaces the ones mentioned in the bulletins VIGILANCE-SOL-36803 and VIGILANCE-SOL-36804.

openSUSE 13.1: new bash packages.
New packages are available:
  openSUSE 13.1: bash 4.2-68.12.1
This package replaces the ones mentioned in the bulletins VIGILANCE-SOL-36803 and VIGILANCE-SOL-36804.

openSUSE: new bash packages.
New packages are available:
  openSUSE 12.3: bash 4.2-61.15.1
  openSUSE 13.1: bash 4.2-68.8.1

pfSense: new bash packages.
New packages are available, as indicated in information sources.

Polycom: solution for bash.
The solution is indicated in information sources.

RHEL: new bash packages (26/09/2014).
New packages are available:
  RHEL 5: bash 3.2-33.el5_11.4
  RHEL 6: bash 4.1.2-15.el6_5.2
  RHEL 7: bash 4.2.45-5.el7_0.4

RHEL: new bash packages (29/09/2014).
New packages are available, as indicated in information sources.

RHEV-M 3.4: new rhev-hypervisor6 packages.
New packages are available:
  RHEL 6: rhev-hypervisor6 6.5-20140930.1.el6ev

RSA Authentication Manager: solution for bash.
The solution is indicated in information sources.

Siemens ROX: solution for bash.
The solution is indicated in information sources.

Slackware: new bash packages.
New packages are available:
  Slackware 13.0: bash 3.1.018-i486-3_slack13.0
  Slackware 13.1: bash 4.1.012-i486-2_slack13.1
  Slackware 13.37: bash 4.1.012-i486-2_slack13.37
  Slackware 14.0: bash 4.2.048-i486-2_slack14.0
  Slackware 14.1: bash 4.2.048-i486-2_slack14.1

Solaris: patch for bash.
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1930090.1
A patch is available:
  Solaris 11.2: version 11.2.2.8.0
  Solaris 10:
    SPARC: 126546-07
    X86: 126547-07
  Solaris 9:
    SPARC: 149079-03
    X86: 149080-02

SUSE LE: new bash packages.
New packages are available:
  SUSE LE 10: bash 3.1-24.34.1
  SUSE LE 11: bash 3.2-147.22.1

Ubuntu: new bash packages.
New packages are available:
  Ubuntu 14.04 LTS: bash 4.3-7ubuntu1.3
  Ubuntu 12.04 LTS: bash 4.2-2ubuntu2.3
  Ubuntu 10.04 LTS: bash 4.1-2ubuntu3.2

VMware: solution for bash.
The solution is indicated in information sources.

Wind River Linux: new bash packages.
New packages are available:
  https://support.windriver.com/olsPortal/faces/maintenance/downloadDetails.jspx?contentId=044289