ID CVE-2014-6271
Summary GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.
Vulnerable Configurations
  • GNU Bourne-Again SHell bash (GNU Bash) 1.14.0
    cpe:2.3:a:gnu:bash:1.14.0
  • GNU Bourne-Again SHell bash (GNU Bash) 1.14.1
    cpe:2.3:a:gnu:bash:1.14.1
  • GNU Bourne-Again SHell bash (GNU Bash) 1.14.2
    cpe:2.3:a:gnu:bash:1.14.2
  • GNU Bourne-Again SHell bash (GNU Bash) 1.14.3
    cpe:2.3:a:gnu:bash:1.14.3
  • GNU Bourne-Again SHell bash (GNU Bash) 1.14.4
    cpe:2.3:a:gnu:bash:1.14.4
  • GNU Bourne-Again SHell bash (GNU Bash) 1.14.5
    cpe:2.3:a:gnu:bash:1.14.5
  • GNU Bourne-Again SHell bash (GNU Bash) 1.14.6
    cpe:2.3:a:gnu:bash:1.14.6
  • GNU Bourne-Again SHell bash (GNU Bash) 1.14.7
    cpe:2.3:a:gnu:bash:1.14.7
  • GNU Bourne-Again SHell bash (GNU Bash) 2.0
    cpe:2.3:a:gnu:bash:2.0
  • GNU Bourne-Again SHell bash (GNU Bash) 2.01
    cpe:2.3:a:gnu:bash:2.01
  • GNU Bourne-Again SHell bash (GNU Bash) 2.01.1
    cpe:2.3:a:gnu:bash:2.01.1
  • GNU Bourne-Again SHell bash (GNU Bash) 2.02
    cpe:2.3:a:gnu:bash:2.02
  • GNU Bourne-Again SHell bash (GNU Bash) 2.02.1
    cpe:2.3:a:gnu:bash:2.02.1
  • GNU Bourne-Again SHell bash (GNU Bash) 2.03
    cpe:2.3:a:gnu:bash:2.03
  • GNU Bourne-Again SHell bash (GNU Bash) 2.04
    cpe:2.3:a:gnu:bash:2.04
  • GNU Bourne-Again SHell bash (GNU Bash) 2.05
    cpe:2.3:a:gnu:bash:2.05
  • GNU Bourne-Again SHell bash (GNU Bash) 2.05a
    cpe:2.3:a:gnu:bash:2.05:a
  • GNU Bourne-Again SHell bash (GNU Bash) 2.05b
    cpe:2.3:a:gnu:bash:2.05:b
  • GNU Bourne-Again SHell bash (GNU Bash) 3.0
    cpe:2.3:a:gnu:bash:3.0
  • GNU Bourne-Again SHell bash (GNU Bash) 3.0.16
    cpe:2.3:a:gnu:bash:3.0.16
  • GNU Bourne-Again SHell bash (GNU Bash) 3.1
    cpe:2.3:a:gnu:bash:3.1
  • GNU Bourne-Again SHell bash (GNU Bash) 3.2
    cpe:2.3:a:gnu:bash:3.2
  • GNU Bourne-Again SHell bash (GNU Bash) 3.2.48
    cpe:2.3:a:gnu:bash:3.2.48
  • GNU Bourne-Again SHell bash (GNU Bash) 4.0
    cpe:2.3:a:gnu:bash:4.0
  • GNU Bourne-Again SHell bash (GNU Bash) 4.0 release candidate 1
    cpe:2.3:a:gnu:bash:4.0:rc1
  • GNU Bourne-Again SHell bash (GNU Bash) 4.1
    cpe:2.3:a:gnu:bash:4.1
  • GNU Bourne-Again SHell bash (GNU Bash) 4.2
    cpe:2.3:a:gnu:bash:4.2
  • GNU Bourne-Again SHell bash (GNU Bash) 4.3
    cpe:2.3:a:gnu:bash:4.3
CVSS
Base: 10.0 (as of 24-06-2016 - 12:25)
Impact:
Exploitability:
CWE CWE-78
CAPEC
  • Command Line Execution through SQL Injection
    An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
  • Command Delimiters
    An attack of this type exploits a program's vulnerabilities that allow an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or a blacklist input validation, as opposed to whitelist validation, is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or blacklist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
  • Exploiting Multiple Input Interpretation Layers
    An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiple passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.
  • Argument Injection
    An attacker changes the behavior or state of a targeted application by injecting data or command syntax through the target's use of non-validated and non-filtered arguments of exposed services or methods.
  • OS Command Injection
    In this type of an attack, an adversary injects operating system commands into existing application functions. An application that uses untrusted input to build command strings is vulnerable. An adversary can leverage OS command injection in an application to elevate privileges, execute arbitrary commands and compromise the underlying operating system.
Access
Vector: NETWORK
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: COMPLETE
Integrity: COMPLETE
Availability: COMPLETE
exploit-db via4
  • description GNU bash 4.3.11 Environment Variable dhclient Exploit. CVE-2014-3659,CVE-2014-3671,CVE-2014-6271,CVE-2014-6277,CVE-2014-62771,CVE-2014-6278,CVE-2014-7169,CVE...
    id EDB-ID:34860
    last seen 2016-02-04
    modified 2014-10-02
    published 2014-10-02
    reporter @0x00string
    source https://www.exploit-db.com/download/34860/
    title GNU bash 4.3.11 Environment Variable dhclient Exploit
  • description Bash - CGI RCE (MSF) Shellshock Exploit. CVE-2014-3659,CVE-2014-3671,CVE-2014-6271,CVE-2014-62771,CVE-2014-7169,CVE-2014-7196,CVE-2014-7227,CVE-2014-7910. We...
    id EDB-ID:34895
    last seen 2016-02-04
    modified 2014-10-06
    published 2014-10-06
    reporter Fady Mohammed Osman
    source https://www.exploit-db.com/download/34895/
    title Bash - CGI RCE MSF Shellshock Exploit
  • description IPFire Bash Environment Variable Injection (Shellshock). CVE-2014-6271. Remote exploit for cgi platform
    file exploits/cgi/remote/39918.rb
    id EDB-ID:39918
    last seen 2016-06-11
    modified 2016-06-10
    platform cgi
    port 444
    published 2016-06-10
    reporter metasploit
    source https://www.exploit-db.com/download/39918/
    title IPFire Bash Environment Variable Injection Shellshock
    type remote
  • description GNU bash Environment Variable Command Injection (MSF). CVE-2014-3659,CVE-2014-3671,CVE-2014-6271,CVE-2014-62771,CVE-2014-7169,CVE-2014-7196,CVE-2014-7227,CVE...
    id EDB-ID:34777
    last seen 2016-02-03
    modified 2014-09-25
    published 2014-09-25
    reporter Shaun Colley
    source https://www.exploit-db.com/download/34777/
    title GNU bash Environment Variable Command Injection MSF
  • description GNU bash Environment Variable Command Injection. CVE-2014-3659,CVE-2014-3671,CVE-2014-6271,CVE-2014-62771,CVE-2014-7169,CVE-2014-7196,CVE-2014-7227,CVE-2014-...
    id EDB-ID:34765
    last seen 2016-02-03
    modified 2014-09-25
    published 2014-09-25
    reporter Stephane Chazelas
    source https://www.exploit-db.com/download/34765/
    title GNU Bash - Environment Variable Command Injection ShellShock
  • description CUPS Filter Bash Environment Variable Code Injection. CVE-2014-3659,CVE-2014-3671,CVE-2014-6271,CVE-2014-62771,CVE-2014-7169,CVE-2014-7196,CVE-2014-7227,CVE-...
    id EDB-ID:35115
    last seen 2016-02-04
    modified 2014-10-29
    published 2014-10-29
    reporter metasploit
    source https://www.exploit-db.com/download/35115/
    title CUPS Filter Bash Environment Variable Code Injection
  • description IPFire Cgi Web Interface Authenticated Bash Environment Variable Code Injection Exploit. CVE-2014-3659,CVE-2014-3671,CVE-2014-6271,CVE-2014-62771,CVE-2014-71...
    id EDB-ID:34839
    last seen 2016-02-04
    modified 2014-10-01
    published 2014-10-01
    reporter Claudio Viviani
    source https://www.exploit-db.com/download/34839/
    title IPFire Cgi Web Interface Authenticated Bash Environment Variable Code Injection Exploit
  • description Qmail SMTP - Bash Environment Variable Injection (Metasploit). CVE-2014-6271. Remote exploit for Linux platform. Tags: Metasploit Framework
    file exploits/linux/remote/42938.rb
    id EDB-ID:42938
    last seen 2017-10-02
    modified 2017-10-02
    platform linux
    port
    published 2017-10-02
    reporter Exploit-DB
    source https://www.exploit-db.com/download/42938/
    title Qmail SMTP - Bash Environment Variable Injection (Metasploit)
    type remote
  • description QNAP - Web Server Remote Code Execution via Bash Environment Variable Code Injection. CVE-2014-3659,CVE-2014-3671,CVE-2014-6271,CVE-2014-62771,CVE-2014-7169,...
    id EDB-ID:36504
    last seen 2016-02-04
    modified 2015-03-26
    published 2015-03-26
    reporter Patrick Pellegrino
    source https://www.exploit-db.com/download/36504/
    title QNAP - Web Server Remote Code Execution via Bash Environment Variable Code Injection
  • description OpenVPN 2.2.29 - ShellShock Exploit. CVE-2014-3659,CVE-2014-3671,CVE-2014-6271,CVE-2014-62771,CVE-2014-7169,CVE-2014-7196,CVE-2014-7227,CVE-2014-7910. Remote...
