ID CVE-2014-7186
Summary The redirection implementation in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via crafted use of here documents, aka the "redir_stack" issue.
References
Vulnerable Configurations
  • GNU Bourne-Again SHellbash (GNU Bash) 1.14.0
    cpe:2.3:a:gnu:bash:1.14.0
  • GNU Bourne-Again SHellbash (GNU Bash) 1.14.1
    cpe:2.3:a:gnu:bash:1.14.1
  • GNU Bourne-Again SHellbash (GNU Bash) 1.14.2
    cpe:2.3:a:gnu:bash:1.14.2
  • GNU Bourne-Again SHellbash (GNU Bash) 1.14.3
    cpe:2.3:a:gnu:bash:1.14.3
  • GNU Bourne-Again SHellbash (GNU Bash) 1.14.4
    cpe:2.3:a:gnu:bash:1.14.4
  • GNU Bourne-Again SHellbash (GNU Bash) 1.14.5
    cpe:2.3:a:gnu:bash:1.14.5
  • GNU Bourne-Again SHellbash (GNU Bash) 1.14.6
    cpe:2.3:a:gnu:bash:1.14.6
  • GNU Bourne-Again SHellbash (GNU Bash) 1.14.7
    cpe:2.3:a:gnu:bash:1.14.7
  • GNU Bourne-Again SHellbash (GNU Bash) 2.0
    cpe:2.3:a:gnu:bash:2.0
  • GNU Bourne-Again SHellbash (GNU Bash) 2.01
    cpe:2.3:a:gnu:bash:2.01
  • GNU Bourne-Again SHellbash (GNU Bash) 2.01.1
    cpe:2.3:a:gnu:bash:2.01.1
  • GNU Bourne-Again SHellbash (GNU Bash) 2.02
    cpe:2.3:a:gnu:bash:2.02
  • GNU Bourne-Again SHellbash (GNU Bash) 2.02.1
    cpe:2.3:a:gnu:bash:2.02.1
  • GNU Bourne-Again SHellbash (GNU Bash) 2.03
    cpe:2.3:a:gnu:bash:2.03
  • GNU Bourne-Again SHellbash (GNU Bash) 2.04
    cpe:2.3:a:gnu:bash:2.04
  • GNU Bourne-Again SHellbash (GNU Bash) 2.05
    cpe:2.3:a:gnu:bash:2.05
  • GNU Bourne-Again SHellbash (GNU Bash) 2.05a
    cpe:2.3:a:gnu:bash:2.05:a
  • GNU Bourne-Again SHellbash (GNU Bash) 2.05b
    cpe:2.3:a:gnu:bash:2.05:b
  • GNU Bourne-Again SHellbash (GNU Bash) 3.0
    cpe:2.3:a:gnu:bash:3.0
  • GNU Bourne-Again SHellbash (GNU Bash) 3.0.16
    cpe:2.3:a:gnu:bash:3.0.16
  • GNU Bourne-Again SHellbash (GNU Bash) 3.1
    cpe:2.3:a:gnu:bash:3.1
  • GNU Bourne-Again SHellbash (GNU Bash) 3.2
    cpe:2.3:a:gnu:bash:3.2
  • GNU Bourne-Again SHellbash (GNU Bash) 3.2.48
    cpe:2.3:a:gnu:bash:3.2.48
  • GNU Bourne-Again SHellbash (GNU Bash) 4.0
    cpe:2.3:a:gnu:bash:4.0
  • GNU Bourne-Again SHellbash (GNU Bash) 4.0 release candidate 1
    cpe:2.3:a:gnu:bash:4.0:rc1
  • GNU Bourne-Again SHellbash (GNU Bash) 4.1
    cpe:2.3:a:gnu:bash:4.1
  • GNU Bourne-Again SHellbash (GNU Bash) 4.2
    cpe:2.3:a:gnu:bash:4.2
  • GNU Bourne-Again SHellbash (GNU Bash) 4.3
    cpe:2.3:a:gnu:bash:4.3
CVSS
Base: 10.0 (as of 28-06-2016 - 13:25)
Impact:
Exploitability:
CWE CWE-119
CAPEC
  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
  • Overflow Binary Resource File
    An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. This can allow the attacker access to the execution stack and execute arbitrary code in the target process. This attack pattern is a variant of standard buffer overflow attacks using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The attacker is required to either directly serve the binary content to the victim, or place it in a locale like a MP3 sharing application, for the victim to download. The attacker then is notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow.
  • Buffer Overflow via Symbolic Links
    This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
  • Overflow Variables and Tags
    This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.
  • Buffer Overflow via Parameter Expansion
    In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
  • Buffer Overflow in an API Call
    This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function's implementation. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.
  • Buffer Overflow in Local Command-Line Utilities
    This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.
Access
  Vector NETWORK
  Complexity LOW
  Authentication NONE
Impact
  Confidentiality COMPLETE
  Integrity COMPLETE
  Availability COMPLETE
exploit-db via4
description GNU bash 4.3.11 Environment Variable dhclient Exploit. CVE-2014-3659,CVE-2014-3671,CVE-2014-6271,CVE-2014-6277,CVE-2014-62771,CVE-2014-6278,CVE-2014-7169,CVE...
id EDB-ID:34860
last seen 2016-02-04
modified 2014-10-02
published 2014-10-02
reporter @0x00string
source https://www.exploit-db.com/download/34860/
title GNU bash 4.3.11 Environment Variable dhclient Exploit
nessus via4
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2014-190.NASL
    description It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue (CVE-2014-7169, CVE-2014-7186, CVE-2014-7187). Additionally bash has been updated from patch level 37 to 48 using the upstream patches at ftp://ftp.gnu.org/gnu/bash/bash-4.2-patches/ which resolves various bugs.
