ID CVE-2014-6277
Summary GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access, and untrusted-pointer read and write operations) via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271 and CVE-2014-7169.
References
Vulnerable Configurations
  • GNU Bourne-Again SHellbash (GNU Bash) 1.14.0
    cpe:2.3:a:gnu:bash:1.14.0
  • GNU Bourne-Again SHellbash (GNU Bash) 1.14.1
    cpe:2.3:a:gnu:bash:1.14.1
  • GNU Bourne-Again SHellbash (GNU Bash) 1.14.2
    cpe:2.3:a:gnu:bash:1.14.2
  • GNU Bourne-Again SHellbash (GNU Bash) 1.14.3
    cpe:2.3:a:gnu:bash:1.14.3
  • GNU Bourne-Again SHellbash (GNU Bash) 1.14.4
    cpe:2.3:a:gnu:bash:1.14.4
  • GNU Bourne-Again SHellbash (GNU Bash) 1.14.5
    cpe:2.3:a:gnu:bash:1.14.5
  • GNU Bourne-Again SHellbash (GNU Bash) 1.14.6
    cpe:2.3:a:gnu:bash:1.14.6
  • GNU Bourne-Again SHellbash (GNU Bash) 1.14.7
    cpe:2.3:a:gnu:bash:1.14.7
  • GNU Bourne-Again SHellbash (GNU Bash) 2.0
    cpe:2.3:a:gnu:bash:2.0
  • GNU Bourne-Again SHellbash (GNU Bash) 2.01
    cpe:2.3:a:gnu:bash:2.01
  • GNU Bourne-Again SHellbash (GNU Bash) 2.01.1
    cpe:2.3:a:gnu:bash:2.01.1
  • GNU Bourne-Again SHellbash (GNU Bash) 2.02
    cpe:2.3:a:gnu:bash:2.02
  • GNU Bourne-Again SHellbash (GNU Bash) 2.02.1
    cpe:2.3:a:gnu:bash:2.02.1
  • GNU Bourne-Again SHellbash (GNU Bash) 2.03
    cpe:2.3:a:gnu:bash:2.03
  • GNU Bourne-Again SHellbash (GNU Bash) 2.04
    cpe:2.3:a:gnu:bash:2.04
  • GNU Bourne-Again SHellbash (GNU Bash) 2.05
    cpe:2.3:a:gnu:bash:2.05
  • GNU Bourne-Again SHellbash (GNU Bash) 2.05a
    cpe:2.3:a:gnu:bash:2.05:a
  • GNU Bourne-Again SHellbash (GNU Bash) 2.05b
    cpe:2.3:a:gnu:bash:2.05:b
  • GNU Bourne-Again SHellbash (GNU Bash) 3.0
    cpe:2.3:a:gnu:bash:3.0
  • GNU Bourne-Again SHellbash (GNU Bash) 3.0.16
    cpe:2.3:a:gnu:bash:3.0.16
  • GNU Bourne-Again SHellbash (GNU Bash) 3.1
    cpe:2.3:a:gnu:bash:3.1
  • GNU Bourne-Again SHellbash (GNU Bash) 3.2
    cpe:2.3:a:gnu:bash:3.2
  • GNU Bourne-Again SHellbash (GNU Bash) 3.2.48
    cpe:2.3:a:gnu:bash:3.2.48
  • GNU Bourne-Again SHellbash (GNU Bash) 4.0
    cpe:2.3:a:gnu:bash:4.0
  • GNU Bourne-Again SHellbash (GNU Bash) 4.0 release candidate 1
    cpe:2.3:a:gnu:bash:4.0:rc1
  • GNU Bourne-Again SHellbash (GNU Bash) 4.1
    cpe:2.3:a:gnu:bash:4.1
  • GNU Bourne-Again SHellbash (GNU Bash) 4.2
    cpe:2.3:a:gnu:bash:4.2
  • GNU Bourne-Again SHellbash (GNU Bash) 4.3
    cpe:2.3:a:gnu:bash:4.3
CVSS
Base: 10.0 (as of 28-06-2016 - 13:25)
Impact:
Exploitability:
CWE CWE-78
CAPEC
  • Command Line Execution through SQL Injection
    An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
  • Command Delimiters
    An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or a blacklist input validation, as opposed to whitelist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or blacklist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
  • Exploiting Multiple Input Interpretation Layers
    An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiples passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.
  • Argument Injection
    An attacker changes the behavior or state of a targeted application through injecting data or command syntax through the targets use of non-validated and non-filtered arguments of exposed services or methods.