    file exploits/linux/remote/34879.txt
    id EDB-ID:34879
    last seen 2016-02-04
    modified 2014-10-04
    platform linux
    port
    published 2014-10-04
    reporter hobbily plunt
    source https://www.exploit-db.com/download/34879/
    title OpenVPN 2.2.29 - ShellShock Exploit
    type remote
  • description Cisco Unified Communications Manager - Multiple Vulnerabilities. CVE-2014-6271,CVE-2014-8008. Webapps exploits for multiple platform
    file exploits/multiple/webapps/37816.txt
    id EDB-ID:37816
    last seen 2016-02-04
    modified 2015-08-18
    platform multiple
    port
    published 2015-08-18
    reporter Bernhard Mueller
    source https://www.exploit-db.com/download/37816/
    title Cisco Unified Communications Manager - Multiple Vulnerabilities
    type webapps
  • description Advantech Switch Bash Environment Variable Code Injection (Shellshock). CVE-2014-6271,CVE-2014-7196. Remote exploit for cgi platform
    file exploits/cgi/remote/38849.rb
    id EDB-ID:38849
    last seen 2016-02-04
    modified 2015-12-02
    platform cgi
    port
    published 2015-12-02
    reporter metasploit
    source https://www.exploit-db.com/download/38849/
    title Advantech Switch Bash Environment Variable Code Injection Shellshock
    type remote
  • description RedStar 3.0 Server - 'BEAM & RSSMON' Command Execution (Shellshock). CVE-2014-6271. Local exploit for Linux platform
    file exploits/linux/local/40938.py
    id EDB-ID:40938
    last seen 2016-12-19
    modified 2016-12-18
    platform linux
    port
    published 2016-12-18
    reporter Exploit-DB
    source https://www.exploit-db.com/download/40938/
    title RedStar 3.0 Server - 'BEAM & RSSMON' Command Execution (Shellshock)
    type local
  • description Postfix SMTP - Shellshock Exploit. CVE-2014-3659,CVE-2014-3671,CVE-2014-6271,CVE-2014-62771,CVE-2014-7169,CVE-2014-7196,CVE-2014-7227,CVE-2014-7910. Remote e...
    id EDB-ID:34896
    last seen 2016-02-04
    modified 2014-10-06
    published 2014-10-06
    reporter Phil Blank
    source https://www.exploit-db.com/download/34896/
    title Postfix SMTP - Shellshock Exploit
  • description Pure-FTPd External Authentication Bash Environment Variable Code Injection. CVE-2014-3659,CVE-2014-3671,CVE-2014-6271,CVE-2014-62771,CVE-2014-7169,CVE-2014-7...
    id EDB-ID:34862
    last seen 2016-02-04
    modified 2014-10-02
    published 2014-10-02
    reporter metasploit
    source https://www.exploit-db.com/download/34862/
    title Pure-FTPd External Authentication Bash Environment Variable Code Injection
  • description Kemp Load Master 7.1.16 - Multiple Vulnerabilities. CVE-2014-3659,CVE-2014-3671,CVE-2014-5287,CVE-2014-5288,CVE-2014-6271,CVE-2014-62771,CVE-2014-7169,CVE-20...
    id EDB-ID:36609
    last seen 2016-02-04
    modified 2015-04-02
    published 2015-04-02
    reporter Roberto Suggi Liverani
    source https://www.exploit-db.com/download/36609/
    title Kemp Load Master 7.1.16 - Multiple Vulnerabilities
  • description TrendMicro InterScan Web Security Virtual Appliance - Remote Code Execution (Shellshock). CVE-2014-6271. Remote exploit for Hardware platform
    file exploits/hardware/remote/40619.py
    id EDB-ID:40619
    last seen 2016-10-21
    modified 2016-10-21
    platform hardware
    port
    published 2016-10-21
    reporter Hacker Fantastic
    source https://www.exploit-db.com/download/40619/
    title TrendMicro InterScan Web Security Virtual Appliance - Remote Code Execution (Shellshock)
    type remote
  • description PHP 5.x Shellshock Exploit (bypass disable_functions). CVE-2014-3659,CVE-2014-3671,CVE-2014-6271,CVE-2014-62771,CVE-2014-7169,CVE-2014-7196,CVE-2014-7227,CVE...
    id EDB-ID:35146
    last seen 2016-02-04
    modified 2014-11-03
    published 2014-11-03
    reporter Ryan King (Starfall)
    source https://www.exploit-db.com/download/35146/
    title PHP 5.x Shellshock Exploit bypass disable_functions
  • description QNAP - Admin Shell via Bash Environment Variable Code Injection. CVE-2014-3659,CVE-2014-3671,CVE-2014-6271,CVE-2014-62771,CVE-2014-7169,CVE-2014-7196,CVE-201...
    id EDB-ID:36503
    last seen 2016-02-04
    modified 2015-03-26
    published 2015-03-26
    reporter Patrick Pellegrino
    source https://www.exploit-db.com/download/36503/
    title QNAP - Admin Shell via Bash Environment Variable Code Injection
  • description Bash - Environment Variables Code Injection Exploit (ShellShock). CVE-2014-3659,CVE-2014-3671,CVE-2014-6271,CVE-2014-62771,CVE-2014-7169,CVE-2014-7196,CVE-20...
    id EDB-ID:34766
    last seen 2016-02-03
    modified 2014-09-25
    published 2014-09-25
    reporter Prakhar Prasad & Subho Halder
    source https://www.exploit-db.com/download/34766/
    title Bash - Environment Variables Code Injection Exploit ShellShock
metasploit via4
  • description This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets CUPS filters through the PRINTER_INFO and PRINTER_LOCATION variables. A valid username and password is required to exploit this vulnerability through CUPS.
    id MSF:EXPLOIT/MULTI/HTTP/CUPS_BASH_ENV_EXEC
    last seen 2018-05-24
    modified 2017-07-24
    published 2014-10-19
    reliability Excellent
    reporter Rapid7
    source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/cups_bash_env_exec.rb
    title CUPS Filter Bash Environment Variable Code Injection (Shellshock)
  • description This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets CGI scripts in the Apache web server by setting the HTTP_USER_AGENT environment variable to a malicious function definition.
    id MSF:EXPLOIT/MULTI/HTTP/APACHE_MOD_CGI_BASH_ENV_EXEC
    last seen 2018-04-27
    modified 2017-07-24
    published 2014-09-25
    reliability Excellent
    reporter Rapid7
    source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/apache_mod_cgi_bash_env_exec.rb
    title Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)
  • description This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets the VMWare Fusion application, allowing an unprivileged local user to get root access.
    id MSF:EXPLOIT/OSX/LOCAL/VMWARE_BASH_FUNCTION_ROOT
    last seen 2018-06-13
    modified 2018-05-31
    published 2014-09-24
    reliability Normal
    reporter Rapid7
    source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/osx/local/vmware_bash_function_root.rb
    title OS X VMWare Fusion Privilege Escalation via Bash Environment Code Injection (Shellshock)
  • description This module scans for the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets CGI scripts in the Apache web server by setting the HTTP_USER_AGENT environment variable to a malicious function definition. PROTIP: Use exploit/multi/handler with a PAYLOAD appropriate to your CMD, set ExitOnSession false, run -j, and then run this module to create sessions on vulnerable hosts. Note that this is not the recommended method for obtaining shells. If you require sessions, please use the apache_mod_cgi_bash_env_exec exploit module instead.
    id MSF:AUXILIARY/SCANNER/HTTP/APACHE_MOD_CGI_BASH_ENV
    last seen 2018-06-01
    modified 2017-07-24
    published 2014-09-25
    reliability Normal
    reporter Rapid7
    source https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/apache_mod_cgi_bash_env.rb
    title Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner
  • description IPFire, a free Linux-based open source firewall distribution, version <= 2.15 Update Core 82 contains an authenticated remote command execution vulnerability via Shellshock in the request headers.
    id MSF:EXPLOIT/LINUX/HTTP/IPFIRE_BASHBUG_EXEC
    last seen 2018-06-01
    modified 2017-07-24
    published 2016-05-30
    reliability Excellent
    reporter Rapid7
    source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/ipfire_bashbug_exec.rb
    title IPFire Bash Environment Variable Injection (Shellshock)
  • description This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets dhclient by responding to DHCP requests with a malicious hostname, domainname, and URL which are then passed to the configuration scripts as environment variables, resulting in code execution.
    id MSF:AUXILIARY/SERVER/DHCLIENT_BASH_ENV
    last seen 2018-05-25
    modified 2017-07-24
    published 2014-09-26
    reliability Normal
    reporter Rapid7
    source https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/server/dhclient_bash_env.rb
    title DHCP Client Bash Environment Variable Code Injection (Shellshock)
  • description This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets dhclient by responding to DHCP requests with a malicious hostname, domainname, and URL which are then passed to the configuration scripts as environment variables, resulting in code execution. Due to length restrictions and the unusual networking scenario at the time of exploitation, this module achieves code execution by writing the payload into /etc/crontab and then cleaning it up after a session is created.