    last seen 2018-09-01
    modified 2018-07-19
    plugin id 77950
    published 2014-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77950
    title Mandriva Linux Security Advisory : bash (MDVSA-2014:190)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2014-419.NASL
    description GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271 and this bulletin is a follow-up to ALAS-2014-418. It was discovered that the fixed-sized redir_stack could be forced to overflow in the Bash parser, resulting in memory corruption, and possibly leading to arbitrary code execution when evaluating untrusted input that would not otherwise be run as code. An off-by-one error was discovered in the way Bash was handling deeply nested flow control constructs. Depending on the layout of the .bss segment, this could allow arbitrary execution of code that would not otherwise be executed by Bash. Special notes : Because of the exceptional nature of this security event, we have backfilled our 2014.03, 2013.09, and 2013.03 Amazon Linux AMI repositories with new bash packages that also fix both CVE-2014-7169 and CVE-2014-6271 . For 2014.09 Amazon Linux AMIs, 'bash-4.1.2-15.21.amzn1' addresses both CVEs. Running 'yum clean all' followed by 'yum update bash' will install the fixed package. For Amazon Linux AMIs 'locked' to the 2014.03 repositories, 'bash-4.1.2-15.21.amzn1' also addresses both CVEs. Running 'yum clean all' followed by 'yum update bash' will install the fixed package. For Amazon Linux AMIs 'locked' to the 2013.09 or 2013.03 repositories, 'bash-4.1.2-15.18.22.amzn1' addresses both CVEs. Running 'yum clean all' followed by 'yum update bash' will install the fixed package. 
    For Amazon Linux AMIs 'locked' to the 2012.09, 2012.03, or 2011.09 repositories, run 'yum clean all' followed by 'yum --releasever=2013.03 update bash' to install only the updated bash package. If you are using a pre-2011.09 Amazon Linux AMI, then you are using a version of the Amazon Linux AMI that was part of our public beta, and we encourage you to move to a newer version of the Amazon Linux AMI as soon as possible.
    last seen 2018-09-02
    modified 2018-04-19
    plugin id 78362
    published 2014-10-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78362
    title Amazon Linux AMI : bash (ALAS-2014-419)
  • NASL family VMware ESX Local Security Checks
    NASL id VMWARE_VMSA-2014-0010.NASL
    description a. Bash update for multiple products. Bash libraries have been updated in multiple products to resolve multiple critical security issues, also referred to as Shellshock. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187, CVE-2014-6277, CVE-2014-6278 to these issues. VMware products have been grouped into the following four product categories : I) ESXi and ESX Hypervisor ESXi is not affected because ESXi uses the Ash shell (through busybox), which is not affected by the vulnerability reported for the Bash shell. ESX has an affected version of the Bash shell. See table 1 for remediation for ESX. II) Windows-based products Windows-based products, including all versions of vCenter Server running on Windows, are not affected. III) VMware (virtual) appliances VMware (virtual) appliances ship with an affected version of Bash. See table 2 for remediation for appliances. IV) Products that run on Linux, Android, OSX or iOS (excluding virtual appliances) Products that run on Linux, Android, OSX or iOS (excluding virtual appliances) might use the Bash shell that is part of the operating system. If the operating system has a vulnerable version of Bash, the Bash security vulnerability might be exploited through the product. VMware recommends that customers contact their operating system vendor for a patch. MITIGATIONS VMware encourages restricting access to appliances through firewall rules and other network layer controls to only trusted IP addresses. This measure will greatly reduce any risk to these appliances. RECOMMENDATIONS VMware recommends customers evaluate and deploy patches for affected products in Table 1 and 2 below as these patches become available. For several products, both a patch and a product update are available. In general, if a patch is made available, the patch must be applied to the latest version of the appliance. 
    Customers should refer to the specific product Knowledge Base articles listed in Section 4 to understand the type of remediation available and applicable appliance version numbers. Column 4 of the following tables lists the action required to remediate the vulnerability in each release, if a solution is available. Table 1 - ESXi and ESX Hypervisor
    last seen 2018-09-01
    modified 2018-08-06
    plugin id 78025
    published 2014-10-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78025
    title VMSA-2014-0010 : VMware product updates address critical Bash security vulnerabilities (Shellshock)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2014-567.NASL
    description This patch was withdrawn by the openSUSE team, as the software was fixed prior to release. No replacement patches/plugins exist. bash was updated to fix command injection via environment variables. (CVE-2014-6271,CVE-2014-7169) Also a hardening patch was applied that only imports functions over BASH_FUNC_ prefixed environment variables. Also fixed: CVE-2014-7186, CVE-2014-7187: bad handling of HERE documents and for loop issue
    last seen 2017-10-29
    modified 2015-11-03
    plugin id 78115
    published 2014-10-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78115
    title openSUSE Security Update : bash (openSUSE-SU-2014:1254-1) (deprecated)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_81E2B3084A6C11E4B7116805CA0B3D42.NASL
    description Best Practical reports : RT 4.2.0 and above may be vulnerable to arbitrary execution of code by way of CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, or CVE-2014-6271 -- collectively known as 'Shellshock.' This vulnerability requires a privileged user with access to an RT instance running with SMIME integration enabled; it applies to both mod_perl and fastcgi deployments. If you have already taken upgrades to bash to resolve 'Shellshock,' you are protected from this vulnerability in RT, and there is no need to apply this patch. This vulnerability has been assigned CVE-2014-7227.
