CVE-2014-6271 - OS Command Injection vulnerability in multiple products
Summary
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Command Line Execution through SQL Injection: An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (which could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
- Command Delimiters: An attack of this type exploits a program's vulnerabilities that allow an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. A system that uses a filter or blacklist input validation, as opposed to whitelist validation, is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or blacklist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
- Exploiting Multiple Input Interpretation Layers: An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiple passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.
- Argument Injection: An attacker changes the behavior or state of a targeted application through injecting data or command syntax through the target's use of non-validated and non-filtered arguments of exposed services or methods.
- OS Command Injection: In this type of attack, an adversary injects operating system commands into existing application functions. An application that uses untrusted input to build command strings is vulnerable. An adversary can leverage OS command injection in an application to elevate privileges, execute arbitrary commands and compromise the underlying operating system.
Exploit-Db
- id: EDB-ID:36504
  - title: QNAP - Web Server Remote Code Execution via Bash Environment Variable Code Injection
  - description: QNAP - Web Server Remote Code Execution via Bash Environment Variable Code Injection. CVE-2014-3659,CVE-2014-3671,CVE-2014-6271,CVE-2014-62771,CVE-2014-7169,...
  - last seen: 2016-02-04
  - modified: 2015-03-26
  - published: 2015-03-26
  - reporter: Patrick Pellegrino
  - source: https://www.exploit-db.com/download/36504/
- id: EDB-ID:40619
  - title: TrendMicro InterScan Web Security Virtual Appliance - Remote Code Execution (Shellshock)
  - description: TrendMicro InterScan Web Security Virtual Appliance - Remote Code Execution (Shellshock). CVE-2014-6271. Remote exploit for Hardware platform
  - file: exploits/hardware/remote/40619.py
  - last seen: 2016-10-21
  - modified: 2016-10-21
  - platform: hardware
  - published: 2016-10-21
  - reporter: Hacker Fantastic
  - source: https://www.exploit-db.com/download/40619/
  - type: remote
- id: EDB-ID:40938
  - title: RedStar 3.0 Server - 'BEAM & RSSMON' Command Execution (Shellshock)
  - description: RedStar 3.0 Server - 'BEAM & RSSMON' Command Execution (Shellshock). CVE-2014-6271. Local exploit for Linux platform
  - file: exploits/linux/local/40938.py
  - last seen: 2016-12-19
  - modified: 2016-12-18
  - platform: linux
  - published: 2016-12-18
  - reporter: Exploit-DB
  - source: https://www.exploit-db.com/download/40938/
  - type: local
- id: EDB-ID:34839
  - title: IPFire Cgi Web Interface Authenticated Bash Environment Variable Code Injection Exploit
  - description: IPFire Cgi Web Interface Authenticated Bash Environment Variable Code Injection Exploit. CVE-2014-3659,CVE-2014-3671,CVE-2014-6271,CVE-2014-62771,CVE-2014-71...
  - last seen: 2016-02-04
  - modified: 2014-10-01
  - published: 2014-10-01
  - reporter: Claudio Viviani
  - source: https://www.exploit-db.com/download/34839/
- id: EDB-ID:37816
  - title: Cisco Unified Communications Manager - Multiple Vulnerabilities
  - description: Cisco Unified Communications Manager - Multiple Vulnerabilities. CVE-2014-6271,CVE-2014-8008. Webapps exploits for multiple platform
  - file: exploits/multiple/webapps/37816.txt
  - last seen: 2016-02-04
  - modified: 2015-08-18
  - platform: multiple
  - published: 2015-08-18
  - reporter: Bernhard Mueller
  - source: https://www.exploit-db.com/download/37816/
  - type: webapps
- id: EDB-ID:36609
  - title: Kemp Load Master 7.1.16 - Multiple Vulnerabilities
  - description: Kemp Load Master 7.1.16 - Multiple Vulnerabilities. CVE-2014-3659,CVE-2014-3671,CVE-2014-5287,CVE-2014-5288,CVE-2014-6271,CVE-2014-62771,CVE-2014-7169,CVE-20...
  - last seen: 2016-02-04
  - modified: 2015-04-02
  - published: 2015-04-02
  - reporter: Roberto Suggi Liverani
  - source: https://www.exploit-db.com/download/36609/
- id: EDB-ID:39918
  - title: IPFire Bash Environment Variable Injection Shellshock
  - description: IPFire Bash Environment Variable Injection (Shellshock). CVE-2014-6271. Remote exploit for cgi platform
  - file: exploits/cgi/remote/39918.rb
  - last seen: 2016-06-11
  - modified: 2016-06-10
  - platform: cgi
  - port: 444
  - published: 2016-06-10
  - reporter: metasploit
  - source: https://www.exploit-db.com/download/39918/
  - type: remote
- id: EDB-ID:34777
  - title: GNU bash Environment Variable Command Injection MSF
  - description: GNU bash Environment Variable Command Injection (MSF). CVE-2014-3659,CVE-2014-3671,CVE-2014-6271,CVE-2014-62771,CVE-2014-7169,CVE-2014-7196,CVE-2014-7227,CVE...
  - last seen: 2016-02-03
  - modified: 2014-09-25
  - published: 2014-09-25
  - reporter: Shaun Colley
  - source: https://www.exploit-db.com/download/34777/
- id: EDB-ID:34862
  - title: Pure-FTPd External Authentication Bash Environment Variable Code Injection
  - description: Pure-FTPd External Authentication Bash Environment Variable Code Injection. CVE-2014-3659,CVE-2014-3671,CVE-2014-6271,CVE-2014-62771,CVE-2014-7169,CVE-2014-7...
  - last seen: 2016-02-04
  - modified: 2014-10-02
  - published: 2014-10-02
  - reporter: metasploit
  - source: https://www.exploit-db.com/download/34862/
- id: EDB-ID:35146
  - title: PHP 5.x Shellshock Exploit bypass disable_functions
  - description: PHP 5.x Shellshock Exploit (bypass disable_functions). CVE-2014-3659,CVE-2014-3671,CVE-2014-6271,CVE-2014-62771,CVE-2014-7169,CVE-2014-7196,CVE-2014-7227,CVE...
  - last seen: 2016-02-04
  - modified: 2014-11-03
  - published: 2014-11-03
  - reporter: Ryan King (Starfall)
  - source: https://www.exploit-db.com/download/35146/
- id: EDB-ID:38849
  - title: Advantech Switch Bash Environment Variable Code Injection Shellshock
  - description: Advantech Switch Bash Environment Variable Code Injection (Shellshock). CVE-2014-6271,CVE-2014-7196. Remote exploit for cgi platform
  - file: exploits/cgi/remote/38849.rb
  - last seen: 2016-02-04
  - modified: 2015-12-02
  - platform: cgi
  - published: 2015-12-02
  - reporter: metasploit
  - source: https://www.exploit-db.com/download/38849/
  - type: remote
- id: EDB-ID:34895
  - title: Bash - CGI RCE MSF Shellshock Exploit
  - description: Bash - CGI RCE (MSF) Shellshock Exploit. CVE-2014-3659,CVE-2014-3671,CVE-2014-6271,CVE-2014-62771,CVE-2014-7169,CVE-2014-7196,CVE-2014-7227,CVE-2014-7910. We...
  - last seen: 2016-02-04
  - modified: 2014-10-06
  - published: 2014-10-06
  - reporter: Fady Mohammed Osman
  - source: https://www.exploit-db.com/download/34895/
- id: EDB-ID:42938
  - title: Qmail SMTP - Bash Environment Variable Injection (Metasploit)
  - description: Qmail SMTP - Bash Environment Variable Injection (Metasploit). CVE-2014-6271. Remote exploit for Linux platform. Tags: Metasploit Framework
  - file: exploits/linux/remote/42938.rb
  - last seen: 2017-10-02
  - modified: 2017-10-02
  - platform: linux
  - published: 2017-10-02
  - reporter: Exploit-DB
  - source: https://www.exploit-db.com/download/42938/
  - type: remote
- id: EDB-ID:34896
  - title: Postfix SMTP - Shellshock Exploit
  - description: Postfix SMTP - Shellshock Exploit. CVE-2014-3659,CVE-2014-3671,CVE-2014-6271,CVE-2014-62771,CVE-2014-7169,CVE-2014-7196,CVE-2014-7227,CVE-2014-7910. Remote e...
  - last seen: 2016-02-04
  - modified: 2014-10-06
  - published: 2014-10-06
  - reporter: Phil Blank
  - source: https://www.exploit-db.com/download/34896/
- id: EDB-ID:36503
  - title: QNAP - Admin Shell via Bash Environment Variable Code Injection
  - description: QNAP - Admin Shell via Bash Environment Variable Code Injection. CVE-2014-3659,CVE-2014-3671,CVE-2014-6271,CVE-2014-62771,CVE-2014-7169,CVE-2014-7196,CVE-201...
