
Vulnerability of bash: command execution in the function parser

Synthesis of the vulnerability

An attacker can define a special environment variable, which is transmitted (via CGI or OpenSSH for example) to bash, in order to execute code.
Severity of this announcement: 3/4.
Creation date: 29/09/2014.
References of this computer vulnerability: 193355, 193866, 194029, 194064, 194669, 480931, c04475942, c04479492, CERTFR-2014-AVI-403, CERTFR-2014-AVI-415, CERTFR-2014-AVI-480, CTX200217, CTX200223, CVE-2014-6278, ESA-2014-111, ESA-2014-123, ESA-2014-124, ESA-2014-125, ESA-2014-126, ESA-2014-127, ESA-2014-128, ESA-2014-133, ESA-2014-136, ESA-2014-150, ESA-2014-151, ESA-2014-152, ESA-2014-162, HPSBGN03138, HPSBMU03144, JSA10648, JSA10661, MDVSA-2015:164, openSUSE-SU-2014:1310-1, openSUSE-SU-2016:2961-1, SB10085, sk102673, SOL15629, SSA:2014-272-01, SSA-860967, T1021272, USN-2380-1, VIGILANCE-VUL-15421, VMSA-2014-0010, VMSA-2014-0010.10, VMSA-2014-0010.11, VMSA-2014-0010.12, VMSA-2014-0010.13, VMSA-2014-0010.2, VMSA-2014-0010.4, VMSA-2014-0010.7, VMSA-2014-0010.8, VMSA-2014-0010.9.

Description of the vulnerability

The bash interpreter can use functions.

However, when bash parses the source code to create the function, it directly executes commands located at certain places in that code.

This vulnerability can be used with the same attack vector as VIGILANCE-VUL-15399.

An attacker can therefore define a special environment variable, which is transmitted (via CGI or OpenSSH for example) to bash, in order to execute code.

This security weakness impacts software or systems such as GAiA, CheckPoint IP Appliance, IPSO, SecurePlatform, CheckPoint Security Appliance, CheckPoint Smart-1, CheckPoint VSX-1, XenServer, Clearswift Email Gateway, Clearswift Web Gateway, Avamar, EMC CAVA, EMC CEE, EMC CEPA, Celerra FAST, Celerra NS, Celerra NX4, EMC CMDCE, Connectrix Switch, NetWorker, PowerPath, Unisphere EMC, VNX Operating Environment, VNX Series, BIG-IP Hardware, TMOS, HP Operations, AIX, IVE OS, Junos Space, MAG Series by Juniper, NSM Central Manager, NSMXpress, Juniper SA, Juniper UAC, McAfee Email and Web Security, McAfee Email Gateway, McAfee MOVE AntiVirus, McAfee NSP, McAfee NGFW, McAfee Web Gateway, openSUSE, openSUSE Leap, Solaris, RSA Authentication Manager, ROX, RuggedSwitch, Slackware, Stonesoft NGFW/VPN, Ubuntu, Unix (platform) ~ not comprehensive, ESX, vCenter Server, VMware vSphere.

Our Vigil@nce team determined that the severity of this threat bulletin is important.

The trust level is of type "confirmed by the editor", with an origin of "internet client".

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with technician-level ability can exploit this threat.

Solutions for this threat

bash: workaround adding the BASH_FUNC_ prefix.
A workaround is to recompile bash to prefix the name of environment variables containing a function with "BASH_FUNC_".
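The workaround ties function import to the variable's name instead of its value, and a CGI front end only lets the client choose values under `HTTP_*` names. The sketch below is an added example, not part of the Vigil@nce bulletin or of bash: it models that distinction in a launcher that drops function-shaped values before starting a child process. The `() {` marker is the value prefix that bash without the workaround treats as a function definition; the function names, the drop policy and the sample data are assumptions made for illustration.

```python
FUNC_MARKER = "() {"        # leading bytes that make unpatched bash parse a value as a function
SAFE_PREFIX = "BASH_FUNC_"  # name prefix required by the recompiled bash described above


def cgi_env_name(header):
    """CGI meta-variable name for a request header (RFC 3875): always starts with HTTP_."""
    return "HTTP_" + header.upper().replace("-", "_")


def classify(name, value):
    """Say whether a bash child would hand this entry to its function parser."""
    if not value.startswith(FUNC_MARKER):
        return "data"
    if name.startswith(SAFE_PREFIX):
        return "parsed-even-with-workaround"
    return "parsed-without-workaround"


def build_child_env(base_env, headers):
    """Merge request headers into a child environment, dropping function-shaped values.

    Returns (env, dropped); dropped lists (name, classification) pairs worth logging.
    Assumed policy: a CGI child never needs exported functions, so all are removed.
    """
    env, dropped = {}, []
    candidates = dict(base_env)
    candidates.update({cgi_env_name(h): v for h, v in headers.items()})
    for name, value in sorted(candidates.items()):
        kind = classify(name, value)
        if kind == "data":
            env[name] = value
        else:
            dropped.append((name, kind))
    return env, dropped


# Constructed sample input: the function bodies are harmless placeholders.
SAMPLE_BASE = {"PATH": "/usr/bin:/bin", "BASH_FUNC_helper": "() { echo constructed; }"}
SAMPLE_HEADERS = {"User-Agent": "() { echo constructed; }", "Accept": "text/html"}

if __name__ == "__main__":
    child_env, removed = build_child_env(SAMPLE_BASE, SAMPLE_HEADERS)
    print(sorted(child_env))
    for entry in removed:
        print("dropped", *entry)
```

Entries classified `parsed-without-workaround` are the ones the BASH_FUNC_ prefix neutralises; entries classified `parsed-even-with-workaround` show why a launcher must never let remote input choose variable names.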

AIX Toolbox for Linux: solution for bash.
The solution is indicated in information sources.

Check Point: solution for bash.
The solution is indicated in information sources.

Citrix: solution for bash.
The solution is indicated in information sources.

Clearswift SECURE Email Gateway: version 3.8.3.
Version 3.8.3 is fixed:
  http://www.clearswift.net/

Clearswift SECURE Web Gateway: version 3.2.3.
Version 3.2.3 is fixed:
  http://www.clearswift.net/

EMC: solution for bash.
The solution is indicated in information sources.

EMC Unisphere: solution for bash.
The solution is indicated in information sources.

F5 BIG-IP: solution for bash.
The solution is indicated in information sources.

HP Operation Agent Virtual Appliance: patch for Bash.
A patch is available:
  https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01206384

HP Operations Analytics: patch for Bash.
A patch is available:
  https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01198565

Juniper NSM: upgrade package v3.
A patch is available:
  https://webdownload.juniper.net/swdl/dl/secure/site/1/record/56122.html
  https://webdownload.juniper.net/swdl/dl/secure/site/1/record/56123.html

Juniper: solution for bash.
The solution is indicated in information sources.

Mandriva BS2: new bash packages.
New packages are available:
  Mandriva BS2: bash 4.2-53.1.mbs2

McAfee: solution for bash.
The solution is indicated in information sources.

openSUSE 13.1: new bash packages.
New packages are available:
  openSUSE 13.1: bash 4.2-68.12.1
This package replaces the ones mentioned in the bulletins VIGILANCE-SOL-36803 and VIGILANCE-SOL-36804.

openSUSE Leap 42.1: new bash packages.
New packages are available:
  openSUSE Leap 42.1: bash 4.2-81.1

RSA Authentication Manager: solution for bash.
The solution is indicated in information sources.

Siemens ROX: solution for bash.
The solution is indicated in information sources.

Slackware: new bash packages.
New packages are available:
  Slackware 13.0: bash 3.1.020-i486-1_slack13.0
  Slackware 13.1: bash 4.1.014-i486-1_slack13.1
  Slackware 13.37: bash 4.1.014-i486-1_slack13.37
  Slackware 14.0: bash 4.2.050-i486-1_slack14.0
  Slackware 14.1: bash 4.2.050-i486-1_slack14.1

Solaris: patch for bash.
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1930090.1
A patch is available:
  Solaris 11.2: version 11.2.2.8.0
  Solaris 10:
    SPARC: 126546-07
    X86: 126547-07
  Solaris 9:
    SPARC: 149079-03
    X86: 149080-02

Ubuntu: new bash packages.
New packages are available:
  Ubuntu 14.04 LTS: bash 4.3-7ubuntu1.5
  Ubuntu 12.04 LTS: bash 4.2-2ubuntu2.6
  Ubuntu 10.04 LTS: bash 4.1-2ubuntu3.5

VMware: solution for bash.
The solution is indicated in information sources.