    last seen 2018-09-01
    modified 2015-12-03
    plugin id 78039
    published 2014-10-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78039
    title FreeBSD : rt42 -- vulnerabilities related to shellshock (81e2b308-4a6c-11e4-b711-6805ca0b3d42)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2014-563.NASL
    description The command-line shell 'bash' evaluates environment variables, which allows the injection of characters and might be used to access files on the system in some circumstances (CVE-2014-7169). Please note that this issue is different from a previously fixed vulnerability tracked under CVE-2014-6271 and it is less serious due to the special, non-default system configuration that is needed to create an exploitable situation. To remove further exploitation potential we now limit the function-in-environment variable to variables prefixed with BASH_FUNC_ . This hardening feature is work in progress and might be improved in later updates. Additionally two more security issues were fixed in bash: CVE-2014-7186: Nested HERE documents could lead to a crash of bash. CVE-2014-7187: Nesting of for loops could lead to a crash of bash.
    last seen 2018-09-01
    modified 2015-12-03
    plugin id 77966
    published 2014-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77966
    title openSUSE Security Update : bash (openSUSE-SU-2014:1229-1) (Shellshock)
  • NASL family CISCO
    NASL id CISCO_CUPS_CSCUR05454.NASL
    description According to its self-reported version, the CUCM IM and Presence Service installed on the remote host contains a version of GNU Bash that is affected by a command injection vulnerability known as Shellshock, which is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
    last seen 2018-09-01
    modified 2018-07-06
    plugin id 79124
    published 2014-11-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79124
    title CUCM IM and Presence Service GNU Bash Environment Variable Handling Command Injection (CSCur05454) (Shellshock)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS11_BASH_20141031_2.NASL
    description The remote Solaris system is missing necessary patches to address security updates : - GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka 'ShellShock.' NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. (CVE-2014-6271) - GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access, and untrusted-pointer read and write operations) via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271 and CVE-2014-7169. 
    (CVE-2014-6277) - GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277. (CVE-2014-6278) - GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271. (CVE-2014-7169) - The redirection implementation in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via crafted use of here documents, aka the 'redir_stack' issue. (CVE-2014-7186) - Off-by-one error in the read_token_word function in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via deeply nested for loops, aka the 'word_lineno' issue. (CVE-2014-7187)
    last seen 2018-09-01
    modified 2016-02-04
    plugin id 88514
    published 2016-02-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88514
    title Oracle Solaris Third-Party Patch Update : bash (multiple_vulnerabilities_in_bash1) (Shellshock)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_10_10_2.NASL
    description The remote host is running a version of Mac OS X 10.10.x that is prior to version 10.10.2. This update contains several security-related fixes for the following components : - bash - Bluetooth - CFNetwork Cache - CommerceKit Framework - CoreGraphics - CoreSymbolication - CPU Software - FontParser - Foundation - Intel Graphics Driver - IOAcceleratorFamily - IOHIDFamily - IOKit - IOUSBFamily - Kernel - LaunchServices - libnetcore - LoginWindow - lukemftp - OpenSSL - Safari - SceneKit - Security - security_taskgate - Spotlight - SpotlightIndex - sysmond - UserAccountUpdater Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen 2018-09-02
    modified 2018-07-14
    plugin id 81087
    published 2015-01-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81087
    title Mac OS X 10.10.x < 10.10.2 Multiple Vulnerabilities (POODLE)
  • NASL family Misc.
    NASL id VMWARE_WORKSPACE_PORTAL_VMSA2014-0010.NASL
    description The version of VMware Workspace Portal (formerly known as VMware Horizon Workspace) installed on the remote host is missing package updates. It is, therefore, affected by the following vulnerabilities in the Bash shell : - A command injection vulnerability exists in GNU Bash known as Shellshock, which is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system. By sending a specially crafted request to a CGI script that passes environment variables, a remote, unauthenticated attacker can execute arbitrary code on the host. (CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169) - An out-of-bounds memory access error exists due to improper redirection implementation in the 'parse.y' source file. A remote attacker can exploit this issue to cause a denial of service or potentially execute arbitrary code. (CVE-2014-7186) - An off-by-one error exists in the 'read_token_word' function in the 'parse.y' source file. A remote attacker can exploit this issue to cause a denial of service or potentially execute arbitrary code. (CVE-2014-7187)
    last seen 2018-09-02
    modified 2018-08-06
    plugin id 78857
    published 2014-11-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78857
    title VMware Workspace Portal Multiple Bash Shell Vulnerabilities (VMSA-2014-0010) (Shellshock)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2015-164.NASL
    description Updated bash packages fix security vulnerability : A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue (CVE-2014-6271). This vulnerability can be exposed and exploited through several other pieces of software and should be considered highly critical. Please refer to the RedHat Knowledge Base article and blog post for more information. It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue (CVE-2014-7169). Bash has been updated to version 4.2 patch level 50, which further mitigates ShellShock-type vulnerabilities. Two such issues have already been discovered (CVE-2014-6277, CVE-2014-6278). See the RedHat article on the backward-incompatible changes introduced by the latest patch, caused by adding prefixes and suffixes to the variable names used for exporting functions. Note that the RedHat article mentions these variable names will have parentheses '()' at the end of their names, however, the latest upstream patch uses two percent signs '%%' at the end instead. Two other unrelated security issues in the parser have also been fixed in this update (CVE-2014-7186, CVE-2014-7187). All users and sysadmins are advised to update their bash package immediately.