  - last seen: 2016-02-04
  - modified: 2015-03-26
  - published: 2015-03-26
  - reporter: Patrick Pellegrino
  - source: https://www.exploit-db.com/download/36503/
- id: EDB-ID:34765
  - title: GNU Bash - Environment Variable Command Injection ShellShock
  - description: GNU bash Environment Variable Command Injection. CVE-2014-3659,CVE-2014-3671,CVE-2014-6271,CVE-2014-62771,CVE-2014-7169,CVE-2014-7196,CVE-2014-7227,CVE-2014-...
  - last seen: 2016-02-03
  - modified: 2014-09-25
  - published: 2014-09-25
  - reporter: Stephane Chazelas
  - source: https://www.exploit-db.com/download/34765/
- id: EDB-ID:34879
  - title: OpenVPN 2.2.29 - ShellShock Exploit
  - description: OpenVPN 2.2.29 - ShellShock Exploit. CVE-2014-3659,CVE-2014-3671,CVE-2014-6271,CVE-2014-62771,CVE-2014-7169,CVE-2014-7196,CVE-2014-7227,CVE-2014-7910. Remote...
  - file: exploits/linux/remote/34879.txt
  - last seen: 2016-02-04
  - modified: 2014-10-04
  - platform: linux
  - published: 2014-10-04
  - reporter: hobbily plunt
  - source: https://www.exploit-db.com/download/34879/
  - type: remote
- id: EDB-ID:34766
  - title: Bash - Environment Variables Code Injection Exploit ShellShock
  - description: Bash - Environment Variables Code Injection Exploit (ShellShock). CVE-2014-3659,CVE-2014-3671,CVE-2014-6271,CVE-2014-62771,CVE-2014-7169,CVE-2014-7196,CVE-20...
  - last seen: 2016-02-03
  - modified: 2014-09-25
  - published: 2014-09-25
  - reporter: Prakhar Prasad & Subho Halder
  - source: https://www.exploit-db.com/download/34766/
- id: EDB-ID:35115
  - title: CUPS Filter Bash Environment Variable Code Injection
  - description: CUPS Filter Bash Environment Variable Code Injection. CVE-2014-3659,CVE-2014-3671,CVE-2014-6271,CVE-2014-62771,CVE-2014-7169,CVE-2014-7196,CVE-2014-7227,CVE-...
  - last seen: 2016-02-04
  - modified: 2014-10-29
  - published: 2014-10-29
  - reporter: metasploit
  - source: https://www.exploit-db.com/download/35115/
- id: EDB-ID:34860
  - title: GNU bash 4.3.11 Environment Variable dhclient Exploit
  - description: GNU bash 4.3.11 Environment Variable dhclient Exploit. CVE-2014-3659,CVE-2014-3671,CVE-2014-6271,CVE-2014-6277,CVE-2014-62771,CVE-2014-6278,CVE-2014-7169,CVE...
  - last seen: 2016-02-04
  - modified: 2014-10-02
  - published: 2014-10-02
  - reporter: @0x00string
  - source: https://www.exploit-db.com/download/34860/
Metasploit
- id: MSF:AUXILIARY/SCANNER/HTTP/APACHE_MOD_CGI_BASH_ENV
  - title: Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner
  - description: This module scans for the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets CGI scripts in the Apache web server by setting the HTTP_USER_AGENT environment variable to a malicious function definition. PROTIP: Use exploit/multi/handler with a PAYLOAD appropriate to your CMD, set ExitOnSession false, run -j, and then run this module to create sessions on vulnerable hosts. Note that this is not the recommended method for obtaining shells. If you require sessions, please use the apache_mod_cgi_bash_env_exec exploit module instead.
  - last seen: 2020-05-28
  - modified: 2018-11-16
  - published: 2014-09-25
  - reporter: Rapid7
  - source: https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/apache_mod_cgi_bash_env.rb
- id: MSF:EXPLOIT/LINUX/HTTP/ADVANTECH_SWITCH_BASH_ENV_EXEC
  - title: Advantech Switch Bash Environment Variable Code Injection (Shellshock)
  - description: This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets the 'ping.sh' CGI script, accessible through the Boa web server on Advantech switches. This module was tested against firmware version 1322_D1.98.
  - last seen: 2020-06-07
  - modified: 2020-02-18
  - published: 2015-12-01
  - reporter: Rapid7
  - source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/advantech_switch_bash_env_exec.rb
- id: MSF:EXPLOIT/MULTI/HTTP/APACHE_MOD_CGI_BASH_ENV_EXEC
  - title: Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)
  - description: This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets CGI scripts in the Apache web server by setting the HTTP_USER_AGENT environment variable to a malicious function definition.
  - last seen: 2020-06-06
  - modified: 2018-11-16
  - published: 2014-09-25
  - reporter: Rapid7
  - source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/apache_mod_cgi_bash_env_exec.rb
- id: MSF:AUXILIARY/SERVER/DHCLIENT_BASH_ENV
  - title: DHCP Client Bash Environment Variable Code Injection (Shellshock)
  - description: This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets dhclient by responding to DHCP requests with a malicious hostname, domainname, and URL which are then passed to the configuration scripts as environment variables, resulting in code execution.
  - last seen: 2020-06-10
  - modified: 2020-05-12
  - published: 2014-09-26
  - reporter: Rapid7
  - source: https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/server/dhclient_bash_env.rb
- id: MSF:EXPLOIT/UNIX/SMTP/QMAIL_BASH_ENV_EXEC
  - title: Qmail SMTP Bash Environment Variable Injection (Shellshock)
  - description: This module exploits a shellshock vulnerability on Qmail, a public domain MTA written in C that runs on Unix systems. Due to the lack of validation on the MAIL FROM field, it is possible to execute shell code on a system with a vulnerable BASH (Shellshock). This flaw works on the latest Qmail versions (qmail-1.03 and netqmail-1.06). However, in order to execute code, /bin/sh has to be linked to bash (usually default configuration) and a valid recipient must be set on the RCPT TO field (usually [email protected]). The exploit does not work on the "qmailrocks" community version as it ensures the MAILFROM field is well-formed.
  - last seen: 2020-06-12
  - modified: 2019-08-15
  - published: 2017-05-04
  - reporter: Rapid7
  - source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/smtp/qmail_bash_env_exec.rb
- id: MSF:EXPLOIT/UNIX/DHCP/BASH_ENVIRONMENT
  - title: Dhclient Bash Environment Variable Injection (Shellshock)
  - description: This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets dhclient by responding to DHCP requests with a malicious hostname, domainname, and URL which are then passed to the configuration scripts as environment variables, resulting in code execution. Due to length restrictions and the unusual networking scenario at the time of exploitation, this module achieves code execution by writing the payload into /etc/crontab and then cleaning it up after a session is created.
  - last seen: 2020-06-10
  - modified: 2019-08-02
  - published: 2014-09-26
  - reporter: Rapid7
  - source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/dhcp/bash_environment.rb
- id: MSF:EXPLOIT/OSX/LOCAL/VMWARE_BASH_FUNCTION_ROOT
  - title: OS X VMWare Fusion Privilege Escalation via Bash Environment Code Injection (Shellshock)
  - description: This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets the VMWare Fusion application, allowing an unprivileged local user to get root access.
  - last seen: 2020-06-05
  - modified: 2018-11-04
  - published: 2014-09-24
  - references: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
  - reporter: Rapid7
  - source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/osx/local/vmware_bash_function_root.rb
- id: MSF:EXPLOIT/LINUX/HTTP/IPFIRE_BASHBUG_EXEC
  - title: IPFire Bash Environment Variable Injection (Shellshock)
  - description: IPFire, a free linux based open source firewall distribution, version <= 2.15 Update Core 82 contains an authenticated remote command execution vulnerability via shellshock in the request headers.
  - last seen: 2020-05-28
  - modified: 2018-08-27
  - published: 2016-05-30
  - references: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
  - reporter: Rapid7
  - source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/ipfire_bashbug_exec.rb
- id: MSF:EXPLOIT/MULTI/FTP/PUREFTPD_BASH_ENV_EXEC
  - title: Pure-FTPd External Authentication Bash Environment Variable Code Injection (Shellshock)
  - description: This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets the Pure-FTPd FTP server when it has been compiled with the --with-extauth flag and an external Bash script is used for authentication. If the server is not set up this way, the exploit will fail, even if the version of Bash in use is vulnerable.