  • OS Command Injection
    In this type of an attack, an adversary injects operating system commands into existing application functions. An application that uses untrusted input to build command strings is vulnerable. An adversary can leverage OS command injection in an application to elevate privileges, execute arbitrary commands and compromise the underlying operating system.
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
COMPLETE COMPLETE COMPLETE
exploit-db via4
description GNU bash 4.3.11 Environment Variable dhclient Exploit. CVE-2014-3659,CVE-2014-3671,CVE-2014-6271,CVE-2014-6277,CVE-2014-62771,CVE-2014-6278,CVE-2014-7169,CVE...
id EDB-ID:34860
last seen 2016-02-04
modified 2014-10-02
published 2014-10-02
reporter @0x00string
source https://www.exploit-db.com/download/34860/
title GNU bash 4.3.11 Environment Variable dhclient Exploit
nessus via4
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_10_10_2.NASL
    description The remote host is running a version of Mac OS X 10.10.x that is prior to version 10.10.2. This update contains several security-related fixes for the following components : - bash - Bluetooth - CFNetwork Cache - CommerceKit Framework - CoreGraphics - CoreSymbolication - CPU Software - FontParser - Foundation - Intel Graphics Driver - IOAcceleratorFamily - IOHIDFamily - IOKit - IOUSBFamily - Kernel - LaunchServices - libnetcore - LoginWindow - lukemftp - OpenSSL - Safari - SceneKit - Security - security_taskgate - Spotlight - SpotlightIndex - sysmond - UserAccountUpdater Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 81087
    published 2015-01-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81087
    title Mac OS X 10.10.x < 10.10.2 Multiple Vulnerabilities (POODLE)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2014-3093.NASL
    description Description of changes: [4.1.2-29.0.1] - Fix segfaults from CVE-2014-6277 and CVE-2014-6278 completely. [orabug 19905294]
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 79375
    published 2014-11-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79375
    title Oracle Linux 6 : bash (ELSA-2014-3093) (Shellshock)
  • NASL family VMware ESX Local Security Checks
    NASL id VMWARE_VMSA-2014-0010.NASL
    description a. Bash update for multiple products. Bash libraries have been updated in multiple products to resolve multiple critical security issues, also referred to as Shellshock. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187, CVE-2014-6277, CVE-2014-6278 to these issues. VMware products have been grouped into the following four product categories : I) ESXi and ESX Hypervisor ESXi is not affected because ESXi uses the Ash shell (through busybox), which is not affected by the vulnerability reported for the Bash shell. ESX has an affected version of the Bash shell. See table 1 for remediation for ESX. II) Windows-based products Windows-based products, including all versions of vCenter Server running on Windows, are not affected. III) VMware (virtual) appliances VMware (virtual) appliances ship with an affected version of Bash. See table 2 for remediation for appliances. IV) Products that run on Linux, Android, OSX or iOS (excluding virtual appliances) Products that run on Linux, Android, OSX or iOS (excluding virtual appliances) might use the Bash shell that is part of the operating system. If the operating system has a vulnerable version of Bash, the Bash security vulnerability might be exploited through the product. VMware recommends that customers contact their operating system vendor for a patch. MITIGATIONS VMware encourages restricting access to appliances through firewall rules and other network layer controls to only trusted IP addresses. This measure will greatly reduce any risk to these appliances. RECOMMENDATIONS VMware recommends customers evaluate and deploy patches for affected products in Table 1 and 2 below as these patches become available. For several products, both a patch and a product update are available. In general, if a patch is made available, the patch must be applied to the latest version of the appliance. Customers should refer to the specific product Knowledge Base articles listed in Section 4 to understand the type of remediation available and applicable appliance version numbers. Column 4 of the following tables lists the action required to remediate the vulnerability in each release, if a solution is available. Table 1 - ESXi and ESX Hypervisor =================================
    last seen 2019-02-21
    modified 2018-08-06
    plugin id 78025
    published 2014-10-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78025
    title VMSA-2014-0010 : VMware product updates address critical Bash security vulnerabilities (Shellshock)
  • NASL family Misc.