    last seen 2018-09-01
    modified 2018-07-19
    plugin id 82417
    published 2015-03-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82417
    title Mandriva Linux Security Advisory : bash (MDVSA-2015:164)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2014-1306.NASL
    description From Red Hat Security Advisory 2014:1306 : [Updated September 30, 2014] This advisory has been updated with information on restarting system services after applying this update. No changes have been made to the original packages. Updated bash packages that fix one security issue are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The GNU Bourne Again shell (Bash) is a shell and command language interpreter compatible with the Bourne shell (sh). Bash is the default shell for Red Hat Enterprise Linux. It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. (CVE-2014-7169) Applications which directly create bash functions as environment variables need to be made aware of changes to the way names are handled by this update. Note that certain services, screen sessions, and tmux sessions may need to be restarted, and affected interactive users may need to re-login. Installing these updated packages without restarting services will address the vulnerability, but functionality may be impacted until affected services are restarted. For more information see the Knowledgebase article at https://access.redhat.com/articles/1200223 Note: Docker users are advised to use 'yum update' within their containers, and to commit the resulting changes. 
    For additional information on CVE-2014-6271 and CVE-2014-7169, refer to the aforementioned Knowledgebase article. All bash users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.
    last seen 2018-09-01
    modified 2018-07-26
    plugin id 77951
    published 2014-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77951
    title Oracle Linux 5 / 6 / 7 : bash (ELSA-2014-1306)
  • NASL family Misc.
    NASL id MCAFEE_NGFW_SB10085.NASL
    description The remote host has a version of McAfee Next Generation Firewall (NGFW) installed that is affected by a command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
    last seen 2018-09-02
    modified 2018-07-14
    plugin id 79234
    published 2014-11-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79234
    title McAfee Next Generation Firewall GNU Bash Code Injection (SB10085) (Shellshock)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_BASH-140926.NASL
    description The command-line shell 'bash' evaluates environment variables, which allows the injection of characters and might be used to access files on the system in some circumstances. (CVE-2014-7169) Please note that this issue is different from a previously fixed vulnerability tracked under CVE-2014-6271 and is less serious due to the special, non-default system configuration that is needed to create an exploitable situation. To remove further exploitation potential we now limit the function-in-environment variable to variables prefixed with BASH_FUNC_. This hardening feature is work in progress and might be improved in later updates. Additionally, two other security issues have been fixed : - Nested HERE documents could lead to a crash of bash. (CVE-2014-7186) - Nesting of for loops could lead to a crash of bash. (CVE-2014-7187)
    last seen 2018-09-01
    modified 2016-12-21
    plugin id 77958
    published 2014-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77958
    title SuSE 11.3 Security Update : bash (SAT Patch Number 9780)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2014-564.NASL
    description The command-line shell 'bash' evaluates environment variables, which allows the injection of characters and might be used to access files on the system in some circumstances (CVE-2014-7169). Please note that this issue is different from a previously fixed vulnerability tracked under CVE-2014-6271 and it is less serious due to the special, non-default system configuration that is needed to create an exploitable situation. To remove further exploitation potential we now limit the function-in-environment variable to variables prefixed with BASH_FUNC_ . This hardening feature is work in progress and might be improved in later updates. Additionally two more security issues were fixed in bash: CVE-2014-7186: Nested HERE documents could lead to a crash of bash. CVE-2014-7187: Nesting of for loops could lead to a crash of bash.
    last seen 2018-09-01
    modified 2015-12-03
    plugin id 77967
    published 2014-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77967
    title openSUSE Security Update : bash (openSUSE-SU-2014:1242-1) (Shellshock)
  • NASL family CISCO
    NASL id CISCO-SA-CSCUR01959-ASA-CX.NASL
    description The remote ASA Next-Generation Firewall (NGFW) host is missing a security patch. It is, therefore, affected by a command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
    last seen 2018-09-02
    modified 2018-07-06
    plugin id 78827
    published 2014-11-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78827
    title Cisco ASA Next-Generation Firewall GNU Bash Environment Variable Handling Command Injection (cisco-sa-20140926-bash) (Shellshock)
  • NASL family Misc.
    NASL id MCAFEE_EMAIL_GATEWAY_SB10085.NASL
    description The remote host has a version of McAfee Email Gateway (MEG) installed that is affected by a command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
    last seen 2018-09-01
    modified 2018-07-14
    plugin id 79123
    published 2014-11-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79123
    title McAfee Email Gateway GNU Bash Code Injection (SB10085) (Shellshock)
  • NASL family Misc.
    NASL id MCAFEE_WEB_GATEWAY_SB10085.NASL
    description The remote host has a version of McAfee Web Gateway (MWG) installed that is affected by a command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
    last seen 2018-09-02
    modified 2018-07-14
    plugin id 79215
    published 2014-11-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79215
    title McAfee Web Gateway GNU Bash Code Injection (SB10085) (Shellshock)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2014-1306.NASL
    description Updated bash packages that fix one security issue are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The GNU Bourne Again shell (Bash) is a shell and command language interpreter compatible with the Bourne shell (sh). Bash is the default shell for Red Hat Enterprise Linux. It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. (CVE-2014-7169) Applications which directly create bash functions as environment variables need to be made aware of changes to the way names are handled by this update. For more information see the Knowledgebase article at https://access.redhat.com/articles/1200223 Note: Docker users are advised to use 'yum update' within their containers, and to commit the resulting changes. For additional information on CVE-2014-6271 and CVE-2014-7169, refer to the aforementioned Knowledgebase article. All bash users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.
    last seen 2018-09-01
    modified 2018-07-02
    plugin id 77879
    published 2014-09-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77879
    title CentOS 5 / 6 / 7 : bash (CESA-2014:1306)
  • NASL family Misc.