    id MSF:EXPLOIT/UNIX/DHCP/BASH_ENVIRONMENT
    last seen 2018-06-01
    modified 2017-07-24
    published 2014-09-26
    reliability Excellent
    reporter Rapid7
    source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/dhcp/bash_environment.rb
    title Dhclient Bash Environment Variable Injection (Shellshock)
  • description This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets the Pure-FTPd FTP server when it has been compiled with the --with-extauth flag and an external Bash script is used for authentication. If the server is not set up this way, the exploit will fail, even if the version of Bash in use is vulnerable.
    id MSF:EXPLOIT/MULTI/FTP/PUREFTPD_BASH_ENV_EXEC
    last seen 2018-06-04
    modified 2017-07-24
    published 2014-10-01
    reliability Excellent
    reporter Rapid7
    source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/ftp/pureftpd_bash_env_exec.rb
    title Pure-FTPd External Authentication Bash Environment Variable Code Injection (Shellshock)
  • description This module exploits a shellshock vulnerability on Qmail, a public domain MTA written in C that runs on Unix systems. Due to the lack of validation on the MAIL FROM field, it is possible to execute shell code on a system with a vulnerable BASH (Shellshock). This flaw works on the latest Qmail versions (qmail-1.03 and netqmail-1.06). However, in order to execute code, /bin/sh has to be linked to bash (usually default configuration) and a valid recipient must be set on the RCPT TO field (usually admin@exampledomain.com). The exploit does not work on the "qmailrocks" community version as it ensures the MAILFROM field is well-formed.
    id MSF:EXPLOIT/UNIX/SMTP/QMAIL_BASH_ENV_EXEC
    last seen 2018-05-19
    modified 2017-09-29
    published 2017-05-04
    reliability Normal
    reporter Rapid7
    source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/smtp/qmail_bash_env_exec.rb
    title Qmail SMTP Bash Environment Variable Injection (Shellshock)
  • description This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets the 'ping.sh' CGI script, accessible through the Boa web server on Advantech switches. This module was tested against firmware version 1322_D1.98.
    id MSF:EXPLOIT/LINUX/HTTP/ADVANTECH_SWITCH_BASH_ENV_EXEC
    last seen 2018-05-24
    modified 2017-08-29
    published 2015-12-01
    reliability Excellent
    reporter Rapid7
    source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/advantech_switch_bash_env_exec.rb
    title Advantech Switch Bash Environment Variable Code Injection (Shellshock)
nessus via4
  • NASL family CISCO
    NASL id CISCO_CUPS_CSCUR05454.NASL
    description According to its self-reported version, the CUCM IM and Presence Service installed on the remote host contains a version of GNU Bash that is affected by a command injection vulnerability known as Shellshock, which is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
    last seen 2017-10-29
    modified 2017-04-25
    plugin id 79124
    published 2014-11-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79124
    title CUCM IM and Presence Service GNU Bash Environment Variable Handling Command Injection (CSCur05454) (Shellshock)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SHELLSHOCK_UPDATE.NASL
    description The remote Mac OS X host has a version of Bash prior to 3.2.53(1)-release installed. It is, therefore, affected by a command injection vulnerability via environment variable manipulation. Depending on the configuration of the system, an attacker could remotely execute arbitrary code.
    last seen 2017-10-29
    modified 2017-05-30
    plugin id 77971
    published 2014-09-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77971
    title GNU Bash Local Environment Variable Handling Command Injection (Mac OS X) (Shellshock)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201409-09.NASL
    description The remote host is affected by the vulnerability described in GLSA-201409-09 (Bash: Code Injection) Stephane Chazelas reported that Bash incorrectly handles function definitions, allowing attackers to inject arbitrary code. Impact : A remote attacker could exploit this vulnerability to execute arbitrary commands even in restricted environments. Workaround : There is no known workaround at this time.
    last seen 2017-10-29
    modified 2016-05-21
    plugin id 78059
    published 2014-10-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78059
    title GLSA-201409-09 : Bash: Code Injection (Shellshock)
  • NASL family Misc.
    NASL id VMWARE_WORKSPACE_PORTAL_VMSA2014-0010.NASL
    description The version of VMware Workspace Portal (formerly known as VMware Horizon Workspace) installed on the remote host is missing package updates. It is, therefore, affected by the following vulnerabilities in the Bash shell : - A command injection vulnerability exists in GNU Bash known as Shellshock, which is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system. By sending a specially crafted request to a CGI script that passes environment variables, a remote, unauthenticated attacker can execute arbitrary code on the host. (CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169) - An out-of-bounds memory access error exists due to improper redirection implementation in the 'parse.y' source file. A remote attacker can exploit this issue to cause a denial of service or potentially execute arbitrary code. (CVE-2014-7186) - An off-by-one error exists in the 'read_token_word' function in the 'parse.y' source file. A remote attacker can exploit this issue to cause a denial of service or potentially execute arbitrary code. (CVE-2014-7187)
    last seen 2017-10-29
    modified 2017-06-12
    plugin id 78857
    published 2014-11-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78857
    title VMware Workspace Portal Multiple Bash Shell Vulnerabilities (VMSA-2014-0010) (Shellshock)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS9_149079-01.NASL
    description SunOS 5.9: bash patch. Date this patch was last updated by Oracle : Sep/26/14
    last seen 2017-10-29
    modified 2014-10-14
    plugin id 77911
    published 2014-09-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77911
    title Solaris 9 (sparc) : 149079-01
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2014-186.NASL
    description A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue (CVE-2014-6271).
    last seen 2017-10-29
    modified 2016-11-28
    plugin id 77843
    published 2014-09-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77843
    title Mandriva Linux Security Advisory : bash (MDVSA-2014:186)
  • NASL family Misc.
    NASL id VCENTER_OPERATIONS_MANAGER_VMSA_2014-0010.NASL
    description The version of VMware vCenter Operations Manager installed on the remote host is prior to 5.7.3 / 5.8.3. It is, therefore, affected by the environmental variable command injection vulnerability known as 'Shellshock'.
    last seen 2017-10-29
    modified 2016-11-29
    plugin id 78889
    published 2014-11-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78889
    title VMware vCenter Operations Management Bash Vulnerabilities (VMSA-2014-0010) (Shellshock)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS10_X86_126547.NASL
    description Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Bash). The supported version that is affected is 10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Solaris executes to compromise Solaris. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Solaris accessible data. This plugin has been deprecated and either replaced with individual 126547 patch-revision plugins, or deemed non-security related.
    last seen 2018-03-15
    modified 2018-03-12
    plugin id 62115
    published 2012-09-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=62115
    title Solaris 10 (x86) : 126547-10 (deprecated)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-1294.NASL
    description Updated bash packages that fix one security issue are now available for Red Hat Enterprise Linux 4 Extended Life Cycle Support, Red Hat Enterprise Linux 5.6 Long Life, Red Hat Enterprise Linux 5.9 Extended Update Support, Red Hat Enterprise Linux 6.2 Advanced Update Support, and Red Hat Enterprise Linux 6.4 Extended Update Support. Red Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The GNU Bourne Again shell (Bash) is a shell and command language interpreter compatible with the Bourne shell (sh). Bash is the default shell for Red Hat Enterprise Linux. A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. (CVE-2014-6271) For additional information on the CVE-2014-6271 flaw, refer to the Knowledgebase article at https://access.redhat.com/articles/1200223 Red Hat would like to thank Stephane Chazelas for reporting this issue. All bash users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.
    last seen 2017-10-29
    modified 2017-01-09
    plugin id 79051
    published 2014-11-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79051
    title RHEL 5 / 6 : bash (RHSA-2014:1294) (Shellshock)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2014-567.NASL
    description This patch was withdrawn by the openSUSE team, as the software was fixed prior to release. No replacement patches/plugins exist. bash was updated to fix command injection via environment variables. (CVE-2014-6271,CVE-2014-7169) Also a hardening patch was applied that only imports functions over BASH_FUNC_ prefixed environment variables. Also fixed: CVE-2014-7186, CVE-2014-7187: bad handling of HERE documents and for loop issue
    last seen 2017-10-29
    modified 2015-11-03
    plugin id 78115
    published 2014-10-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78115
    title openSUSE Security Update : bash (openSUSE-SU-2014:1254-1) (deprecated)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS10_126546-06.NASL
    description SunOS 5.10: bash patch. Date this patch was last updated by Oracle : Sep/26/14
    last seen 2017-10-29
    modified 2016-12-09
    plugin id 77913
    published 2014-09-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77913
    title Solaris 10 (sparc) : 126546-06
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_71AD81DA441411E4A33E3C970E169BC2.NASL
    description Chet Ramey reports : Under certain circumstances, bash will execute user code while processing the environment for exported function definitions. The original fix released for CVE-2014-6271 was not adequate. A similar vulnerability was discovered and tagged as CVE-2014-7169.