  - last seen: 2020-06-10
  - modified: 2018-10-28
  - published: 2014-10-01
  - reporter: Rapid7
  - source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/ftp/pureftpd_bash_env_exec.rb
- id: MSF:EXPLOIT/MULTI/HTTP/CUPS_BASH_ENV_EXEC
  - title: CUPS Filter Bash Environment Variable Code Injection (Shellshock)
  - description: This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets CUPS filters through the PRINTER_INFO and PRINTER_LOCATION variables. A valid username and password is required to exploit this vulnerability through CUPS.
  - last seen: 2020-06-05
  - modified: 2019-01-10
  - published: 2014-10-19
  - reporter: Rapid7
  - source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/cups_bash_env_exec.rb
Nessus
- NASL id: OPENSUSE-2014-559.NASL
  - NASL family: SuSE Local Security Checks
  - title: openSUSE Security Update : bash (openSUSE-SU-2014:1226-1) (Shellshock)
  - description: bash was updated to fix a critical security issue, a minor security issue and bugs : In some circumstances, the shell would evaluate shellcode in environment variables passed at startup time. This allowed code execution by local or remote attackers who could pass environment variables to bash scripts. (CVE-2014-6271) Fixed a temporary file misuse in _rl_tropen (bnc#868822) Even if used only by developers to debug readline library do not open temporary files from public location without O_EXCL (CVE-2014-2524) Additional bugfixes : - Backported corrected german error message for a failing getpwd (bnc#895475) - Add bash upstream patch 47 to fix a problem where the function that shortens pathnames for $PS1 according to the value of $PROMPT_DIRTRIM uses memcpy on potentially-overlapping regions of memory, when it should use memmove. The result is garbled pathnames in prompt strings. - Add bash upstream patch 46 to fix a problem introduced by patch 32 a problem with
  - last seen: 2020-06-05
  - modified: 2014-09-25
  - plugin id: 77846
  - published: 2014-09-25
  - reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  - source: https://www.tenable.com/plugins/nessus/77846

code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2014-559.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(77846);
  script_version("1.17");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2014-2524", "CVE-2014-6271");
  script_xref(name:"IAVA", value:"2014-A-0142");

  script_name(english:"openSUSE Security Update : bash (openSUSE-SU-2014:1226-1) (Shellshock)");
  script_summary(english:"Check for the openSUSE-2014-559 patch");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"bash was updated to fix a critical security issue, a minor security
issue and bugs :

In some circumstances, the shell would evaluate shellcode in
environment variables passed at startup time. This allowed code
execution by local or remote attackers who could pass environment
variables to bash scripts. (CVE-2014-6271)

Fixed a temporary file misuse in _rl_tropen (bnc#868822) Even if used
only by developers to debug readline library do not open temporary
files from public location without O_EXCL (CVE-2014-2524)

Additional bugfixes :

  - Backported corrected german error message for a failing
    getpwd (bnc#895475)

  - Add bash upstream patch 47 to fix a problem where the
    function that shortens pathnames for $PS1 according to
    the value of $PROMPT_DIRTRIM uses memcpy on
    potentially-overlapping regions of memory, when it
    should use memmove. The result is garbled pathnames in
    prompt strings.

  - Add bash upstream patch 46 to fix a problem introduced
    by patch 32 a problem with '$@' and arrays expanding
    empty positional parameters or array elements when using
    substring expansion, pattern substitution, or case
    modfication. The empty parameters or array elements are
    removed instead of expanding to empty strings ('').

  - Add bash-4.2-strcpy.patch from upstream mailing list to
    patch collection tar ball to avoid when using \w in the
    prompt and changing the directory outside of HOME the a
    strcpy work on overlapping memory areas."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=868822"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=895475"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=896776"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://lists.opensuse.org/opensuse-updates/2014-09/msg00036.html"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected bash packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Qmail SMTP Bash Environment Variable Injection (Shellshock)');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:bash");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:bash-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:bash-debuginfo-32bit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:bash-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:bash-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:bash-lang");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:bash-loadables");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:bash-loadables-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libreadline6");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libreadline6-32bit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libreadline6-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libreadline6-debuginfo-32bit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:readline-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:readline-devel-32bit");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:12.3");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.1");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/08/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/09/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/09/25");
  script_set_attribute(attribute:"in_the_news", value:"true");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE12\.3|SUSE13\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "12.3 / 13.1", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE12.3", reference:"bash-4.2-61.9.1") ) flag++;
if ( rpm_check(release:"SUSE12.3", reference:"bash-debuginfo-4.2-61.9.1") ) flag++;
if ( rpm_check(release:"SUSE12.3", reference:"bash-debugsource-4.2-61.9.1") ) flag++;
if ( rpm_check(release:"SUSE12.3", reference:"bash-devel-4.2-61.9.1") ) flag++;
if ( rpm_check(release:"SUSE12.3", reference:"bash-lang-4.2-61.9.1") ) flag++;
if ( rpm_check(release:"SUSE12.3", reference:"bash-loadables-4.2-61.9.1") ) flag++;
if ( rpm_check(release:"SUSE12.3", reference:"bash-loadables-debuginfo-4.2-61.9.1") ) flag++;
if ( rpm_check(release:"SUSE12.3", reference:"libreadline6-6.2-61.9.1") ) flag++;
if ( rpm_check(release:"SUSE12.3", reference:"libreadline6-debuginfo-6.2-61.9.1") ) flag++;
if ( rpm_check(release:"SUSE12.3", reference:"readline-devel-6.2-61.9.1") ) flag++;
if ( rpm_check(release:"SUSE12.3", cpu:"x86_64", reference:"bash-debuginfo-32bit-4.2-61.9.1") ) flag++;
if ( rpm_check(release:"SUSE12.3", cpu:"x86_64", reference:"libreadline6-32bit-6.2-61.9.1") ) flag++;
if ( rpm_check(release:"SUSE12.3", cpu:"x86_64", reference:"libreadline6-debuginfo-32bit-6.2-61.9.1") ) flag++;
if ( rpm_check(release:"SUSE12.3", cpu:"x86_64", reference:"readline-devel-32bit-6.2-61.9.1") ) flag++;
if ( rpm_check(release:"SUSE13.1", reference:"bash-4.2-68.4.1") ) flag++;
if ( rpm_check(release:"SUSE13.1", reference:"bash-debuginfo-4.2-68.4.1") ) flag++;
if ( rpm_check(release:"SUSE13.1", reference:"bash-debugsource-4.2-68.4.1") ) flag++;
if ( rpm_check(release:"SUSE13.1", reference:"bash-devel-4.2-68.4.1") ) flag++;
if ( rpm_check(release:"SUSE13.1", reference:"bash-lang-4.2-68.4.1") ) flag++;
if ( rpm_check(release:"SUSE13.1", reference:"bash-loadables-4.2-68.4.1") ) flag++;
if ( rpm_check(release:"SUSE13.1", reference:"bash-loadables-debuginfo-4.2-68.4.1") ) flag++;
if ( rpm_check(release:"SUSE13.1", reference:"libreadline6-6.2-68.4.1") ) flag++;
if ( rpm_check(release:"SUSE13.1", reference:"libreadline6-debuginfo-6.2-68.4.1") ) flag++;
if ( rpm_check(release:"SUSE13.1", reference:"readline-devel-6.2-68.4.1") ) flag++;
if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"bash-debuginfo-32bit-4.2-68.4.1") ) flag++;
if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"libreadline6-32bit-6.2-68.4.1") ) flag++;
if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"libreadline6-debuginfo-32bit-6.2-68.4.1") ) flag++;
if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"readline-devel-32bit-6.2-68.4.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "bash");
}
```
NASL family MacOS X Local Security Checks NASL id MACOSX_10_10.NASL description The remote host is running a version of Mac OS X is prior to version 10.10. This update contains several security-related fixes for the following components : - 802.1X - AFP File Server - apache - App Sandbox - Bash - Bluetooth - Certificate Trust Policy - CFPreferences - CoreStorage - CUPS - Dock - fdesetup - iCloud Find My Mac - IOAcceleratorFamily - IOHIDFamily - IOKit - Kernel - LaunchServices - LoginWindow - Mail - MCX Desktop Config Profiles - NetFS Client Framework - QuickTime - Safari - Secure Transport - Security - Security - Code Signing Note that successful exploitation of the most serious issues can result in arbitrary code execution. last seen 2020-06-01 modified 2020-06-02 plugin id 78550 published 2014-10-17 reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/78550 title Mac OS X < 10.10 Multiple Vulnerabilities (POODLE) (Shellshock) NASL family CISCO NASL id CISCO-SA-20140926-BASH-NXOS.NASL description According to its self-reported version, the remote NX-OS device is affected by a command injection vulnerability in GNU Bash known as Shellshock, which is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system. last seen 2020-06-01 modified 2020-06-02 plugin id 78693 published 2014-10-27 reporter This script is Copyright (C) 2014-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/78693 title Cisco NX-OS GNU Bash Environment Variable Command Injection Vulnerability (cisco-sa-20140926-bash) (Shellshock) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2014-1354.NASL description An updated rhev-hypervisor6 package that fixes several security issues is now available. 
Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: a subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent. Note: Red Hat Enterprise Virtualization Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions. A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. (CVE-2014-6271) It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. (CVE-2014-7169) A flaw was found in the way NSS parsed ASN.1 (Abstract Syntax Notation One) input from certain RSA signatures. A remote attacker could use this flaw to forge RSA certificates by providing a specially crafted signature to an application using NSS. 
(CVE-2014-1568) It was discovered that the fixed-sized redir_stack could be forced to overflow in the Bash parser, resulting in memory corruption, and possibly leading to arbitrary code execution when evaluating untrusted input that would not otherwise be run as code. (CVE-2014-7186) An off-by-one error was discovered in the way Bash was handling deeply nested flow control constructs. Depending on the layout of the .bss segment, this could allow arbitrary execution of code that would not otherwise be executed by Bash. (CVE-2014-7187) Red Hat would like to thank Stephane Chazelas for reporting CVE-2014-6271, and the Mozilla project for reporting CVE-2014-1568. Upstream acknowledges Antoine Delignat-Lavaud and Intel Product Security Incident Response Team as the original reporters of CVE-2014-1568. The CVE-2014-7186 and CVE-2014-7187 issues were discovered by Florian Weimer of Red Hat Product Security. Users of the Red Hat Enterprise Virtualization Hypervisor are advised to upgrade to this updated package.
last seen: 2020-04-18
modified: 2014-11-08
plugin id: 79053
published: 2014-11-08
reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/79053
title: RHEL 6 : rhev-hypervisor6 (RHSA-2014:1354) (Shellshock)

NASL family: Solaris Local Security Checks
NASL id: SOLARIS10_126546-06.NASL
description: SunOS 5.10: bash patch. Date this patch was last updated by Oracle: Sep/26/14
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 77913
published: 2014-09-26
reporter: This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/77913
title: Solaris 10 (sparc) : 126546-06

NASL family: SMTP problems
NASL id: SHELLSHOCK_POSTFIX_FILTERS.NASL
description: The remote host appears to be running Postfix.
Postfix itself is not vulnerable to Shellshock; however, any bash script Postfix runs for filtering or other tasks could potentially be affected if the script exports an environmental variable from the content or headers of a message. A negative result from this plugin does not prove conclusively that the remote system is not affected by Shellshock, only that any scripts Postfix may be running do not create the conditions that are exploitable via the Shellshock flaw.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 77969
published: 2014-09-29
reporter: This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/77969
title: Postfix Script Remote Command Execution via Shellshock

NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-201409-10.NASL
description: The remote host is affected by the vulnerability described in GLSA-201409-10 (Bash: Code Injection (Updated fix for GLSA 201409-09))
Stephane Chazelas reported that Bash incorrectly handles function definitions, allowing attackers to inject arbitrary code (CVE-2014-6271). Gentoo Linux informed about this issue in GLSA 201409-09. Tavis Ormandy reported that the patch for CVE-2014-6271 was incomplete. As such, this GLSA supersedes GLSA 201409-09.
Impact: A remote attacker could exploit this vulnerability to execute arbitrary commands even in restricted environments.
Workaround: There is no known workaround at this time.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 77886
published: 2014-09-26
reporter: This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/77886
title: GLSA-201409-10 : Bash: Code Injection (Updated fix for GLSA 201409-09)

NASL family: CGI abuses
NASL id: BASH_CVE_2014_6271_RCE.NASL
description: The remote web server is affected by a command injection vulnerability in GNU Bash known as Shellshock.
The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
last seen: 2020-04-30
modified: 2014-09-24
plugin id: 77829
published: 2014-09-24
reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/77829
title: GNU Bash Environment Variable Handling Code Injection (Shellshock)

NASL family: Slackware Local Security Checks
NASL id: SLACKWARE_SSA_2014-267-01.NASL
description: New bash packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.
last seen: 2020-04-18
modified: 2014-09-25
plugin id: 77832
published: 2014-09-25
reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/77832
title: Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : bash (SSA:2014-267-01) (Shellshock)

NASL family: Ubuntu Local Security Checks
NASL id: UBUNTU_USN-2362-1.NASL
description: Stephane Chazelas discovered that Bash incorrectly handled trailing code in function definitions. An attacker could use this issue to bypass environment restrictions, such as SSH forced command environments. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-04-18
modified: 2014-09-25
plugin id: 77854
published: 2014-09-25
reporter: Ubuntu Security Notice (C) 2014-2020 Canonical, Inc. / NASL script (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/77854
title: Ubuntu 10.04 LTS / 12.04 LTS / 14.04 LTS : bash vulnerability (USN-2362-1) (Shellshock)

NASL family: CISCO
NASL id: CISCO_CUPS_CSCUR05454.NASL
description: According to its self-reported version, the CUCM IM and Presence Service installed on the remote host contains a version of GNU Bash that is affected by a command injection vulnerability known as Shellshock, which is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 79124
published: 2014-11-11
reporter: This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/79124
title: CUCM IM and Presence Service GNU Bash Environment Variable Handling Command Injection (CSCur05454) (Shellshock)

NASL family: Mandriva Local Security Checks
NASL id: MANDRIVA_MDVSA-2014-190.NASL
description: It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue (CVE-2014-7169, CVE-2014-7186, CVE-2014-7187). Additionally bash has been updated from patch level 37 to 48 using the upstream patches at ftp://ftp.gnu.org/gnu/bash/bash-4.2-patches/ which resolves various bugs.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 77950
published: 2014-09-29
reporter: This script is Copyright (C) 2014-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/77950
title: Mandriva Linux Security Advisory : bash (MDVSA-2014:190)

NASL family: Misc.
NASL id: MCAFEE_WEB_GATEWAY_SB10085.NASL
description: The remote host has a version of McAfee Web Gateway (MWG) installed that is affected by a command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 79215
published: 2014-11-12
reporter: This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/79215
title: McAfee Web Gateway GNU Bash Code Injection (SB10085) (Shellshock)

NASL family: CentOS Local Security Checks
NASL id: CENTOS_RHSA-2014-1293.NASL
description: Updated bash packages that fix one security issue are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The GNU Bourne Again shell (Bash) is a shell and command language interpreter compatible with the Bourne shell (sh). Bash is the default shell for Red Hat Enterprise Linux. A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.
(CVE-2014-6271) For additional information on the CVE-2014-6271 flaw, refer to the Knowledgebase article at https://access.redhat.com/articles/1200223 Red Hat would like to thank Stephane Chazelas for reporting this issue. All bash users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.
last seen: 2020-04-18
modified: 2014-09-25
plugin id: 77835
published: 2014-09-25
reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/77835
title: CentOS 5 / 6 / 7 : bash (CESA-2014:1293) (Shellshock)

NASL family: SuSE Local Security Checks
NASL id: OPENSUSE-2014-564.NASL
description: The command-line shell
last seen: 2020-06-05
modified: 2014-09-29
plugin id: 77967
published: 2014-09-29
reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/77967
title: openSUSE Security Update : bash (openSUSE-SU-2014:1242-1) (Shellshock)

NASL family: Amazon Linux Local Security Checks
NASL id: ALA_ALAS-2014-419.NASL
description: GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271 and this bulletin is a follow-up to ALAS-2014-418.
It was discovered that the fixed-sized redir_stack could be forced to overflow in the Bash parser, resulting in memory corruption, and possibly leading to arbitrary code execution when evaluating untrusted input that would not otherwise be run as code. An off-by-one error was discovered in the way Bash was handling deeply nested flow control constructs. Depending on the layout of the .bss segment, this could allow arbitrary execution of code that would not otherwise be executed by Bash.