    NASL id VMWARE_VSPHERE_REPLICATION_VMSA_2014_0010.NASL
    description The VMware vSphere Replication installed on the remote host is version 5.1.x prior to 5.1.2.2, 5.5.x prior to 5.5.1.3, 5.6.x prior to 5.6.0.2, or 5.8.x prior to 5.8.0.1. It is, therefore, affected by a command injection vulnerability in GNU Bash known as Shellshock, which is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
    last seen 2018-09-02
    modified 2018-08-06
    plugin id 78771
    published 2014-10-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78771
    title VMware vSphere Replication Bash Environment Variable Command Injection Vulnerability (VMSA-2014-0010) (Shellshock)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201410-01.NASL
    description The remote host is affected by the vulnerability described in GLSA-201410-01 (Bash: Multiple vulnerabilities) Florian Weimer, Todd Sabin, Michal Zalewski et al. discovered further parsing flaws in Bash. The unaffected Gentoo packages listed in this GLSA contain the official patches to fix the issues tracked as CVE-2014-6277, CVE-2014-7186, and CVE-2014-7187. Furthermore, the official patch known as “function prefix patch” is included which prevents the exploitation of CVE-2014-6278. Impact : A remote attacker could exploit these vulnerabilities to execute arbitrary commands or cause a Denial of Service condition via various vectors. Workaround : There is no known workaround at this time.
    last seen 2018-09-02
    modified 2018-07-12
    plugin id 78060
    published 2014-10-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78060
    title GLSA-201410-01 : Bash: Multiple vulnerabilities (Shellshock)
  • NASL family Misc.
    NASL id IBM_STORWIZE_1_5_0_4.NASL
    description The remote IBM Storwize V7000 Unified device is running version 1.3.x prior to 1.4.3.5 or 1.5.x prior to 1.5.0.4. It is, therefore, affected by the following vulnerabilities : - A command injection vulnerability exists in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system. (CVE-2014-6271) - An out-of-bounds memory access error exists in GNU Bash in file parse.y due to evaluating untrusted input during stacked redirects handling. A remote attacker can exploit this, via a crafted 'here' document, to execute arbitrary code or cause a denial of service. (CVE-2014-7186) - An off-by-one error exists in GNU Bash in the read_token_word() function in file parse.y when handling deeply-nested flow control constructs. A remote attacker can exploit this, by using deeply nested loops, to execute arbitrary code or cause a denial of service. (CVE-2014-7187) - A command injection vulnerability exists in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system. (CVE-2014-6278) Note that this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.
    last seen 2018-09-01
    modified 2018-07-12
    plugin id 85630
    published 2015-08-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85630
    title IBM Storwize V7000 Unified 1.3.x < 1.4.3.5 / 1.5.x < 1.5.0.4 Multiple Vulnerabilities (Shellshock)
  • NASL family Misc.
    NASL id VMWARE_VCENTER_SERVER_APPLIANCE_VMSA-2014-0010.NASL
    description The version of VMware vCenter Server Appliance installed on the remote host is 5.0 prior to Update 3b, 5.1 prior to Update 2b, or 5.5 prior to Update 2a. It therefore contains a version of bash that is affected by a command injection vulnerability via environment variable manipulation. Depending on the configuration of the system, an attacker could remotely execute arbitrary code.
    last seen 2018-09-01
    modified 2018-08-06
    plugin id 78508
    published 2014-10-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78508
    title VMware vCenter Server Appliance Bash Remote Code Execution (VMSA-2014-0010) (Shellshock)
  • NASL family Misc.
    NASL id VMWARE_VMSA-2014-0010_REMOTE.NASL
    description The remote VMware ESX host is affected by multiple vulnerabilities in the Bash shell : - A command injection vulnerability exists in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system. (CVE-2014-6271, CVE-2014-7169, CVE-2014-6277, CVE-2014-6278) - An out-of-bounds read error exists in the redirection implementation in file parse.y when evaluating untrusted input during stacked redirects handling. A remote attacker can exploit this to cause a denial of service or possibly have other unspecified impact. (CVE-2014-7186) - An off-by-one overflow condition exists in the read_token_word() function in file parse.y when handling deeply nested flow control structures. A remote attacker can exploit this, by using deeply nested for-loops, to cause a denial of service or possibly execute arbitrary code. (CVE-2014-7187)
    last seen 2018-09-01
    modified 2018-08-06
    plugin id 87680
    published 2015-12-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87680
    title VMware ESX Multiple Bash Vulnerabilities (VMSA-2014-0010) (Shellshock)
  • NASL family Misc.
    NASL id VMWARE_NSX_VMSA_2014_0010.NASL
    description The version of VMware NSX installed on the remote host is 4.x prior to 4.0.5 / 4.1.4 / 4.2.1 or 6.x prior to 6.0.7 / 6.1.1. It is, therefore, affected by a command injection vulnerability in GNU Bash known as Shellshock, which is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
    last seen 2018-09-01
    modified 2018-08-06
    plugin id 78826
    published 2014-11-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78826
    title VMware NSX Bash Environment Variable Command Injection (VMSA-2014-0010) (Shellshock)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-1354.NASL
    description An updated rhev-hypervisor6 package that fixes several security issues is now available. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: a subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent. Note: Red Hat Enterprise Virtualization Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions. A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. (CVE-2014-6271) It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. (CVE-2014-7169) A flaw was found in the way NSS parsed ASN.1 (Abstract Syntax Notation One) input from certain RSA signatures. A remote attacker could use this flaw to forge RSA certificates by providing a specially crafted signature to an application using NSS. 