    last seen 2017-10-29
    modified 2015-12-03
    plugin id 77836
    published 2014-09-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77836
    title FreeBSD : bash -- remote code execution vulnerability (71ad81da-4414-11e4-a33e-3c970e169bc2) (Shellshock)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS11_BASH_20141031_2.NASL
    description The remote Solaris system is missing necessary patches to address security updates : - GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka 'ShellShock.' NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. (CVE-2014-6271) - GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access, and untrusted-pointer read and write operations) via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271 and CVE-2014-7169. (CVE-2014-6277) - GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277. (CVE-2014-6278) - GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271. (CVE-2014-7169) - The redirection implementation in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via crafted use of here documents, aka the 'redir_stack' issue. (CVE-2014-7186) - Off-by-one error in the read_token_word function in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via deeply nested for loops, aka the 'word_lineno' issue. (CVE-2014-7187)
    last seen 2017-10-29
    modified 2016-02-04
    plugin id 88514
    published 2016-02-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88514
    title Oracle Solaris Third-Party Patch Update : bash (multiple_vulnerabilities_in_bash1) (Shellshock)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2014-559.NASL
    description bash was updated to fix a critical security issue, a minor security issue and bugs : In some circumstances, the shell would evaluate shellcode in environment variables passed at startup time. This allowed code execution by local or remote attackers who could pass environment variables to bash scripts. (CVE-2014-6271) Fixed a temporary file misuse in _rl_tropen (bnc#868822) Even if used only by developers to debug readline library do not open temporary files from public location without O_EXCL (CVE-2014-2524) Additional bugfixes : - Backported corrected German error message for a failing getpwd (bnc#895475) - Add bash upstream patch 47 to fix a problem where the function that shortens pathnames for $PS1 according to the value of $PROMPT_DIRTRIM uses memcpy on potentially-overlapping regions of memory, when it should use memmove. The result is garbled pathnames in prompt strings. - Add bash upstream patch 46 to fix a problem introduced by patch 32, a problem with '$@' and arrays expanding empty positional parameters or array elements when using substring expansion, pattern substitution, or case modification. The empty parameters or array elements are removed instead of expanding to empty strings (''). - Add bash-4.2-strcpy.patch from upstream mailing list to patch collection tar ball to avoid, when using \w in the prompt and changing the directory outside of HOME, a strcpy working on overlapping memory areas.
    last seen 2017-10-29
    modified 2015-12-03
    plugin id 77846
    published 2014-09-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77846
    title openSUSE Security Update : bash (openSUSE-SU-2014:1226-1) (Shellshock)
  • NASL family VMware ESX Local Security Checks
    NASL id VMWARE_VMSA-2014-0010.NASL
    description a. Bash update for multiple products. Bash libraries have been updated in multiple products to resolve multiple critical security issues, also referred to as Shellshock. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187, CVE-2014-6277, CVE-2014-6278 to these issues. VMware products have been grouped into the following four product categories : I) ESXi and ESX Hypervisor ESXi is not affected because ESXi uses the Ash shell (through busybox), which is not affected by the vulnerability reported for the Bash shell. ESX has an affected version of the Bash shell. See table 1 for remediation for ESX. II) Windows-based products Windows-based products, including all versions of vCenter Server running on Windows, are not affected. III) VMware (virtual) appliances VMware (virtual) appliances ship with an affected version of Bash. See table 2 for remediation for appliances. IV) Products that run on Linux, Android, OSX or iOS (excluding virtual appliances) Products that run on Linux, Android, OSX or iOS (excluding virtual appliances) might use the Bash shell that is part of the operating system. If the operating system has a vulnerable version of Bash, the Bash security vulnerability might be exploited through the product. VMware recommends that customers contact their operating system vendor for a patch. MITIGATIONS VMware encourages restricting access to appliances through firewall rules and other network layer controls to only trusted IP addresses. This measure will greatly reduce any risk to these appliances. RECOMMENDATIONS VMware recommends customers evaluate and deploy patches for affected products in Table 1 and 2 below as these patches become available. For several products, both a patch and a product update are available. In general, if a patch is made available, the patch must be applied to the latest version of the appliance. Customers should refer to the specific product Knowledge Base articles listed in Section 4 to understand the type of remediation available and applicable appliance version numbers. Column 4 of the following tables lists the action required to remediate the vulnerability in each release, if a solution is available. Table 1 - ESXi and ESX Hypervisor
    last seen 2017-10-29
    modified 2016-08-16
    plugin id 78025
    published 2014-10-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78025
    title VMSA-2014-0010 : VMware product updates address critical Bash security vulnerabilities (Shellshock)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-11360.NASL
    description Disclosure - http://www.openwall.com/lists/oss-security/2014/09/24/10 Behaviour prior to patch :
      $ env x='() { :;}; echo OOPS' bash -c /usr/sbin/nologin
      OOPS
      This account is currently not available.
    Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-05-21
    plugin id 77874
    published 2014-09-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77874
    title Fedora 20 : bash-4.2.47-4.fc20 (2014-11360)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2014-595.NASL
    description - Replace patches bash-4.2-heredoc-eof-delim.patch and bash-4.2-parse-exportfunc.patch with the official upstream patch levels bash42-052 and bash42-053 - Replace patch bash-4.2-CVE-2014-7187.patch with upstream patch level bash42-051 - Add patches bash-4.2-heredoc-eof-delim.patch for bsc#898812, CVE-2014-6277: more troubles with functions bash-4.2-parse-exportfunc.patch for bsc#898884, CVE-2014-6278: code execution after original 6271 fix - Make bash-4.2-extra-import-func.patch an optional patch due instruction - Remove and replace patches bash-4.2-CVE-2014-6271.patch bash-4.2-BSC898604.patch bash-4.2-CVE-2014-7169.patch with bash upstream patch 48, patch 49, and patch 50 - Add patch bash-4.2-extra-import-func.patch which is based on the BSD patch of Christos. As further enhancements the option import-functions is mentioned in the manual page and a shopt switch is added to enable and disable import-functions on the fly
    last seen 2017-10-29
    modified 2015-12-03
    plugin id 78591
    published 2014-10-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78591
    title openSUSE Security Update : bash (openSUSE-SU-2014:1310-1) (Shellshock)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2015-164.NASL
    description Updated bash packages fix security vulnerability : A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue (CVE-2014-6271). This vulnerability can be exposed and exploited through several other pieces of software and should be considered highly critical. Please refer to the RedHat Knowledge Base article and blog post for more information. It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue (CVE-2014-7169). Bash has been updated to version 4.2 patch level 50, which further mitigates ShellShock-type vulnerabilities. Two such issues have already been discovered (CVE-2014-6277, CVE-2014-6278). See the RedHat article on the backward-incompatible changes introduced by the latest patch, caused by adding prefixes and suffixes to the variable names used for exporting functions. Note that the RedHat article mentions these variable names will have parentheses '()' at the end of their names, however, the latest upstream patch uses two percent signs '%%' at the end instead. Two other unrelated security issues in the parser have also been fixed in this update (CVE-2014-7186, CVE-2014-7187). All users and sysadmins are advised to update their bash package immediately.
    last seen 2017-10-29
    modified 2016-11-28
    plugin id 82417
    published 2015-03-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82417
    title Mandriva Linux Security Advisory : bash (MDVSA-2015:164)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2014-563.NASL
    description The command-line shell 'bash' evaluates environment variables, which allows the injection of characters and might be used to access files on the system in some circumstances (CVE-2014-7169). Please note that this issue is different from a previously fixed vulnerability tracked under CVE-2014-6271 and it is less serious due to the special, non-default system configuration that is needed to create an exploitable situation. To remove further exploitation potential we now limit the function-in-environment variable to variables prefixed with BASH_FUNC_. This hardening feature is work in progress and might be improved in later updates. Additionally two more security issues were fixed in bash: CVE-2014-7186: Nested HERE documents could lead to a crash of bash. CVE-2014-7187: Nesting of for loops could lead to a crash of bash.
    last seen 2017-10-29
    modified 2015-12-03
    plugin id 77966
    published 2014-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77966
    title openSUSE Security Update : bash (openSUSE-SU-2014:1229-1) (Shellshock)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-1354.NASL
    description An updated rhev-hypervisor6 package that fixes several security issues is now available. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: a subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent. Note: Red Hat Enterprise Virtualization Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions. A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. (CVE-2014-6271) It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. (CVE-2014-7169) A flaw was found in the way NSS parsed ASN.1 (Abstract Syntax Notation One) input from certain RSA signatures. A remote attacker could use this flaw to forge RSA certificates by providing a specially crafted signature to an application using NSS. (CVE-2014-1568) It was discovered that the fixed-sized redir_stack could be forced to overflow in the Bash parser, resulting in memory corruption, and possibly leading to arbitrary code execution when evaluating untrusted input that would not otherwise be run as code. (CVE-2014-7186) An off-by-one error was discovered in the way Bash was handling deeply nested flow control constructs. Depending on the layout of the .bss segment, this could allow arbitrary execution of code that would not otherwise be executed by Bash. (CVE-2014-7187) Red Hat would like to thank Stephane Chazelas for reporting CVE-2014-6271, and the Mozilla project for reporting CVE-2014-1568. Upstream acknowledges Antoine Delignat-Lavaud and Intel Product Security Incident Response Team as the original reporters of CVE-2014-1568. The CVE-2014-7186 and CVE-2014-7187 issues were discovered by Florian Weimer of Red Hat Product Security. Users of the Red Hat Enterprise Virtualization Hypervisor are advised to upgrade to this updated package.
    last seen 2017-10-29
    modified 2017-01-09
    plugin id 79053
    published 2014-11-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79053
    title RHEL 6 : rhev-hypervisor6 (RHSA-2014:1354) (Shellshock)
  • NASL family Misc.
