Subject: ?Cp1252?Q?TA14-268A:_GNU_Bourne_Again_Shell_(Bash)_91Shells?
From: US-CERT <US-CERT@ncas.us-cert.gov>



National Cyber Awareness System:

TA14-268A: GNU Bourne Again Shell (Bash) 91Shellshock92 Vulnerability ( CVE-2014-6271,CVE-2014-7169) [ https://www.us-cert.gov/ncas/alerts/TA14-2
68A ] 09/25/2014 12:56 PM EDT
Original release date: September 25, 2014

Systems Affected

* GNU Bash through 4.3.
* Linux, BSD, and UNIX distributions including but not limited to:
* CentOS [ http://lists.centos.org/pipermail/centos/2014-September/1460 99.html ] 5 through 7
* Debian [ https://lists.debian.org/debian-security-announce/2014/msg00 220.html ]
* Mac OS X
* Red Hat Enterprise Linux 4 through 7
* Ubuntu [ http://www.ubuntu.com/usn/usn-2362-1/ ] 10.04 LTS, 12.04 LTS
, and 14.04 LTS

Overview

A critical vulnerability has been reported in the GNU Bourne Again Shell (Bash), the common command-line shell used in most Linux/UNIX operating s ystems and Apple92s Mac OS X. The flaw could allow an attacker to remote
ly execute shell commands by attaching malicious code in environment vari
ables used by the operating system [1] [ http://arstechnica.com/security/ 2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix- in-it/ ]. The United States Department of Homeland Security (DHS) is rele
asing this Technical Alert to provide further information about the GNU B
ash vulnerability.

Description

GNU Bash versions 1.14 through 4.3 contain a flaw that processes commands
placed after function definitions in the added environment variable, all
owing remote attackers to execute arbitrary code via a crafted environmen
t which enables network-based exploitation. [2 [ http://web.nvd.nist.gov/ view/vuln/detail?vulnId
CVE-2014-6271 ], 3 [ http://web.nvd.nist.gov/vi
ew/vuln/detail?vulnId
CVE-2014-7169 ]]

Critical instances where the vulnerability may be exposed include: [4 [ h ttps://access.redhat.com/security/cve/CVE-2014-6271 ], 5 [ http://securit yblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables- code-injection-attack/ ]]


* Apache HTTP Server using mod_cgi or mod_cgid scripts either written i
n bash, or spawn subshells.
* Override or Bypass ForceCommand feature in OpenSSH sshd and limited p rotection for some Git and Subversion deployments used to restrict shells
and allows arbitrary command execution capabilities.
* Allow arbitrary commands to run on a DHCP client machine, various Dae
mons and SUID/privileged programs.
* Exploit servers and other Unix and Linux devices via Web requests, se
cure shell, telnet sessions, or other programs that use Bash to execute s cripts.

Impact

This vulnerability is classified by industry standards as 93High94 impa
ct with CVSS Impact Subscore 10 and 93Low94 on complexity, which means
it takes little skill to perform. This flaw allows attackers to provide s pecially crafted environment variables containing arbitrary commands that
can be executed on vulnerable systems. It is especially dangerous becaus
e of the prevalent use of the Bash shell and its ability to be called by
an application in numerous ways.

Solution

Patches have been released to fix this vulnerability by major Linux vendo
rs for affected versions. Solutions for CVE-2014-6271 do not completely r esolve the vulnerability. It is advised to install existing patches and p
ay attention for updated patches to address CVE-2014-7169.

Many UNIX-like operating systems, including Linux distributions, BSD vari
ants, and Apple Mac OS X include Bash and are likely to be affected. Cont
act your vendor for updated information. A list of vendors can be found i
n CERT Vulnerability Note VU#252743 [ http://www.kb.cert.org/vuls/id/2527
43 ] [6] [ http://www.kb.cert.org/vuls/id/252743 ].

US-CERT recommends system administrators review the vendor patches and th
e NIST Vulnerability Summary for CVE-2014-7169 [ http://web.nvd.nist.gov/ view/vuln/detail?vulnId
CVE-2014-7169 ], to mitigate damage caused by t
he exploit.

References

* Ars Technica, Bug in Bash shell creates big security hole on anything
with *nix in it; [ http://arstechnica.com/security/2014/09/bug-in-bash- shell-creates-big-security-hole-on-anything-with-nix-in-it/ ]
* DHS NCSD; Vulnerability Summary for CVE-2014-6271 [ http://web.nvd.ni st.gov/view/vuln/detail?vulnId
CVE-2014-6271 ]
* DHS NCSD; Vulnerability Summary for CVE-2014-7169 [ http://web.nvd.ni st.gov/view/vuln/detail?vulnId
CVE-2014-7169 ]
* Red Hat, CVE-2014-6271 [ https://access.redhat.com/security/cve/CVE- 2014-6271 ]
* Red Hat, Bash specially-crafted environment variables code injection
attack [ https://securityblog.redhat.com/2014/09/24/bash-specially-crafte d-environment-variables-code-injection-attack/ ]
* CERT Vulnerability Note VU#252743 [ http://www.kb.cert.org/vuls/id/25
2743 ]

Revision History

* September 25, 2014 - Initial Release ________________________________________________________________________

This email was sent to certecho@net396.fidonet.org using GovDelivery, onbehalf of: United States Computer Emergency Readiness Team (US-CERT) B7245 Murray Lane
SW Bldg 410 B7 Washington, DC 20598 B7 (703) 235-5110 P
owered by GovDelivery [ http://www.govdelivery.com/portals/powered-by ]


-+-
+ Origin: FidoNet<>Internet Gateway -Huntsville AL- USA- (1:396/3)

=-=-=-=-=-=-=-= .END of Forwarded message =-=-=-=-=-=-=-=

--
Guardien Fide :^)

Ben aka cMech Web: http://cmech.dynip.com
Email: fido4cmech(at)lusfiber.net
Home page: http://users.lusfiber.net/~fido4cmech
WildCat! Board 24/7 +1-337-984-4794 any BAUD 8,N,1

--- GoldED+/W32-MSVC
* Origin: FIDONet - The Positronium Repository (1:393/68)