(CVE-2014-1568) It was discovered that the fixed-sized redir_stack could be forced to overflow in the Bash parser, resulting in memory corruption, and possibly leading to arbitrary code execution when evaluating untrusted input that would not otherwise be run as code. (CVE-2014-7186) An off-by-one error was discovered in the way Bash was handling deeply nested flow control constructs. Depending on the layout of the .bss segment, this could allow arbitrary execution of code that would not otherwise be executed by Bash. (CVE-2014-7187) Red Hat would like to thank Stephane Chazelas for reporting CVE-2014-6271, and the Mozilla project for reporting CVE-2014-1568. Upstream acknowledges Antoine Delignat-Lavaud and Intel Product Security Incident Response Team as the original reporters of CVE-2014-1568. The CVE-2014-7186 and CVE-2014-7187 issues were discovered by Florian Weimer of Red Hat Product Security. Users of the Red Hat Enterprise Virtualization Hypervisor are advised to upgrade to this updated package.
    last seen 2018-09-14
    modified 2018-09-12
    plugin id 79053
    published 2014-11-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79053
    title RHEL 6 : rhev-hypervisor6 (RHSA-2014:1354) (Shellshock)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS11_BASH_2014_10_07.NASL
    description The remote Solaris system is missing necessary patches to address critical security updates related to 'Shellshock' : - GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the 'mod_cgi' and 'mod_cgid' modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, also known as 'Shellshock.' Note that the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. (CVE-2014-6271) - GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access, and untrusted-pointer read and write operations) via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the 'mod_cgi' and 'mod_cgid' modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. Note that this vulnerability exists because of an incomplete fix for CVE-2014-6271 and CVE-2014-7169. 
(CVE-2014-6277) - GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the 'mod_cgi' and 'mod_cgid' modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. Note that this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277. (CVE-2014-6278) - GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have other unknown impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the 'mod_cgi' and 'mod_cgid' modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. Note that this vulnerability exists because of an incomplete fix for CVE-2014-6271. (CVE-2014-7169) - The redirection implementation in 'parse.y' in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have other unspecified impact via crafted use of 'here' documents, also known as the 'redir_stack' issue. (CVE-2014-7186) - An off-by-one error in the 'read_token_word' function in 'parse.y' in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have other unspecified impact via deeply nested for-loops, also known as the 'word_lineno' issue. (CVE-2014-7187)
    last seen 2018-09-02
    modified 2018-07-30
    plugin id 78395
    published 2014-10-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78395
    title Oracle third party patch update : bash_2014_10_07
  • NASL family F5 Networks Local Security Checks
    NASL id F5_BIGIP_SOL15629.NASL
    description GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.
    last seen 2018-09-02
    modified 2018-07-10
    plugin id 78197
    published 2014-10-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78197
    title F5 Networks BIG-IP : Multiple GNU Bash vulnerabilities (SOL15629) (Shellshock)
  • NASL family CISCO
    NASL id CISCO_TELEPRESENCE_CONDUCTOR_CSCUR02103.NASL
    description According to its self-reported version number, the remote Cisco TelePresence Conductor device is affected by a command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system. Note that an attacker must be authenticated before the device is exposed to this exploit.
    last seen 2018-09-02
    modified 2018-07-06
    plugin id 79584
    published 2014-11-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79584
    title Cisco TelePresence Conductor Bash Remote Code Execution (Shellshock)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS11_BASH_20141031.NASL
    description The remote Solaris system is missing necessary patches to address security updates : - GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka 'ShellShock.' NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. (CVE-2014-6271) - GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277. (CVE-2014-6278) - GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. 
NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271. (CVE-2014-7169) - The redirection implementation in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via crafted use of here documents, aka the 'redir_stack' issue. (CVE-2014-7186) - Off-by-one error in the read_token_word function in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via deeply nested for loops, aka the 'word_lineno' issue. (CVE-2014-7187)
    last seen 2018-09-02
    modified 2016-02-02
    plugin id 80590
    published 2015-01-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80590
    title Oracle Solaris Third-Party Patch Update : bash (multiple_vulnerabilities_in_bash) (Shellshock)
  • NASL family CGI abuses
    NASL id CISCO-SA-CSCUR01959-PRSM.NASL
    description According to its self-reported version number, the version of Cisco Prime Security Manager installed on the remote host is affected by a command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
    last seen 2018-09-02
    modified 2018-06-14
    plugin id 78828
    published 2014-11-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78828
    title Cisco Prime Security Manager GNU Bash Environment Variable Handling Command Injection (cisco-sa-20140926-bash) (Shellshock)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_10_11.NASL
    description The remote host is running a version of Mac OS X that is 10.6.8 or later but prior to 10.11. It is, therefore, affected by multiple vulnerabilities in the following components : - Address Book - AirScan - apache_mod_php - Apple Online Store Kit - AppleEvents - Audio - bash - Certificate Trust Policy - CFNetwork Cookies - CFNetwork FTPProtocol - CFNetwork HTTPProtocol - CFNetwork Proxies - CFNetwork SSL - CoreCrypto - CoreText - Dev Tools - Disk Images - dyld - EFI - Finder - Game Center - Heimdal - ICU - Install Framework Legacy - Intel Graphics Driver - IOAudioFamily - IOGraphics - IOHIDFamily - IOStorageFamily - Kernel - libc - libpthread - libxpc - Login Window - lukemftpd - Mail - Multipeer Connectivity - NetworkExtension - Notes - OpenSSH - OpenSSL - procmail - remote_cmds - removefile - Ruby - Safari - Safari Downloads - Safari Extensions - Safari Safe Browsing - Security - SMB - SQLite - Telephony - Terminal - tidy - Time Machine - WebKit - WebKit CSS - WebKit JavaScript Bindings - WebKit Page Loading - WebKit Plug-ins Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen 2018-09-02
    modified 2018-07-14
    plugin id 86270
    published 2015-10-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86270
    title Mac OS X < 10.11 Multiple Vulnerabilities (GHOST)
  • NASL family Junos Local Security Checks
    NASL id JUNIPER_SPACE_JSA10648.NASL
    description According to its self-reported version number, the remote Junos Space version is prior to 14.1R2, and may be affected by a command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
    last seen 2018-09-01
    modified 2018-07-12
    plugin id 80196
    published 2014-12-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80196
    title Juniper Junos Space GNU Bash Command Injection Vulnerability (JSA10648) (Shellshock)
  • NASL family CISCO
    NASL id CISCO_TELEPRESENCE_VCS_CSCUR01461.NASL
    description According to its self-reported version number, the version of Cisco TelePresence Video Communication Server is affected by a command injection vulnerability known as Shellshock in its included GNU Bash shell. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system. The API over HTTP(S) and/or SSH can therefore be exploited. An attacker must be authenticated before the system is exposed to this exploit.