    NASL id VMWARE_NSX_VMSA_2014_0010.NASL
    description The version of VMware NSX installed on the remote host is 4.x prior to 4.0.5 / 4.1.4 / 4.2.1 or 6.x prior to 6.0.7 / 6.1.1. It is, therefore, affected by a command injection vulnerability in GNU Bash known as Shellshock, which is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
    last seen 2017-10-29
    modified 2017-04-25
    plugin id 78826
    published 2014-11-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78826
    title VMware NSX Bash Environment Variable Command Injection (VMSA-2014-0010) (Shellshock)
  • NASL family SMTP problems
    NASL id SHELLSHOCK_MAIL_AGENTS.NASL
    description The remote host appears to be running a mail transfer or mail delivery agent such as Courier, Exim, Postfix, or Procmail. Many of these agents can be configured to run utility scripts for a diverse number of tasks including filtering, sorting, and delivering mail. These scripts may create the conditions that are exploitable, making the agent vulnerable to remote code execution via Shellshock. A negative result from this plugin does not prove conclusively that the remote system is not affected by Shellshock, only that the mail agent running on the system is not configured in such a way to allow remote execution via Shellshock.
    last seen 2017-10-29
    modified 2017-04-25
    plugin id 78701
    published 2014-10-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78701
    title Mail Transfer Agent and Mail Delivery Agent Remote Command Execution via Shellshock
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2014-594.NASL
    description - Replace patches bash-4.2-heredoc-eof-delim.patch and bash-4.2-parse-exportfunc.patch with the official upstream patch levels bash42-052 and bash42-053 - Replace patch bash-4.2-CVE-2014-7187.patch with upstream patch level bash42-051 - Make bash-4.2-extra-import-func.patch an optional patch due instruction - Remove and replace patches bash-4.2-CVE-2014-6271.patch bash-4.2-BSC898604.patch bash-4.2-CVE-2014-7169.patch with bash upstream patch 48, patch 49, and patch 50 - Add patch bash-4.2-extra-import-func.patch which is based on the BSD patch of Christos. As further enhancements the option import-functions is mentioned in the manual page and a shopt switch is added to enable and disable import-functions on the fly
    last seen 2017-10-29
    modified 2015-12-03
    plugin id 78590
    published 2014-10-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78590
    title openSUSE Security Update : bash (openSUSE-SU-2014:1308-1) (Shellshock)
  • NASL family Misc.
    NASL id MCAFEE_NGFW_SB10085.NASL
    description The remote host has a version of McAfee Next Generation Firewall (NGFW) installed that is affected by a command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
    last seen 2017-10-29
    modified 2017-04-25
    plugin id 79234
    published 2014-11-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79234
    title McAfee Next Generation Firewall GNU Bash Code Injection (SB10085) (Shellshock)
  • NASL family Misc.
    NASL id VMWARE_VMSA-2014-0010_REMOTE.NASL
    description The remote VMware ESX host is affected by multiple vulnerabilities in the Bash shell : - A command injection vulnerability exists in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system. (CVE-2014-6271, CVE-2014-7169, CVE-2014-6277, CVE-2014-6278) - An out-of-bounds read error exists in the redirection implementation in file parse.y when evaluating untrusted input during stacked redirects handling. A remote attacker can exploit this to cause a denial of service or possibly have other unspecified impact. (CVE-2014-7186) - An off-by-one overflow condition exists in the read_token_word() function in file parse.y when handling deeply nested flow control structures. A remote attacker can exploit this, by using deeply nested for-loops, to cause a denial of service or possibly execute arbitrary code. (CVE-2014-7187)
    last seen 2017-10-29
    modified 2016-08-16
    plugin id 87680
    published 2015-12-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87680
    title VMware ESX Multiple Bash Vulnerabilities (VMSA-2014-0010) (Shellshock)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS9_X86_149080.NASL
    description SunOS 5.9_x86: bash patch. Date this patch was last updated by Sun : Sep/30/14
    last seen 2017-10-29
    modified 2016-12-09
    plugin id 78113
    published 2014-10-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78113
    title Solaris 9 (x86) : 149080-02
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2014-1294.NASL
    description From Red Hat Security Advisory 2014:1294 : Updated bash packages that fix one security issue are now available for Red Hat Enterprise Linux 4 Extended Life Cycle Support, Red Hat Enterprise Linux 5.6 Long Life, Red Hat Enterprise Linux 5.9 Extended Update Support, Red Hat Enterprise Linux 6.2 Advanced Update Support, and Red Hat Enterprise Linux 6.4 Extended Update Support. Red Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The GNU Bourne Again shell (Bash) is a shell and command language interpreter compatible with the Bourne shell (sh). Bash is the default shell for Red Hat Enterprise Linux. A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. (CVE-2014-6271) For additional information on the CVE-2014-6271 flaw, refer to the Knowledgebase article at https://access.redhat.com/articles/1200223 Red Hat would like to thank Stephane Chazelas for reporting this issue. All bash users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.
    last seen 2017-10-29
    modified 2016-05-07
    plugin id 77849
    published 2014-09-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77849
    title Oracle Linux 4 : bash (ELSA-2014-1294) (Shellshock)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-11527.NASL
    description This build should fix CVE-2014-7169 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-05-21
    plugin id 77941
    published 2014-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77941
    title Fedora 20 : bash-4.2.48-2.fc20 (2014-11527) (Shellshock)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_BASH-140926.NASL
    description The command-line shell 'bash' evaluates environment variables, which allows the injection of characters and might be used to access files on the system in some circumstances. (CVE-2014-7169) Please note that this issue is different from a previously fixed vulnerability tracked under CVE-2014-6271 and is less serious due to the special, non-default system configuration that is needed to create an exploitable situation. To remove further exploitation potential we now limit the function-in-environment variable to variables prefixed with BASH_FUNC_. This hardening feature is work in progress and might be improved in later updates. Additionally, two other security issues have been fixed : - Nested HERE documents could lead to a crash of bash. (CVE-2014-7186) - Nesting of for loops could lead to a crash of bash. (CVE-2014-7187)
    last seen 2017-10-29
    modified 2016-12-21
    plugin id 77958
    published 2014-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77958
    title SuSE 11.3 Security Update : bash (SAT Patch Number 9780)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3032.NASL
    description Stephane Chazelas discovered a vulnerability in bash, the GNU Bourne-Again Shell, related to how environment variables are processed. In many common configurations, this vulnerability is exploitable over the network, especially if bash has been configured as the system shell.
    last seen 2017-10-29
    modified 2014-09-26
    plugin id 77825
    published 2014-09-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77825
    title Debian DSA-3032-1 : bash - security update
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2362-1.NASL
    description Stephane Chazelas discovered that Bash incorrectly handled trailing code in function definitions. An attacker could use this issue to bypass environment restrictions, such as SSH forced command environments. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-08-16
    plugin id 77854
    published 2014-09-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77854
    title Ubuntu 10.04 LTS / 12.04 LTS / 14.04 LTS : bash vulnerability (USN-2362-1) (Shellshock)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2014-564.NASL
    description The command-line shell 'bash' evaluates environment variables, which allows the injection of characters and might be used to access files on the system in some circumstances (CVE-2014-7169). Please note that this issue is different from a previously fixed vulnerability tracked under CVE-2014-6271 and it is less serious due to the special, non-default system configuration that is needed to create an exploitable situation. To remove further exploitation potential we now limit the function-in-environment variable to variables prefixed with BASH_FUNC_. This hardening feature is work in progress and might be improved in later updates. Additionally two more security issues were fixed in bash: CVE-2014-7186: Nested HERE documents could lead to a crash of bash. CVE-2014-7187: Nesting of for loops could lead to a crash of bash.
    last seen 2017-10-29
    modified 2015-12-03
    plugin id 77967
    published 2014-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77967
    title openSUSE Security Update : bash (openSUSE-SU-2014:1242-1) (Shellshock)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-11295.NASL
    description Disclosure - http://www.openwall.com/lists/oss-security/2014/09/24/10 Behaviour prior to patch :
      $ env x='() { :;}; echo OOPS' bash -c /usr/sbin/nologin
      OOPS
      This account is currently not available.
    Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-05-21
    plugin id 77935
    published 2014-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77935
    title Fedora 21 : bash-4.3.22-3.fc21 (2014-11295) (Shellshock)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2014-418.NASL
    description This ALAS is superseded by ALAS-2014-419. A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. We'd like to also give credit to our colleagues at Red Hat for their excellent blog post summarizing this issue.
    last seen 2018-04-26
    modified 2018-04-25
    plugin id 78361
    published 2014-10-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78361
    title Amazon Linux AMI : bash (ALAS-2014-418) (Shellshock)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20140924_BASH_ON_SL5_X.NASL
    description A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. (CVE-2014-6271) For additional information on the CVE-2014-6271 flaw, refer to https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
    last seen 2017-10-29
    modified 2015-12-03
    plugin id 77865
    published 2014-09-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77865
    title Scientific Linux Security Update : bash on SL5.x, SL6.x i386/x86_64 (Shellshock)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2014-1293.NASL
    description From Red Hat Security Advisory 2014:1293 : Updated bash packages that fix one security issue are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The GNU Bourne Again shell (Bash) is a shell and command language interpreter compatible with the Bourne shell (sh). Bash is the default shell for Red Hat Enterprise Linux. A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. (CVE-2014-6271) For additional information on the CVE-2014-6271 flaw, refer to the Knowledgebase article at https://access.redhat.com/articles/1200223 Red Hat would like to thank Stephane Chazelas for reporting this issue. All bash users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.
    last seen 2017-10-29
    modified 2016-05-07
    plugin id 77848
    published 2014-09-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77848
    title Oracle Linux 5 / 6 / 7 : bash (ELSA-2014-1293) (Shellshock)
  • NASL family CISCO
    NASL id CISCO_TELEPRESENCE_CONDUCTOR_CSCUR02103.NASL
    description According to its self-reported version number, the remote Cisco TelePresence Conductor device is affected by a command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system. Note that an attacker must be authenticated before the device is exposed to this exploit.
    last seen 2017-10-29
    modified 2017-04-25
    plugin id 79584
    published 2014-11-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79584
    title Cisco TelePresence Conductor Bash Remote Code Execution (Shellshock)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_BASH-140919.NASL
    description bash has been updated to fix a critical security issue. In some circumstances, the shell would evaluate shellcode in environment variables passed at startup time. This allowed code execution by local or remote attackers who could pass environment variables to bash scripts. (CVE-2014-6271)
    last seen 2017-10-29
    modified 2016-12-21
    plugin id 77850
    published 2014-09-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77850
    title SuSE 11.3 Security Update : bash (SAT Patch Number 9740)
  • NASL family Misc.