Special notes: Because of the exceptional nature of this security event, we have backfilled our 2014.03, 2013.09, and 2013.03 Amazon Linux AMI repositories with new bash packages that also fix both CVE-2014-7169 and CVE-2014-6271. For 2014.09 Amazon Linux AMIs,
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 78362
published: 2014-10-12
reporter: This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/78362
title: Amazon Linux AMI : bash (ALAS-2014-419)

NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2014-1311.NASL
description: [Updated September 30, 2014] This advisory has been updated with information on restarting system services after applying this update. No changes have been made to the original packages. Updated bash packages that fix one security issue are now available for Red Hat Enterprise Linux 4 Extended Life Cycle Support, Red Hat Enterprise Linux 5.6 Long Life, Red Hat Enterprise Linux 5.9 Extended Update Support, Red Hat Enterprise Linux 6.2 Advanced Update Support, and Red Hat Enterprise Linux 6.4 Extended Update Support. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The GNU Bourne Again shell (Bash) is a shell and command language interpreter compatible with the Bourne shell (sh).
Bash is the default shell for Red Hat Enterprise Linux. It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. (CVE-2014-7169) Applications which directly create bash functions as environment variables need to be made aware of changes to the way names are handled by this update. Note that certain services, screen sessions, and tmux sessions may need to be restarted, and affected interactive users may need to re-login. Installing these updated packages without restarting services will address the vulnerability, but functionality may be impacted until affected services are restarted. For more information see the Knowledgebase article at https://access.redhat.com/articles/1200223 Note: Docker users are advised to use
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 79052
published: 2014-11-08
reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/79052
title: RHEL 4 / 5 / 6 : bash (RHSA-2014:1311)

NASL family: FreeBSD Local Security Checks
NASL id: FREEBSD_PKG_81E2B3084A6C11E4B7116805CA0B3D42.NASL
description: Best Practical reports: RT 4.2.0 and above may be vulnerable to arbitrary execution of code by way of CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, or CVE-2014-6271 -- collectively known as
last seen: 2020-04-18
modified: 2014-10-03
plugin id: 78039
published: 2014-10-03
reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/78039
title: FreeBSD : rt42 -- vulnerabilities related to shellshock (81e2b308-4a6c-11e4-b711-6805ca0b3d42)

NASL family: FTP
NASL id: PROFTPD_BASH_INJECTION.NASL
description: The remote FTP server is affected by a remote code execution vulnerability due to an error in the Bash shell running on the remote host. A remote, unauthenticated attacker can execute arbitrary code on the remote host by sending a specially crafted request via the USER FTP command. The
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 77986
published: 2014-09-30
reporter: This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/77986
title: GNU Bash Environment Variable Handling Code Injection via ProFTPD (Shellshock)

NASL family: CentOS Local Security Checks
NASL id: CENTOS_RHSA-2014-1306.NASL
description: Updated bash packages that fix one security issue are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The GNU Bourne Again shell (Bash) is a shell and command language interpreter compatible with the Bourne shell (sh). Bash is the default shell for Red Hat Enterprise Linux. It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.
(CVE-2014-7169) Applications which directly create bash functions as environment variables need to be made aware of changes to the way names are handled by this update. For more information see the Knowledgebase article at https://access.redhat.com/articles/1200223 Note: Docker users are advised to use
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 77879
published: 2014-09-26
reporter: This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/77879
title: CentOS 5 / 6 / 7 : bash (CESA-2014:1306)

NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2014-1293.NASL
description: Updated bash packages that fix one security issue are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The GNU Bourne Again shell (Bash) is a shell and command language interpreter compatible with the Bourne shell (sh). Bash is the default shell for Red Hat Enterprise Linux. A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. (CVE-2014-6271) For additional information on the CVE-2014-6271 flaw, refer to the Knowledgebase article at https://access.redhat.com/articles/1200223 Red Hat would like to thank Stephane Chazelas for reporting this issue. All bash users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.
last seen: 2020-04-18
modified: 2014-09-25
plugin id: 77828
published: 2014-09-25
reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/77828
title: RHEL 5 / 6 / 7 : bash (RHSA-2014:1293) (Shellshock)

NASL family: SuSE Local Security Checks
NASL id: OPENSUSE-2014-567.NASL
description: This patch was withdrawn by the openSUSE team, as the software was fixed prior to release. No replacement patches/plugins exist. bash was updated to fix command injection via environment variables. (CVE-2014-6271, CVE-2014-7169) Also a hardening patch was applied that only imports functions over BASH_FUNC_ prefixed environment variables. Also fixed: CVE-2014-7186, CVE-2014-7187: bad handling of HERE documents and for loop issue
last seen: 2019-02-21
modified: 2019-02-12
plugin id: 78115
published: 2014-10-10
reporter: Tenable
source: https://www.tenable.com/plugins/index.php?view=single&id=78115
title: openSUSE Security Update : bash (openSUSE-SU-2014:1254-1) (deprecated)

NASL family: Mandriva Local Security Checks
NASL id: MANDRIVA_MDVSA-2014-186.NASL
description: A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue (CVE-2014-6271).
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 77843
published: 2014-09-25
reporter: This script is Copyright (C) 2014-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/77843
title: Mandriva Linux Security Advisory : bash (MDVSA-2014:186)

NASL family: MacOS X Local Security Checks
NASL id: MACOSX_SHELLSHOCK_UPDATE.NASL
description: The remote Mac OS X host has a version of Bash prior to 3.2.53(1)-release installed.
It is, therefore, affected by a command injection vulnerability via environment variable manipulation. Depending on the configuration of the system, an attacker could remotely execute arbitrary code.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 77971
published: 2014-09-30
reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/77971
title: GNU Bash Local Environment Variable Handling Command Injection (Mac OS X) (Shellshock)

NASL family: Misc.
NASL id: IBM_STORWIZE_1_5_0_4.NASL
description: The remote IBM Storwize V7000 Unified device is running version 1.3.x prior to 1.4.3.5 or 1.5.x prior to 1.5.0.4. It is, therefore, affected by the following vulnerabilities:
- A command injection vulnerability exists in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system. (CVE-2014-6271)
- An out-of-bounds memory access error exists in GNU Bash in file parse.y due to evaluating untrusted input during stacked redirects handling. A remote attacker can exploit this, via a crafted
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 85630
published: 2015-08-25
reporter: This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/85630
title: IBM Storwize V7000 Unified 1.3.x < 1.4.3.5 / 1.5.x < 1.5.0.4 Multiple Vulnerabilities (Shellshock)

NASL family: Solaris Local Security Checks
NASL id: SOLARIS11_BASH_2014_10_07.NASL
description: The remote Solaris system is missing necessary patches to address critical security updates related to
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 78395
published: 2014-10-13
reporter: This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/78395
title: Oracle third party patch update : bash_2014_10_07

NASL family: CGI abuses
NASL id: CISCO-SA-CSCUR01959-PRSM.NASL
description: According to its self-reported version number, the version of Cisco Prime Security Manager installed on the remote host is affected by a command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 78828
published: 2014-11-03
reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/78828
title: Cisco Prime Security Manager GNU Bash Environment Variable Handling Command Injection (cisco-sa-20140926-bash) (Shellshock)

NASL family: CGI abuses
NASL id: BASH_CVE_2014_6278.NASL
description: The remote web server is affected by a command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system. Note that this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 82581
published: 2015-04-06
reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/82581
title: GNU Bash Incomplete Fix Remote Code Injection (Shellshock)

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2014-11503.NASL
description: Disclosure - http://www.openwall.com/lists/oss-security/2014/09/24/10 Behaviour prior to patch: $ env x=
last seen: 2020-03-17
modified: 2014-09-26
plugin id: 77876
published: 2014-09-26
reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/77876
title: Fedora 19 : bash-4.2.47-2.fc19 (2014-11503)

NASL family: Gain a shell remotely
NASL id: BASH_REMOTE_CODE_EXECUTION.NASL
description: The remote host is running a version of Bash that is vulnerable to command injection via environment variable manipulation. Depending on the configuration of the system, an attacker could remotely execute arbitrary code.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 77823
published: 2014-09-24
reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/77823
title: Bash Remote Code Execution (Shellshock)

NASL family: SuSE Local Security Checks
NASL id: OPENSUSE-2014-595.NASL
description:
- Replace patches bash-4.2-heredoc-eof-delim.patch and bash-4.2-parse-exportfunc.patch with the official upstream patch levels bash42-052 and bash42-053
- Replace patch bash-4.2-CVE-2014-7187.patch with upstream patch level bash42-051
- Add patches bash-4.2-heredoc-eof-delim.patch for bsc#898812, CVE-2014-6277: more troubles with functions bash-4.2-parse-exportfunc.patch for bsc#898884, CVE-2014-6278: code execution after original 6271 fix
- Make bash-4.2-extra-import-func.patch an optional patch due instruction
- Remove and replace patches bash-4.2-CVE-2014-6271.patch bash-4.2-BSC898604.patch bash-4.2-CVE-2014-7169.patch with bash upstream patch 48, patch 49, and patch 50
- Add patch bash-4.2-extra-import-func.patch which is based on the BSD patch of Christos. As further enhancements the option import-functions is mentioned in the manual page and a shopt switch is added to enable and disable import-functions on the fly
last seen: 2020-06-05
modified: 2014-10-21
plugin id: 78591
published: 2014-10-21
reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/78591
title: openSUSE Security Update : bash (openSUSE-SU-2014:1310-1) (Shellshock)

NASL family: Junos Local Security Checks
NASL id: JUNIPER_SPACE_JSA10648.NASL
description: According to its self-reported version number, the remote Junos Space version is prior to 14.1R2, and may be affected by a command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 80196
published: 2014-12-22
reporter: This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/80196
title: Juniper Junos Space GNU Bash Command Injection Vulnerability (JSA10648) (Shellshock)

NASL family: Misc.