    last seen 2018-09-01
    modified 2018-07-06
    plugin id 78596
    published 2014-10-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78596
    title Cisco TelePresence Video Communication Server Bash Remote Code Execution (Shellshock)
  • NASL family Misc.
    NASL id VCENTER_OPERATIONS_MANAGER_VMSA_2014-0010.NASL
    description The version of VMware vCenter Operations Manager installed on the remote host is prior to 5.7.3 / 5.8.3. It is, therefore, affected by the environmental variable command injection vulnerability known as 'Shellshock'.
    last seen 2018-09-01
    modified 2018-08-06
    plugin id 78889
    published 2014-11-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78889
    title VMware vCenter Operations Management Bash Vulnerabilities (VMSA-2014-0010) (Shellshock)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-1306.NASL
    description [Updated September 30, 2014] This advisory has been updated with information on restarting system services after applying this update. No changes have been made to the original packages. Updated bash packages that fix one security issue are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The GNU Bourne Again shell (Bash) is a shell and command language interpreter compatible with the Bourne shell (sh). Bash is the default shell for Red Hat Enterprise Linux. It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. (CVE-2014-7169) Applications which directly create bash functions as environment variables need to be made aware of changes to the way names are handled by this update. Note that certain services, screen sessions, and tmux sessions may need to be restarted, and affected interactive users may need to re-login. Installing these updated packages without restarting services will address the vulnerability, but functionality may be impacted until affected services are restarted. For more information see the Knowledgebase article at https://access.redhat.com/articles/1200223 Note: Docker users are advised to use 'yum update' within their containers, and to commit the resulting changes. For additional information on CVE-2014-6271 and CVE-2014-7169, refer to the aforementioned Knowledgebase article. 
All bash users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.
    last seen 2018-10-18
    modified 2018-10-17
    plugin id 77895
    published 2014-09-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77895
    title RHEL 5 / 6 / 7 : bash (RHSA-2014:1306)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-1311.NASL
    description [Updated September 30, 2014] This advisory has been updated with information on restarting system services after applying this update. No changes have been made to the original packages. Updated bash packages that fix one security issue are now available for Red Hat Enterprise Linux 4 Extended Life Cycle Support, Red Hat Enterprise Linux 5.6 Long Life, Red Hat Enterprise Linux 5.9 Extended Update Support, Red Hat Enterprise Linux 6.2 Advanced Update Support, and Red Hat Enterprise Linux 6.4 Extended Update Support. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The GNU Bourne Again shell (Bash) is a shell and command language interpreter compatible with the Bourne shell (sh). Bash is the default shell for Red Hat Enterprise Linux. It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. (CVE-2014-7169) Applications which directly create bash functions as environment variables need to be made aware of changes to the way names are handled by this update. Note that certain services, screen sessions, and tmux sessions may need to be restarted, and affected interactive users may need to re-login. Installing these updated packages without restarting services will address the vulnerability, but functionality may be impacted until affected services are restarted. 
    For more information see the Knowledgebase article at https://access.redhat.com/articles/1200223 Note: Docker users are advised to use 'yum update' within their containers, and to commit the resulting changes. For additional information on CVE-2014-6271 and CVE-2014-7169, refer to the aforementioned Knowledgebase article. All bash users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.