    NASL id MCAFEE_WEB_GATEWAY_SB10085.NASL
    description The remote host has a version of McAfee Web Gateway (MWG) installed that is affected by a command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
    last seen 2017-10-29
    modified 2017-04-25
    plugin id 79215
    published 2014-11-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79215
    title McAfee Web Gateway GNU Bash Code Injection (SB10085) (Shellshock)
  • NASL family CISCO
    NASL id CISCO-SA-CSCUR01959-ASA-CX.NASL
    description The remote ASA Next-Generation Firewall (NGFW) host is missing a security patch. It is, therefore, affected by a command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
    last seen 2017-10-29
    modified 2017-04-25
    plugin id 78827
    published 2014-11-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78827
    title Cisco ASA Next-Generation Firewall GNU Bash Environment Variable Handling Command Injection (cisco-sa-20140926-bash) (Shellshock)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS11_BASH_20141031.NASL
    description The remote Solaris system is missing necessary patches to address security updates : - GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka 'ShellShock.' NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. (CVE-2014-6271) - GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277. (CVE-2014-6278) - GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. 
    NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271. (CVE-2014-7169) - The redirection implementation in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via crafted use of here documents, aka the 'redir_stack' issue. (CVE-2014-7186) - Off-by-one error in the read_token_word function in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via deeply nested for loops, aka the 'word_lineno' issue. (CVE-2014-7187)
    last seen 2017-10-29
    modified 2016-02-02
    plugin id 80590
    published 2015-01-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80590
    title Oracle Solaris Third-Party Patch Update : bash (multiple_vulnerabilities_in_bash) (Shellshock)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-11514.NASL
    description This build should fix CVE-2014-7169 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-05-21
    plugin id 77939
    published 2014-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77939
    title Fedora 19 : bash-4.2.48-2.fc19 (2014-11514) (Shellshock)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-11718.NASL
    description Fix for CVE-2014-7169 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-05-21
    plugin id 77945
    published 2014-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77945
    title Fedora 21 : bash-4.3.25-2.fc21 (2014-11718) (Shellshock)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-11503.NASL
    description Disclosure - http://www.openwall.com/lists/oss-security/2014/09/24/10 Behaviour prior to patch : $ env x='() { :;}; echo OOPS' bash -c /usr/sbin/nologin OOPS This account is currently not available. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-05-21
    plugin id 77876
    published 2014-09-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77876
    title Fedora 19 : bash-4.2.47-2.fc19 (2014-11503)
  • NASL family Gain a shell remotely
    NASL id BASH_REMOTE_CODE_EXECUTION.NASL
    description The remote host is running a version of Bash that is vulnerable to command injection via environment variable manipulation. Depending on the configuration of the system, an attacker could remotely execute arbitrary code.
    last seen 2018-05-17
    modified 2018-05-16
    plugin id 77823
    published 2014-09-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77823
    title Bash Remote Code Execution (Shellshock)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2014-267-01.NASL
    description New bash packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.
    last seen 2017-10-29
    modified 2016-05-13
    plugin id 77832
    published 2014-09-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77832
    title Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : bash (SSA:2014-267-01) (Shellshock)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20140926_BASH_ON_SL5_X.NASL
    description It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. (CVE-2014-7169) Applications which directly create bash functions as environment variables need to be made aware of changes to the way names are handled by this update. Note: Docker users are advised to use 'yum update' within their containers, and to commit the resulting changes. For additional information on CVE-2014-6271 and CVE-2014-7169, refer to https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
    last seen 2017-10-29
    modified 2015-12-03
    plugin id 77956
    published 2014-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77956
    title Scientific Linux Security Update : bash on SL5.x, SL6.x i386/x86_64 (Shellshock)
  • NASL family General
    NASL id SHELLSHOCK_SIP_INVITE.NASL
    description The remote host appears to be running SIP. SIP itself is not vulnerable to Shellshock; however, any Bash script that SIP runs for filtering or other routing tasks could potentially be affected if the script exports an environmental variable from the content or headers of a SIP message. A negative result from this plugin does not prove conclusively that the remote system is not affected by Shellshock, only that any scripts the SIP proxy may be running do not create the conditions that are exploitable via the Shellshock flaw.
    last seen 2017-10-29
    modified 2017-04-25
    plugin id 78822
    published 2014-11-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78822
    title SIP Script Remote Command Execution via Shellshock
  • NASL family Junos Local Security Checks
    NASL id JUNIPER_SPACE_JSA10648.NASL
    description According to its self-reported version number, the remote Junos Space version is prior to 14.1R2, and may be affected by a command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
    last seen 2017-10-29
    modified 2017-05-16
    plugin id 80196
    published 2014-12-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80196
    title Juniper Junos Space GNU Bash Command Injection Vulnerability (JSA10648) (Shellshock)
  • NASL family SMTP problems
    NASL id SHELLSHOCK_QMAIL.NASL
    description The remote host appears to be running Qmail. A remote attacker can exploit Qmail to execute commands via a specially crafted MAIL FROM header if the remote host has a vulnerable version of Bash. This is due to the fact that Qmail does not properly sanitize input before setting environmental variables. A negative result from this plugin does not prove conclusively that the remote system is not affected by Shellshock, only that Qmail could not be used to exploit the Shellshock flaw.
    last seen 2017-10-29
    modified 2017-04-25
    plugin id 77970
    published 2014-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77970
    title Qmail Remote Command Execution via Shellshock
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS9_X86_149080-01.NASL
    description SunOS 5.9_x86: bash patch. Date this patch was last updated by Oracle : Sep/26/14
    last seen 2017-10-29
    modified 2014-10-14
    plugin id 77912
    published 2014-09-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77912
    title Solaris 9 (x86) : 149080-01
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_81E2B3084A6C11E4B7116805CA0B3D42.NASL
    description Best Practical reports : RT 4.2.0 and above may be vulnerable to arbitrary execution of code by way of CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, or CVE-2014-6271 -- collectively known as 'Shellshock.' This vulnerability requires a privileged user with access to an RT instance running with SMIME integration enabled; it applies to both mod_perl and fastcgi deployments. If you have already taken upgrades to bash to resolve 'Shellshock,' you are protected from this vulnerability in RT, and there is no need to apply this patch. This vulnerability has been assigned CVE-2014-7227.
    last seen 2017-10-29
    modified 2015-12-03
    plugin id 78039
    published 2014-10-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78039
    title FreeBSD : rt42 -- vulnerabilities related to shellshock (81e2b308-4a6c-11e4-b711-6805ca0b3d42)
  • NASL family CISCO
    NASL id CISCO_TELEPRESENCE_VCS_CSCUR01461.NASL
    description According to its self-reported version number, the version of Cisco TelePresence Video Communication Server is affected by a command injection vulnerability known as Shellshock in its included GNU Bash shell. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system. The API over HTTP(S) and/or SSH can therefore be exploited. An attacker must be authenticated before the system is exposed to this exploit.
    last seen 2017-10-29
    modified 2017-04-25
    plugin id 78596
    published 2014-10-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78596
    title Cisco TelePresence Video Communication Server Bash Remote Code Execution (Shellshock)
  • NASL family CISCO
    NASL id CISCO_UCS_DIRECTOR_CSCUR02877.NASL
    description According to its self-reported version, the remote host is running a version of Cisco UCS Director that could be affected by a command injection vulnerability in GNU Bash known as Shellshock, which is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system. Authentication on the system is required before this vulnerability can be exploited.
    last seen 2017-10-29
    modified 2017-04-25
    plugin id 78770
    published 2014-10-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78770
    title Cisco UCS Director Code Injection (CSCur02877) (Shellshock)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS10_126546.NASL
    description Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Bash). The supported version that is affected is 10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Solaris executes to compromise Solaris. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Solaris accessible data. This plugin has been deprecated and either replaced with individual 126546 patch-revision plugins, or deemed non-security related.
    last seen 2018-03-15
    modified 2018-03-12
    plugin id 62305
    published 2012-09-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=62305
    title Solaris 10 (sparc) : 126546-10 (deprecated)
  • NASL family Misc.