NASL id: VMWARE_VMSA-2014-0010_REMOTE.NASL
description: The remote VMware ESX host is affected by multiple vulnerabilities in the Bash shell:
- A command injection vulnerability exists in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system. (CVE-2014-6271, CVE-2014-7169, CVE-2014-6277, CVE-2014-6278)
- An out-of-bounds read error exists in the redirection implementation in file parse.y when evaluating untrusted input during stacked redirects handling. A remote attacker can exploit this to cause a denial of service or possibly have other unspecified impact. (CVE-2014-7186)
- An off-by-one overflow condition exists in the read_token_word() function in file parse.y when handling deeply nested flow control structures. A remote attacker can exploit this, by using deeply nested for-loops, to cause a denial of service or possibly execute arbitrary code. (CVE-2014-7187)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 87680
published: 2015-12-30
reporter: This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/87680
title: VMware ESX Multiple Bash Vulnerabilities (VMSA-2014-0010) (Shellshock)

NASL family: CISCO
NASL id: CISCO_TELEPRESENCE_VCS_CSCUR01461.NASL
description: According to its self-reported version number, the version of Cisco TelePresence Video Communication Server is affected by a command injection vulnerability known as Shellshock in its included GNU Bash shell. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system. The API over HTTP(S) and/or SSH can therefore be exploited. An attacker must be authenticated before the system is exposed to this exploit.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 78596
published: 2014-10-21
reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/78596
title: Cisco TelePresence Video Communication Server Bash Remote Code Execution (Shellshock)

NASL family: VMware ESX Local Security Checks
NASL id: VMWARE_VMSA-2014-0010.NASL
description: a. Bash update for multiple products. Bash libraries have been updated in multiple products to resolve multiple critical security issues, also referred to as Shellshock. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187, CVE-2014-6277, CVE-2014-6278 to these issues. VMware products have been grouped into the following four product categories:
I) ESXi and ESX Hypervisor
ESXi is not affected because ESXi uses the Ash shell (through busybox), which is not affected by the vulnerability reported for the Bash shell. ESX has an affected version of the Bash shell. See table 1 for remediation for ESX.
II) Windows-based products
Windows-based products, including all versions of vCenter Server running on Windows, are not affected.
III) VMware (virtual) appliances
VMware (virtual) appliances ship with an affected version of Bash. See table 2 for remediation for appliances.
IV) Products that run on Linux, Android, OSX or iOS (excluding virtual appliances)
Products that run on Linux, Android, OSX or iOS (excluding virtual appliances) might use the Bash shell that is part of the operating system. If the operating system has a vulnerable version of Bash, the Bash security vulnerability might be exploited through the product. VMware recommends that customers contact their operating system vendor for a patch.
MITIGATIONS
VMware encourages restricting access to appliances through firewall rules and other network layer controls to only trusted IP addresses. This measure will greatly reduce any risk to these appliances.
RECOMMENDATIONS
VMware recommends customers evaluate and deploy patches for affected products in Table 1 and 2 below as these patches become available. For several products, both a patch and a product update are available. In general, if a patch is made available, the patch must be applied to the latest version of the appliance. Customers should refer to the specific product Knowledge Base articles listed in Section 4 to understand the type of remediation available and applicable appliance version numbers. Column 4 of the following tables lists the action required to remediate the vulnerability in each release, if a solution is available.
Table 1 - ESXi and ESX Hypervisor
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 78025
published: 2014-10-02
reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/78025
title VMSA-2014-0010 : VMware product updates address critical Bash security vulnerabilities (Shellshock)

NASL family Debian Local Security Checks
NASL id DEBIAN_DSA-3032.NASL
description Stephane Chazelas discovered a vulnerability in bash, the GNU Bourne-Again Shell, related to how environment variables are processed. In many common configurations, this vulnerability is exploitable over the network, especially if bash has been configured as the system shell.
last seen 2020-03-17
modified 2014-09-25
plugin id 77825
published 2014-09-25
reporter This script is Copyright (C) 2014-2020 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/77825
title Debian DSA-3032-1 : bash - security update

NASL family Fedora Local Security Checks
NASL id FEDORA_2014-11514.NASL
description This build should fix CVE-2014-7169 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen 2020-03-17
modified 2014-09-29
plugin id 77939
published 2014-09-29
reporter This script is Copyright (C) 2014-2020 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/77939
title Fedora 19 : bash-4.2.48-2.fc19 (2014-11514) (Shellshock)

NASL family Debian Local Security Checks
NASL id DEBIAN_DSA-3035.NASL
description Tavis Ormandy discovered that the patch applied to fix CVE-2014-6271 released in DSA-3032-1 for bash, the GNU Bourne-Again Shell, was incomplete and could still allow some characters to be injected into another environment (CVE-2014-7169). With this update prefix and suffix for environment variable names which contain shell functions are added as hardening measure.
Additionally two out-of-bounds array accesses in the bash parser are fixed which were revealed in Red Hat
last seen 2020-03-17
modified 2014-09-26
plugin id 77882
published 2014-09-26
reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/77882
title Debian DSA-3035-1 : bash - security update

NASL family Debian Local Security Checks
NASL id DEBIAN_DLA-63.NASL
description Tavis Ormandy discovered that the patch applied to fix CVE-2014-6271 released in DSA-3032-1 for bash, the GNU Bourne-Again Shell, was incomplete and could still allow some characters to be injected into another environment (CVE-2014-7169). With this update prefix and suffix for environment variable names which contain shell functions are added as hardening measure. Additionally two out-of-bounds array accesses in the bash parser are fixed which were revealed in Red Hat
last seen 2020-03-17
modified 2015-03-26
plugin id 82208
published 2015-03-26
reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/82208
title Debian DLA-63-1 : bash security update

NASL family Gentoo Local Security Checks
NASL id GENTOO_GLSA-201409-09.NASL
description The remote host is affected by the vulnerability described in GLSA-201409-09 (Bash: Code Injection) Stephane Chazelas reported that Bash incorrectly handles function definitions, allowing attackers to inject arbitrary code.
Impact : A remote attacker could exploit this vulnerability to execute arbitrary commands even in restricted environments.
Workaround : There is no known workaround at this time.
last seen 2020-04-18
modified 2014-10-06
plugin id 78059
published 2014-10-06
reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/78059
title GLSA-201409-09 : Bash: Code Injection (Shellshock)

NASL family Solaris Local Security Checks
NASL id SOLARIS10_X86_126547.NASL
description Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Bash). The supported version that is affected is 10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Solaris executes to compromise Solaris. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Solaris accessible data. This plugin has been deprecated and either replaced with individual 126547 patch-revision plugins, or deemed non-security related.
last seen 2019-02-21
modified 2018-07-30
plugin id 62115
published 2012-09-17
reporter Tenable
source https://www.tenable.com/plugins/index.php?view=single&id=62115
title Solaris 10 (x86) : 126547-10 (deprecated)

NASL family Solaris Local Security Checks
NASL id SOLARIS10_126546.NASL
description Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Bash). The supported version that is affected is 10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Solaris executes to compromise Solaris. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Solaris accessible data. This plugin has been deprecated and either replaced with individual 126546 patch-revision plugins, or deemed non-security related.
last seen 2019-02-21
modified 2018-07-30
plugin id 62305
published 2012-09-26
reporter Tenable
source https://www.tenable.com/plugins/index.php?view=single&id=62305
title Solaris 10 (sparc) : 126546-10 (deprecated)

NASL family SMTP problems
NASL id SHELLSHOCK_MAIL_AGENTS.NASL
description The remote host appears to be running a mail transfer or mail delivery agent such as Courier, Exim, Postfix, or Procmail. Many of these agents can be configured to run utility scripts for a diverse number of tasks including filtering, sorting, and delivering mail. These scripts may create the conditions that are exploitable, making the agent vulnerable to remote code execution via Shellshock. A negative result from this plugin does not prove conclusively that the remote system is not affected by Shellshock, only that the mail agent running on the system is not configured in such a way to allow remote execution via Shellshock.
last seen 2020-06-01
modified 2020-06-02
plugin id 78701
published 2014-10-28
reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/78701
title Mail Transfer Agent and Mail Delivery Agent Remote Command Execution via Shellshock

NASL family Mandriva Local Security Checks
NASL id MANDRIVA_MDVSA-2015-164.NASL
description Updated bash packages fix security vulnerability : A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue (CVE-2014-6271). This vulnerability can be exposed and exploited through several other pieces of software and should be considered highly critical. Please refer to the RedHat Knowledge Base article and blog post for more information.