    last seen 2018-09-14
    modified 2018-09-13
    plugin id 79052
    published 2014-11-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79052
    title RHEL 4 / 5 / 6 : bash (RHSA-2014:1311)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2364-1.NASL
    description Florian Weimer and Todd Sabin discovered that the Bash parser incorrectly handled memory. An attacker could possibly use this issue to bypass certain environment restrictions and execute arbitrary code. (CVE-2014-7186, CVE-2014-7187) In addition, this update introduces a hardening measure which adds prefixes and suffixes around environment variable names which contain shell functions. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2018-08-03
    plugin id 77961
    published 2014-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77961
    title Ubuntu 10.04 LTS / 12.04 LTS / 14.04 LTS : bash vulnerabilities (USN-2364-1)
  • NASL family Windows
    NASL id VMWARE_VCENTER_CONVERTER_2014-0010.NASL
    description The version of VMware vCenter Converter installed on the remote Windows host is 5.1.x prior to 5.1.2 or 5.5.x prior to 5.5.3. It is, therefore, affected by the following vulnerabilities:
      - A command injection vulnerability exists in GNU Bash known as Shellshock, which is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system. While this host is not directly impacted by Shellshock, the standalone Converter application does deploy a Helper VM during Linux P2V conversions. This Helper VM contains a vulnerable version of Bash. (CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187)
      - A memory double-free error exists in 'd1_both.c' related to handling DTLS packets that allows denial of service attacks. (CVE-2014-3505)
      - An unspecified error exists in 'd1_both.c' related to handling DTLS handshake messages that allows denial of service attacks due to large amounts of memory being consumed. (CVE-2014-3506)
      - A memory leak error exists in 'd1_both.c' related to handling specially crafted DTLS packets that allows denial of service attacks. (CVE-2014-3507)
      - A NULL pointer dereference error exists related to handling anonymous ECDH cipher suites and crafted handshake messages that allows denial of service attacks against clients. (CVE-2014-3510)
    last seen 2018-09-01
    modified 2018-08-06
    plugin id 79147
    published 2014-11-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79147
    title VMware vCenter Converter 5.1.x < 5.1.2 / 5.5.x < 5.5.3 Multiple Vulnerabilities (VMSA-2014-0010) (Shellshock)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_4A4E9F88491C11E4AE2CC80AA9043978.NASL
    description RedHat security team reports : It was discovered that the fixed-sized redir_stack could be forced to overflow in the Bash parser, resulting in memory corruption, and possibly leading to arbitrary code execution when evaluating untrusted input that would not otherwise be run as code. An off-by-one error was discovered in the way Bash was handling deeply nested flow control constructs. Depending on the layout of the .bss segment, this could allow arbitrary execution of code that would not otherwise be executed by Bash.
    last seen 2018-09-01
    modified 2015-10-05
    plugin id 78002
    published 2014-10-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78002
    title FreeBSD : bash -- out-of-bounds memory access in parser (4a4e9f88-491c-11e4-ae2c-c80aa9043978)
  • NASL family CISCO
    NASL id CISCO-SA-20140926-BASH-NXOS.NASL
    description According to its self-reported version, the remote NX-OS device is affected by a command injection vulnerability in GNU Bash known as Shellshock, which is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
    last seen 2018-09-01
    modified 2018-07-06
    plugin id 78693
    published 2014-10-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78693
    title Cisco NX-OS GNU Bash Environment Variable Command Injection Vulnerability (cisco-sa-20140926-bash) (Shellshock)
packetstorm via4
redhat via4
advisories
  • rhsa
    id RHSA-2014:1311
  • rhsa
    id RHSA-2014:1312
  • rhsa
    id RHSA-2014:1354
rpms
  • bash-0:4.1.2-15.el6_5.2
  • bash-doc-0:4.1.2-15.el6_5.2
  • bash-0:3.2-33.el5_11.4
  • bash-0:4.2.45-5.el7_0.4
  • bash-doc-0:4.2.45-5.el7_0.4
refmap via4
apple
  • APPLE-SA-2015-01-27-4
  • APPLE-SA-2015-09-30-3
bugtraq 20141001 NEW VMSA-2014-0010 - VMware product updates address critical Bash security vulnerabilities
cisco 20140926 GNU Bash Environment Variable Command Injection Vulnerability
confirm
fulldisc 20141001 FW: NEW VMSA-2014-0010 - VMware product updates address critical Bash security vulnerabilities
hp
  • HPSBGN03138
  • HPSBGN03141
  • HPSBGN03142
  • HPSBGN03233
  • HPSBHF03125
  • HPSBMU03143
  • HPSBMU03144
  • HPSBMU03165
  • HPSBMU03182
  • HPSBMU03217
  • HPSBMU03220
  • HPSBMU03236
  • HPSBMU03245
  • HPSBMU03246
  • HPSBOV03228
  • HPSBST03129
  • HPSBST03131
  • HPSBST03148
  • HPSBST03154
  • HPSBST03155
  • HPSBST03157
  • HPSBST03181
  • SSRT101711
  • SSRT101739
  • SSRT101742
  • SSRT101819
  • SSRT101827
  • SSRT101830
  • SSRT101868
jvn JVN#55667175
jvndb JVNDB-2014-000126
mandriva MDVSA-2015:164
misc
mlist
  • [oss-security] 20140925 Fwd: Non-upstream patches for bash
  • [oss-security] 20140926 Re: Fwd: Non-upstream patches for bash
  • [oss-security] 20140928 Re: CVE-2014-6271: remote code execution through bash
secunia
  • 58200
  • 59907
  • 60024
  • 60034
  • 60044
  • 60055
  • 60063
  • 60193
  • 60433
  • 61065
  • 61128
  • 61129
  • 61188
  • 61283
  • 61287
  • 61291
  • 61312
  • 61313
  • 61328
  • 61442
  • 61471
  • 61479
  • 61485
  • 61503
  • 61550
  • 61552
  • 61565
  • 61603
  • 61618
  • 61622
  • 61633
  • 61636
  • 61641
  • 61643
  • 61654
  • 61703
  • 61711
  • 61780
  • 61816
  • 61873
  • 62228
  • 62312
  • 62343
suse
  • SUSE-SU-2014:1247
  • SUSE-SU-2014:1259
  • openSUSE-SU-2014:1229
  • openSUSE-SU-2014:1242
  • openSUSE-SU-2014:1254
ubuntu USN-2364-1
vmware via4
description Bash libraries have been updated in multiple products to resolve multiple critical security issues, also referred to as Shellshock.
id VMSA-2014-0010
last_updated 2014-10-17T00:00:00
published 2014-09-30T00:00:00
title Bash update for multiple products
workaround None
Last major update 02-01-2017 - 21:59
Published 28-09-2014 - 15:55
Last modified 09-10-2018 - 15:52