    NASL id VMWARE_VCENTER_SERVER_APPLIANCE_VMSA-2014-0010.NASL
    description The version of VMware vCenter Server Appliance installed on the remote host is 5.0 prior to Update 3b, 5.1 prior to Update 2b, or 5.5 prior to Update 2a. It therefore contains a version of bash that is affected by a command injection vulnerability via environment variable manipulation. Depending on the configuration of the system, an attacker could remotely execute arbitrary code.
    last seen 2017-10-29
    modified 2017-04-25
    plugin id 78508
    published 2014-10-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78508
    title VMware vCenter Server Appliance Bash Remote Code Execution (VMSA-2014-0010) (Shellshock)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2014-005.NASL
    description The remote host is running a version of Mac OS X 10.8 or 10.9 that does not have Security Update 2014-005 applied. This update contains several security-related fixes for the following issues : - A command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system. (CVE-2014-6271, CVE-2014-7169) - A man-in-the-middle (MitM) information disclosure vulnerability known as POODLE. The vulnerability is due to the way SSL 3.0 handles padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode. A MitM attacker can decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections. (CVE-2014-3566) Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen 2017-10-29
    modified 2017-04-25
    plugin id 78551
    published 2014-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78551
    title Mac OS X Multiple Vulnerabilities (Security Update 2014-005) (POODLE) (Shellshock)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_10_10.NASL
    description The remote host is running a version of Mac OS X that is prior to version 10.10. This update contains several security-related fixes for the following components : - 802.1X - AFP File Server - apache - App Sandbox - Bash - Bluetooth - Certificate Trust Policy - CFPreferences - CoreStorage - CUPS - Dock - fdesetup - iCloud Find My Mac - IOAcceleratorFamily - IOHIDFamily - IOKit - Kernel - LaunchServices - LoginWindow - Mail - MCX Desktop Config Profiles - NetFS Client Framework - QuickTime - Safari - Secure Transport - Security - Security - Code Signing Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen 2017-10-29
    modified 2017-04-25
    plugin id 78550
    published 2014-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78550
    title Mac OS X < 10.10 Multiple Vulnerabilities (POODLE) (Shellshock)
  • NASL family SMTP problems
    NASL id SHELLSHOCK_POSTFIX_FILTERS.NASL
    description The remote host appears to be running Postfix. Postfix itself is not vulnerable to Shellshock; however, any bash script Postfix runs for filtering or other tasks could potentially be affected if the script exports an environmental variable from the content or headers of a message. A negative result from this plugin does not prove conclusively that the remote system is not affected by Shellshock, only that any scripts Postfix may be running do not create the conditions that are exploitable via the Shellshock flaw.
    last seen 2017-10-29
    modified 2017-04-25
    plugin id 77969
    published 2014-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77969
    title Postfix Script Remote Command Execution via Shellshock
  • NASL family CISCO
    NASL id CISCO-SA-20140926-BASH-NXOS.NASL
    description According to its self-reported version, the remote NX-OS device is affected by a command injection vulnerability in GNU Bash known as Shellshock, which is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
    last seen 2017-10-29
    modified 2017-04-25
    plugin id 78693
    published 2014-10-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78693
    title Cisco NX-OS GNU Bash Environment Variable Command Injection Vulnerability (cisco-sa-20140926-bash) (Shellshock)
  • NASL family CGI abuses
    NASL id CISCO-SA-CSCUR01959-PRSM.NASL
    description According to its self-reported version number, the version of Cisco Prime Security Manager installed on the remote host is affected by a command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
    last seen 2018-06-15
    modified 2018-06-14
    plugin id 78828
    published 2014-11-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78828
    title Cisco Prime Security Manager GNU Bash Environment Variable Handling Command Injection (cisco-sa-20140926-bash) (Shellshock)
  • NASL family Windows
    NASL id VMWARE_VCENTER_CONVERTER_2014-0010.NASL
    description The version of VMware vCenter Converter installed on the remote Windows host is 5.1.x prior to 5.1.2 or 5.5.x prior to 5.5.3. It is, therefore, affected by the following vulnerabilities : - A command injection vulnerability exists in GNU Bash known as Shellshock, which is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system. While this host is not directly impacted by Shellshock, the standalone Converter application does deploy a Helper VM during Linux P2V conversions. This Helper VM contains a vulnerable version of Bash. (CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187) - A memory double-free error exists in 'd1_both.c' related to handling DTLS packets that allows denial of service attacks. (CVE-2014-3505) - An unspecified error exists in 'd1_both.c' related to handling DTLS handshake messages that allows denial of service attacks due to large amounts of memory being consumed. (CVE-2014-3506) - A memory leak error exists in 'd1_both.c' related to handling specially crafted DTLS packets that allows denial of service attacks. (CVE-2014-3507) - A NULL pointer dereference error exists related to handling anonymous ECDH cipher suites and crafted handshake messages that allows denial of service attacks against clients. (CVE-2014-3510)
    last seen 2017-10-29
    modified 2017-04-25
    plugin id 79147
    published 2014-11-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79147
    title VMware vCenter Converter 5.1.x < 5.1.2 / 5.5.x < 5.5.3 Multiple Vulnerabilities (VMSA-2014-0010) (Shellshock)
  • NASL family Misc.
    NASL id IBM_STORWIZE_1_5_0_4.NASL
    description The remote IBM Storwize V7000 Unified device is running version 1.3.x prior to 1.4.3.5 or 1.5.x prior to 1.5.0.4. It is, therefore, affected by the following vulnerabilities : - A command injection vulnerability exists in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system. (CVE-2014-6271) - An out-of-bounds memory access error exists in GNU Bash in file parse.y due to evaluating untrusted input during stacked redirects handling. A remote attacker can exploit this, via a crafted 'here' document, to execute arbitrary code or cause a denial of service. (CVE-2014-7186) - An off-by-one error exists in GNU Bash in the read_token_word() function in file parse.y when handling deeply-nested flow control constructs. A remote attacker can exploit this, by using deeply nested loops, to execute arbitrary code or cause a denial of service. (CVE-2014-7187) - A command injection vulnerability exists in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system. (CVE-2014-6278) Note that this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.
    last seen 2017-10-29
    modified 2017-04-25
    plugin id 85630
    published 2015-08-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85630
    title IBM Storwize V7000 Unified 1.3.x < 1.4.3.5 / 1.5.x < 1.5.0.4 Multiple Vulnerabilities (Shellshock)
  • NASL family F5 Networks Local Security Checks
    NASL id F5_BIGIP_SOL15629.NASL
    description GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.
    last seen 2017-10-29
    modified 2016-11-01
    plugin id 78197
    published 2014-10-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78197
    title F5 Networks BIG-IP : Multiple GNU Bash vulnerabilities (SOL15629) (Shellshock)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS9_149079.NASL
    description SunOS 5.9: bash patch. Date this patch was last updated by Sun : Sep/30/14
    last seen 2017-10-29
    modified 2016-12-09
    plugin id 78112
    published 2014-10-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78112
    title Solaris 9 (sparc) : 149079-03
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-1293.NASL
    description Updated bash packages that fix one security issue are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The GNU Bourne Again shell (Bash) is a shell and command language interpreter compatible with the Bourne shell (sh). Bash is the default shell for Red Hat Enterprise Linux. A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. (CVE-2014-6271) For additional information on the CVE-2014-6271 flaw, refer to the Knowledgebase article at https://access.redhat.com/articles/1200223 Red Hat would like to thank Stephane Chazelas for reporting this issue. All bash users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.
    last seen 2017-10-29
    modified 2017-01-09
    plugin id 77828
    published 2014-09-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77828
    title RHEL 5 / 6 / 7 : bash (RHSA-2014:1293) (Shellshock)
  • NASL family Firewalls
    NASL id CHECK_POINT_GAIA_SK102673.NASL
    description The remote host is running a version of Gaia OS which is affected by issues related to the SHELLSHOCK set of vulnerabilities in bash. An error exists in the bash functionality that evaluates specially formatted environment variables passed to it from another environment, which may result in remote code execution.
    last seen 2017-12-06
    modified 2017-12-06
    plugin id 104997
    published 2017-12-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104997
    title Check Point Gaia Operating Bash Code Injection (sk102673)(SHELLSHOCK)
  • NASL family Misc.
    NASL id MCAFEE_EMAIL_GATEWAY_SB10085.NASL
    description The remote host has a version of McAfee Email Gateway (MEG) installed that is affected by a command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
    last seen 2017-10-29
    modified 2017-04-25
    plugin id 79123
    published 2014-11-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79123
    title McAfee Email Gateway GNU Bash Code Injection (SB10085) (Shellshock)
  • NASL family FTP
    NASL id PROFTPD_BASH_INJECTION.NASL
    description The remote FTP server is affected by a remote code execution vulnerability due to an error in the Bash shell running on the remote host. A remote, unauthenticated attacker can execute arbitrary code on the remote host by sending a specially crafted request via the USER FTP command. The 'mod_exec' module exports the attacker-supplied username as an environment variable, which is then evaluated by Bash as code.
    last seen 2017-10-29
    modified 2017-06-19
    plugin id 77986
    published 2014-09-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77986
    title GNU Bash Environment Variable Handling Code Injection via ProFTPD (Shellshock)
  • NASL family Misc.