It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue (CVE-2014-7169). Bash has been updated to version 4.2 patch level 50, which further mitigates ShellShock-type vulnerabilities. Two such issues have already been discovered (CVE-2014-6277, CVE-2014-6278). See the RedHat article on the backward-incompatible changes introduced by the latest patch, caused by adding prefixes and suffixes to the variable names used for exporting functions. Note that the RedHat article mentions these variable names will have parentheses
last seen 2020-06-01
modified 2020-06-02
plugin id 82417
published 2015-03-30
reporter This script is Copyright (C) 2015-2019 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/82417
title Mandriva Linux Security Advisory : bash (MDVSA-2015:164)

NASL family Fedora Local Security Checks
NASL id FEDORA_2014-11360.NASL
description Disclosure - http://www.openwall.com/lists/oss-security/2014/09/24/10 Behaviour prior to patch : $ env x=
last seen 2020-03-17
modified 2014-09-26
plugin id 77874
published 2014-09-26
reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/77874
title Fedora 20 : bash-4.2.47-4.fc20 (2014-11360)

NASL family Fedora Local Security Checks
NASL id FEDORA_2014-11527.NASL
description This build should fix CVE-2014-7169 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen 2020-03-17
modified 2014-09-29
plugin id 77941
published 2014-09-29
reporter This script is Copyright (C) 2014-2020 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/77941
title Fedora 20 : bash-4.2.48-2.fc20 (2014-11527) (Shellshock)

NASL family Windows
NASL id VMWARE_VCENTER_CONVERTER_2014-0010.NASL
description The version of VMware vCenter Converter installed on the remote Windows host is 5.1.x prior to 5.1.2 or 5.5.x prior to 5.5.3. It is, therefore, affected by the following vulnerabilities :
- A command injection vulnerability exists in GNU Bash known as Shellshock, which is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system. While this host is not directly impacted by Shellshock, the standalone Converter application does deploy a Helper VM during Linux P2V conversions. This Helper VM contains a vulnerable version of Bash. (CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187)
- A memory double-free error exists in
last seen 2020-06-01
modified 2020-06-02
plugin id 79147
published 2014-11-12
reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/79147
title VMware vCenter Converter 5.1.x < 5.1.2 / 5.5.x < 5.5.3 Multiple Vulnerabilities (VMSA-2014-0010) (Shellshock)

NASL family SuSE Local Security Checks
NASL id SUSE_11_BASH-140919.NASL
description bash has been updated to fix a critical security issue. In some circumstances, the shell would evaluate shellcode in environment variables passed at startup time.
This allowed code execution by local or remote attackers who could pass environment variables to bash scripts. (CVE-2014-6271)
last seen 2020-06-05
modified 2014-09-25
plugin id 77850
published 2014-09-25
reporter This script is Copyright (C) 2014-2020 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/77850
title SuSE 11.3 Security Update : bash (SAT Patch Number 9740)

NASL family Solaris Local Security Checks
NASL id SOLARIS9_X86_149080.NASL
description SunOS 5.9_x86: bash patch. Date this patch was last updated by Sun : Sep/30/14
last seen 2020-06-01
modified 2020-06-02
plugin id 78113
published 2014-10-09
reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/78113
title Solaris 9 (x86) : 149080-02

NASL family SMTP problems
NASL id SHELLSHOCK_QMAIL.NASL
description The remote host appears to be running Qmail. A remote attacker can exploit Qmail to execute commands via a specially crafted MAIL FROM header if the remote host has a vulnerable version of Bash. This is due to the fact that Qmail does not properly sanitize input before setting environmental variables. A negative result from this plugin does not prove conclusively that the remote system is not affected by Shellshock, only that Qmail could not be used to exploit the Shellshock flaw.
last seen 2020-06-01
modified 2020-06-02
plugin id 77970
published 2014-09-29
reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/77970
title Qmail Remote Command Execution via Shellshock

NASL family CISCO
NASL id CISCO_UCS_DIRECTOR_CSCUR02877.NASL
description According to its self-reported version, the remote host is running a version of Cisco UCS Director that could be affected by a command injection vulnerability in GNU Bash known as Shellshock, which is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system. Authentication on the system is required before this vulnerability can be exploited.
last seen 2020-06-01
modified 2020-06-02
plugin id 78770
published 2014-10-31
reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/78770
title Cisco UCS Director Code Injection (CSCur02877) (Shellshock)

NASL family Firewalls
NASL id CHECK_POINT_GAIA_SK102673.NASL
description The remote host is running a version of Gaia OS which is affected by issues related to the SHELLSHOCK set of vulnerabilities in bash. An error in the bash functionality that evaluates specially formatted environment variables passed to it from another environment, which may result in remote code execution.
last seen 2020-06-01
modified 2020-06-02
plugin id 104997
published 2017-12-04
reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/104997
title Check Point Gaia Operating Bash Code Injection (sk102673)(SHELLSHOCK)

NASL family Misc.
NASL id MCAFEE_EMAIL_GATEWAY_SB10085.NASL
description The remote host has a version of McAfee Email Gateway (MEG) installed that is affected by a command injection vulnerability in GNU Bash known as Shellshock.
The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
last seen 2020-06-01
modified 2020-06-02
plugin id 79123
published 2014-11-11
reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/79123
title McAfee Email Gateway GNU Bash Code Injection (SB10085) (Shellshock)

NASL family Solaris Local Security Checks
NASL id SOLARIS11_BASH_20141031_2.NASL
description The remote Solaris system is missing necessary patches to address security updates :
- GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka
last seen 2020-06-01
modified 2020-06-02
plugin id 88514
published 2016-02-02
reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/88514
title Oracle Solaris Third-Party Patch Update : bash (multiple_vulnerabilities_in_bash1) (Shellshock)

NASL family General
NASL id SHELLSHOCK_SIP_INVITE.NASL
description The remote host appears to be running SIP. SIP itself is not vulnerable to Shellshock; however, any Bash script that SIP runs for filtering or other routing tasks could potentially be affected if the script exports an environmental variable from the content or headers of a SIP message.
A negative result from this plugin does not prove conclusively that the remote system is not affected by Shellshock, only that any scripts the SIP proxy may be running do not create the conditions that are exploitable via the Shellshock flaw.
last seen 2020-06-01
modified 2020-06-02
plugin id 78822
published 2014-11-03
reporter This script is Copyright (C) 2014-2019 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/78822
title SIP Script Remote Command Execution via Shellshock

NASL family Misc.
NASL id VCENTER_OPERATIONS_MANAGER_VMSA_2014-0010.NASL
description The version of VMware vCenter Operations Manager installed on the remote host is prior to 5.7.3 / 5.8.3. It is, therefore, affected by the environmental variable command injection vulnerability known as
last seen 2020-06-01
modified 2020-06-02
plugin id 78889
published 2014-11-06
reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/78889
title VMware vCenter Operations Management Bash Vulnerabilities (VMSA-2014-0010) (Shellshock)

NASL family Oracle Linux Local Security Checks
NASL id ORACLELINUX_ELSA-2014-1306.NASL
description From Red Hat Security Advisory 2014:1306 : [Updated September 30, 2014] This advisory has been updated with information on restarting system services after applying this update. No changes have been made to the original packages. Updated bash packages that fix one security issue are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The GNU Bourne Again shell (Bash) is a shell and command language interpreter compatible with the Bourne shell (sh). Bash is the default shell for Red Hat Enterprise Linux.