    NASL id VMWARE_WORKSPACE_PORTAL_VMSA2014-0010.NASL
    description The version of VMware Workspace Portal (formerly known as VMware Horizon Workspace) installed on the remote host is missing package updates. It is, therefore, affected by the following vulnerabilities in the Bash shell : - A command injection vulnerability exists in GNU Bash known as Shellshock, which is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system. By sending a specially crafted request to a CGI script that passes environment variables, a remote, unauthenticated attacker can execute arbitrary code on the host. (CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169) - An out-of-bounds memory access error exists due to improper redirection implementation in the 'parse.y' source file. A remote attacker can exploit this issue to cause a denial of service or potentially execute arbitrary code. (CVE-2014-7186) - An off-by-one error exists in the 'read_token_word' function in the 'parse.y' source file. A remote attacker can exploit this issue to cause a denial of service or potentially execute arbitrary code. (CVE-2014-7187)
    last seen 2019-02-21
    modified 2018-08-06
    plugin id 78857
    published 2014-11-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78857
    title VMware Workspace Portal Multiple Bash Shell Vulnerabilities (VMSA-2014-0010) (Shellshock)
  • NASL family F5 Networks Local Security Checks
    NASL id F5_BIGIP_SOL15629.NASL
    description GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.
    last seen 2019-02-21
    modified 2019-01-04
    plugin id 78197
    published 2014-10-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78197
    title F5 Networks BIG-IP : Multiple GNU Bash vulnerabilities (SOL15629) (Shellshock)
  • NASL family CISCO
    NASL id CISCO-SA-CSCUR01959-ASA-CX.NASL
    description The remote ASA Next-Generation Firewall (NGFW) host is missing a security patch. It is, therefore, affected by a command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 78827
    published 2014-11-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78827
    title Cisco ASA Next-Generation Firewall GNU Bash Environment Variable Handling Command Injection (cisco-sa-20140926-bash) (Shellshock)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-2872-1.NASL
    description This update for bash fixes the following issues : - CVE-2016-7543: Local attackers could have executed arbitrary commands via specially crafted SHELLOPTS+PS4 variables (bsc#1001299) - CVE-2016-0634: Malicious hostnames could have allowed arbitrary command execution when $HOSTNAME was expanded in the prompt (bsc#1000396) - CVE-2014-6277: More troubles with functions (bsc#898812, bsc#1001759) - CVE-2014-6278: Code execution after original 6271 fix (bsc#898884) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 95282
    published 2016-11-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95282
    title SUSE SLED12 / SLES12 Security Update : bash (SUSE-SU-2016:2872-1) (Shellshock)
  • NASL family CGI abuses
    NASL id CISCO-SA-CSCUR01959-PRSM.NASL
    description According to its self-reported version number, the version of Cisco Prime Security Manager installed on the remote host is affected by a command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 78828
    published 2014-11-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78828
    title Cisco Prime Security Manager GNU Bash Environment Variable Handling Command Injection (cisco-sa-20140926-bash) (Shellshock)
  • NASL family Misc.
    NASL id VMWARE_NSX_VMSA_2014_0010.NASL
    description The version of VMware NSX installed on the remote host is 4.x prior to 4.0.5 / 4.1.4 / 4.2.1 or 6.x prior to 6.0.7 / 6.1.1. It is, therefore, affected by a command injection vulnerability in GNU Bash known as Shellshock, which is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 78826
    published 2014-11-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78826
    title VMware NSX Bash Environment Variable Command Injection (VMSA-2014-0010) (Shellshock)
  • NASL family Misc.
    NASL id VMWARE_VSPHERE_REPLICATION_VMSA_2014_0010.NASL
    description The VMware vSphere Replication installed on the remote host is version 5.1.x prior to 5.1.2.2, 5.5.x prior to 5.5.1.3, 5.6.x prior to 5.6.0.2, or 5.8.x prior to 5.8.0.1. It is, therefore, affected by a command injection vulnerability in GNU Bash known as Shellshock, which is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 78771
    published 2014-10-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78771
    title VMware vSphere Replication Bash Environment Variable Command Injection Vulnerability (VMSA-2014-0010) (Shellshock)
  • NASL family CISCO
    NASL id CISCO_CUPS_CSCUR05454.NASL
    description According to its self-reported version, the CUCM IM and Presence Service installed on the remote host contains a version of GNU Bash that is affected by a command injection vulnerability known as Shellshock, which is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
    last seen 2019-02-21
    modified 2018-07-06
    plugin id 79124
    published 2014-11-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79124
    title CUCM IM and Presence Service GNU Bash Environment Variable Handling Command Injection (CSCur05454) (Shellshock)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-1374.NASL
    description This update for bash fixes the following issues : - CVE-2016-7543: Local attackers could have executed arbitrary commands via specially crafted SHELLOPTS+PS4 variables (bsc#1001299) - CVE-2016-0634: Malicious hostnames could have allowed arbitrary command execution when $HOSTNAME was expanded in the prompt (bsc#1000396) - CVE-2014-6277: More troubles with functions (bsc#898812, bsc#1001759) - CVE-2014-6278: Code execution after original 6271 fix (bsc#898884) This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2019-02-21
    modified 2017-01-24
    plugin id 95529
    published 2016-12-05
    reporter Tenable
    sou