    NASL id VMWARE_VSPHERE_REPLICATION_VMSA_2014_0010.NASL
    description The VMware vSphere Replication installed on the remote host is version 5.1.x prior to 5.1.2.2, 5.5.x prior to 5.5.1.3, 5.6.x prior to 5.6.0.2, or 5.8.x prior to 5.8.0.1. It is, therefore, affected by a command injection vulnerability in GNU Bash known as Shellshock, which is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
    last seen 2017-10-29
    modified 2017-04-25
    plugin id 78771
    published 2014-10-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78771
    title VMware vSphere Replication Bash Environment Variable Command Injection Vulnerability (VMSA-2014-0010) (Shellshock)
  • NASL family CGI abuses
    NASL id BASH_CVE_2014_6271_RCE.NASL
    description The remote web server is affected by a command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
    last seen 2018-06-15
    modified 2018-06-14
    plugin id 77829
    published 2014-09-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77829
    title GNU Bash Environment Variable Handling Code Injection (Shellshock)
  • NASL family Palo Alto Local Security Checks
    NASL id PALO_ALTO_PAN-SA-2014-0004.NASL
    description The remote host is running a version of Palo Alto Networks PAN-OS prior to 5.0.15 / 5.1.10 / 6.0.6 / 6.1.1. It is, therefore, affected by a command injection vulnerability in GNU Bash known as Shellshock, which is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
    last seen 2017-10-29
    modified 2017-04-25
    plugin id 78587
    published 2014-10-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78587
    title Palo Alto Networks PAN-OS < 5.0.15 / 5.1.x < 5.1.10 / 6.0.x < 6.0.6 / 6.1.x < 6.1.1 Bash Shell Remote Code Execution (Shellshock)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2014-1293.NASL
    description Updated bash packages that fix one security issue are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The GNU Bourne Again shell (Bash) is a shell and command language interpreter compatible with the Bourne shell (sh). Bash is the default shell for Red Hat Enterprise Linux. A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. (CVE-2014-6271) For additional information on the CVE-2014-6271 flaw, refer to the Knowledgebase article at https://access.redhat.com/articles/1200223 Red Hat would like to thank Stephane Chazelas for reporting this issue. All bash users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.
    last seen 2017-10-29
    modified 2015-12-03
    plugin id 77835
    published 2014-09-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77835
    title CentOS 5 / 6 / 7 : bash (CESA-2014:1293) (Shellshock)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS11_BASH_2014_10_07.NASL
    description The remote Solaris system is missing necessary patches to address critical security updates related to 'Shellshock':
      - GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the 'mod_cgi' and 'mod_cgid' modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, also known as 'Shellshock.' Note that the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. (CVE-2014-6271)
      - GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access, and untrusted-pointer read and write operations) via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the 'mod_cgi' and 'mod_cgid' modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. Note that this vulnerability exists because of an incomplete fix for CVE-2014-6271 and CVE-2014-7169. (CVE-2014-6277)
      - GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the 'mod_cgi' and 'mod_cgid' modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. Note that this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277. (CVE-2014-6278)
      - GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have other unknown impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the 'mod_cgi' and 'mod_cgid' modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. Note that this vulnerability exists because of an incomplete fix for CVE-2014-6271. (CVE-2014-7169)
      - The redirection implementation in 'parse.y' in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have other unspecified impact via crafted use of 'here' documents, also known as the 'redir_stack' issue. (CVE-2014-7186)
      - An off-by-one error in the 'read_token_word' function in 'parse.y' in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have other unspecified impact via deeply nested for-loops, also known as the 'word_lineno' issue. (CVE-2014-7187)
    last seen 2017-10-29
    modified 2017-01-05
    plugin id 78395
    published 2014-10-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78395
    title Oracle third party patch update : bash_2014_10_07
redhat via4
advisories
  • bugzilla
    id 1141597
    title CVE-2014-6271 bash: specially-crafted environment variables can be used to inject shell commands
    oval
    OR
    • AND
      • OR
        • comment Red Hat Enterprise Linux 6 Client is installed
          oval oval:com.redhat.rhsa:tst:20100842001
        • comment Red Hat Enterprise Linux 6 Server is installed
          oval oval:com.redhat.rhsa:tst:20100842002
        • comment Red Hat Enterprise Linux 6 Workstation is installed
          oval oval:com.redhat.rhsa:tst:20100842003
        • comment Red Hat Enterprise Linux 6 ComputeNode is installed
          oval oval:com.redhat.rhsa:tst:20100842004
      • OR
        • AND
          • comment bash is earlier than 0:4.1.2-15.el6_5.1
            oval oval:com.redhat.rhsa:tst:20141293005
          • comment bash is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20141293006
        • AND
          • comment bash-doc is earlier than 0:4.1.2-15.el6_5.1
            oval oval:com.redhat.rhsa:tst:20141293007
          • comment bash-doc is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20141293008
    • AND
      • comment Red Hat Enterprise Linux 5 is installed
        oval oval:com.redhat.rhsa:tst:20070055001
      • comment bash is earlier than 0:3.2-33.el5.1
        oval oval:com.redhat.rhsa:tst:20141293010
      • comment bash is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhsa:tst:20111073003
    • AND
      • OR
        • comment Red Hat Enterprise Linux 7 Client is installed
          oval oval:com.redhat.rhsa:tst:20140675001
        • comment Red Hat Enterprise Linux 7 Server is installed
          oval oval:com.redhat.rhsa:tst:20140675002
        • comment Red Hat Enterprise Linux 7 Workstation is installed
          oval oval:com.redhat.rhsa:tst:20140675003
        • comment Red Hat Enterprise Linux 7 ComputeNode is installed
          oval oval:com.redhat.rhsa:tst:20140675004
      • OR
        • AND
          • comment bash is earlier than 0:4.2.45-5.el7_0.2
            oval oval:com.redhat.rhsa:tst:20141293016
          • comment bash is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20141293006
        • AND
          • comment bash-doc is earlier than 0:4.2.45-5.el7_0.2
            oval oval:com.redhat.rhsa:tst:20141293017
          • comment bash-doc is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20141293008
    rhsa
    id RHSA-2014:1293
    released 2014-09-24
    severity Critical
    title RHSA-2014:1293: bash security update (Critical)
  • rhsa
    id RHSA-2014:1294
  • rhsa
    id RHSA-2014:1295
  • rhsa
    id RHSA-2014:1354
rpms
  • bash-0:4.1.2-15.el6_5.1
  • bash-doc-0:4.1.2-15.el6_5.1
  • bash-0:3.2-33.el5.1
  • bash-0:4.2.45-5.el7_0.2
  • bash-doc-0:4.2.45-5.el7_0.2
refmap via4
apple APPLE-SA-2014-10-16-1
bid 70103
bugtraq 20141001 NEW VMSA-2014-0010 - VMware product updates address critical Bash security vulnerabilities
cert TA14-268A
cert-vn VU#252743
cisco 20140926 GNU Bash Environmental Variable Command Injection Vulnerability
debian DSA-3032
fulldisc 20141001 FW: NEW VMSA-2014-0010 - VMware product updates address critical Bash security vulnerabilities
hp
  • HPSBGN03117
  • HPSBGN03138
  • HPSBGN03141
  • HPSBGN03142
  • HPSBGN03233
  • HPSBHF03119
  • HPSBHF03124
  • HPSBHF03125
  • HPSBHF03145
  • HPSBHF03146
  • HPSBMU03133
  • HPSBMU03143
  • HPSBMU03144
  • HPSBMU03165
  • HPSBMU03182
  • HPSBMU03217
  • HPSBMU03220
  • HPSBMU03245
  • HPSBMU03246
  • HPSBOV03228
  • HPSBST03122
  • HPSBST03129
  • HPSBST03131
  • HPSBST03148
  • HPSBST03154
  • HPSBST03155
  • HPSBST03157
  • HPSBST03181
  • HPSBST03195
  • HPSBST03196
  • HPSBST03265
  • SSRT101711
  • SSRT101739
  • SSRT101742
  • SSRT101816
  • SSRT101819
  • SSRT101827
  • SSRT101868
jvn JVN#55667175
jvndb JVNDB-2014-000126
mandriva MDVSA-2015:164
secunia
  • 58200
  • 59272
  • 59737
  • 59907
  • 60024
  • 60034
  • 60044
  • 60055
  • 60063
  • 60193
  • 60325
  • 60433
  • 60947
  • 61065
  • 61128
  • 61129
  • 61188
  • 61283
  • 61287
  • 61291
  • 61312
  • 61313
  • 61328
  • 61442
  • 61471
  • 61485
  • 61503
  • 61542
  • 61547
  • 61550
  • 61552
  • 61565
  • 61603
  • 61633
  • 61641
  • 61643
  • 61654
  • 61676
  • 61700
  • 61703
  • 61711
  • 61715
  • 61780
  • 61816
  • 61855
  • 61857
  • 61873
  • 62228
  • 62312
  • 62343
suse
  • SUSE-SU-2014:1212
  • SUSE-SU-2014:1213
  • SUSE-SU-2014:1223
  • SUSE-SU-2014:1260
  • SUSE-SU-2014:1287
  • openSUSE-SU-2014:1226
  • openSUSE-SU-2014:1238
  • openSUSE-SU-2014:1254
  • openSUSE-SU-2014:1308
  • openSUSE-SU-2014:1310
ubuntu USN-2362-1
saint via4
  • bid 70103
    description Bash Environment Variable Handling Shell Command Injection Via CUPS
    id shell_bash
    osvdb 112004
    title bash_shellshock_cups
    type remote
  • bid 70103
    description ShellShock DHCP Server
    osvdb 112004
    title ssdhcp
    type client
  • bid 70103
    description Bash environment variable code injection over HTTP
    id shell_bash
    osvdb 112004
    title bash_shellshock_http
    type remote
vmware via4
description Bash libraries have been updated in multiple products to resolve multiple critical security issues, also referred to as Shellshock.
id VMSA-2014-0010
last_updated 2014-10-17T00:00:00
published 2014-09-30T00:00:00
title Bash update for multiple products
workaround None
Last major update 06-01-2017 - 22:00
Published 24-09-2014 - 14:48
Last modified 04-10-2017 - 21:29