It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. (CVE-2014-7169) Applications which directly create bash functions as environment variables need to be made aware of changes to the way names are handled by this update. Note that certain services, screen sessions, and tmux sessions may need to be restarted, and affected interactive users may need to re-login. Installing these updated packages without restarting services will address the vulnerability, but functionality may be impacted until affected services are restarted. For more information see the Knowledgebase article at https://access.redhat.com/articles/1200223 Note: Docker users are advised to use
last seen 2020-06-01
modified 2020-06-02
plugin id 77951
published 2014-09-29
reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/77951
title Oracle Linux 5 / 6 / 7 : bash (ELSA-2014-1306)

NASL family Solaris Local Security Checks
NASL id SOLARIS9_149079-01.NASL
description SunOS 5.9: bash patch. Date this patch was last updated by Oracle : Sep/26/14
last seen 2019-02-12
modified 2019-02-12
plugin id 77911
published 2014-09-26
reporter Tenable
source https://www.tenable.com/plugins/index.php?view=single&id=77911
title Solaris 9 (sparc) : 149079-01

NASL family Solaris Local Security Checks
NASL id SOLARIS9_149079.NASL
description SunOS 5.9: bash patch.
Date this patch was last updated by Sun : Sep/30/14
last seen 2020-06-01
modified 2020-06-02
plugin id 78112
published 2014-10-09
reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/78112
title Solaris 9 (sparc) : 149079-03

NASL family Palo Alto Local Security Checks
NASL id PALO_ALTO_PAN-SA-2014-0004.NASL
description The remote host is running a version of Palo Alto Networks PAN-OS prior to 5.0.15 / 5.1.10 / 6.0.6 / 6.1.1. It is, therefore, affected by a command injection vulnerability in GNU Bash known as Shellshock, which is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
last seen 2020-06-01
modified 2020-06-02
plugin id 78587
published 2014-10-20
reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/78587
title Palo Alto Networks PAN-OS < 5.0.15 / 5.1.x < 5.1.10 / 6.0.x < 6.0.6 / 6.1.x < 6.1.1 Bash Shell Remote Code Execution (Shellshock)

NASL family Oracle Linux Local Security Checks
NASL id ORACLELINUX_ELSA-2014-1293.NASL
description From Red Hat Security Advisory 2014:1293 : Updated bash packages that fix one security issue are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The GNU Bourne Again shell (Bash) is a shell and command language interpreter compatible with the Bourne shell (sh). Bash is the default shell for Red Hat Enterprise Linux. A flaw was found in the way Bash evaluated certain specially crafted environment variables.
An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. (CVE-2014-6271) For additional information on the CVE-2014-6271 flaw, refer to the Knowledgebase article at https://access.redhat.com/articles/1200223 Red Hat would like to thank Stephane Chazelas for reporting this issue. All bash users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.
last seen 2020-04-18
modified 2014-09-25
plugin id 77848
published 2014-09-25
reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/77848
title Oracle Linux 5 / 6 / 7 : bash (ELSA-2014-1293) (Shellshock)

NASL family SuSE Local Security Checks
NASL id OPENSUSE-2014-563.NASL
description The command-line shell
last seen 2020-06-05
modified 2014-09-29
plugin id 77966
published 2014-09-29
reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/77966
title openSUSE Security Update : bash (openSUSE-SU-2014:1229-1) (Shellshock)

NASL family F5 Networks Local Security Checks
NASL id F5_BIGIP_SOL15629.NASL
description GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.
last seen 2020-06-01
modified 2020-06-02
plugin id 78197
published 2014-10-10
reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/78197
title F5 Networks BIG-IP : Multiple GNU Bash vulnerabilities (SOL15629) (Shellshock)

NASL family FreeBSD Local Security Checks
NASL id FREEBSD_PKG_71AD81DA441411E4A33E3C970E169BC2.NASL
description Chet Ramey reports : Under certain circumstances, bash will execute user code while processing the environment for exported function definitions. The original fix released for CVE-2014-6271 was not adequate. A similar vulnerability was discovered and tagged as CVE-2014-7169.
last seen 2020-04-18
modified 2014-09-25
plugin id 77836
published 2014-09-25
reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/77836
title FreeBSD : bash -- remote code execution vulnerability (71ad81da-4414-11e4-a33e-3c970e169bc2) (Shellshock)

NASL family Red Hat Local Security Checks
NASL id REDHAT-RHSA-2014-1306.NASL
description [Updated September 30, 2014] This advisory has been updated with information on restarting system services after applying this update. No changes have been made to the original packages. Updated bash packages that fix one security issue are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The GNU Bourne Again shell (Bash) is a shell and command language interpreter compatible with the Bourne shell (sh). Bash is the default shell for Red Hat Enterprise Linux.
It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. (CVE-2014-7169) Applications which directly create bash functions as environment variables need to be made aware of changes to the way names are handled by this update. Note that certain services, screen sessions, and tmux sessions may need to be restarted, and affected interactive users may need to re-login. Installing these updated packages without restarting services will address the vulnerability, but functionality may be impacted until affected services are restarted. For more information see the Knowledgebase article at https://access.redhat.com/articles/1200223 Note: Docker users are advised to use
last seen 2020-06-01
modified 2020-06-02
plugin id 77895
published 2014-09-26
reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/77895
title RHEL 5 / 6 / 7 : bash (RHSA-2014:1306)

NASL family Misc.
NASL id VMWARE_NSX_VMSA_2014_0010.NASL
description The version of VMware NSX installed on the remote host is 4.x prior to 4.0.5 / 4.1.4 / 4.2.1 or 6.x prior to 6.0.7 / 6.1.1. It is, therefore, affected by a command injection vulnerability in GNU Bash known as Shellshock, which is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
last seen 2020-06-01
modified 2020-06-02
plugin id 78826
published 2014-11-03
reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/78826
title VMware NSX Bash Environment Variable Command Injection (VMSA-2014-0010) (Shellshock)

NASL family Misc.
NASL id VMWARE_VCENTER_SERVER_APPLIANCE_VMSA-2014-0010.NASL
description The version of VMware vCenter Server Appliance installed on the remote host is 5.0 prior to Update 3b, 5.1 prior to Update 2b, or 5.5 prior to Update 2a. It therefore contains a version of bash that is affected by a command injection vulnerability via environment variable manipulation. Depending on the configuration of the system, an attacker could remotely execute arbitrary code.
last seen 2020-06-01
modified 2020-06-02
plugin id 78508
published 2014-10-16
reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/78508
title VMware vCenter Server Appliance Bash Remote Code Execution (VMSA-2014-0010) (Shellshock)

NASL family Red Hat Local Security Checks
NASL id REDHAT-RHSA-2014-1294.NASL
description Updated bash packages that fix one security issue are now available for Red Hat Enterprise Linux 4 Extended Life Cycle Support, Red Hat Enterprise Linux 5.6 Long Life, Red Hat Enterprise Linux 5.9 Extended Update Support, Red Hat Enterprise Linux 6.2 Advanced Update Support, and Red Hat Enterprise Linux 6.4 Extended Update Support. Red Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The GNU Bourne Again shell (Bash) is a shell and command language interpreter compatible with the Bourne shell (sh). Bash is the default shell for Red Hat Enterprise Linux.
A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. (CVE-2014-6271) For additional information on the CVE-2014-6271 flaw, refer to the Knowledgebase article at https://access.redhat.com/articles/1200223 Red Hat would like to thank Stephane Chazelas for reporting this issue. All bash users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.
last seen 2020-04-18
modified 2014-11-08
plugin id 79051
published 2014-11-08
reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/79051
title RHEL 4 / 5 / 6 : bash (RHSA-2014:1294) (Shellshock)

NASL family SuSE Local Security Checks
NASL id SUSE_11_BASH-140926.NASL
description The command-line shell
last seen 2020-06-05
modified 2014-09-29
plugin id 77958
published 2014-09-29
reporter This script is Copyright (C) 2014-2020 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/77958
title SuSE 11.3 Security Update : bash (SAT Patch Number 9780)

NASL family CISCO
NASL id CISCO_TELEPRESENCE_CONDUCTOR_CSCUR02103.NASL
description According to its self-reported version number, remote Cisco TelePresence Conductor device is affected by a command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system. Note that an attacker must be authenticated before the device is exposed to this exploit.
last seen 2020-06-01
modified 2020-06-02
plugin id 79584
published 2014-11-26
reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/79584
title Cisco TelePresence Conductor Bash Remote Code Execution (Shellshock)

NASL family Scientific Linux Local Security Checks
NASL id SL_20140924_BASH_ON_SL5_X.NASL
description A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. (CVE-2014-6271) For additional information on the CVE-2014-6271 flaw, refer to https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
last seen 2020-03-18
modified 2014-09-26
plugin id 77865
published 2014-09-26
reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/77865
title Scientific Linux Security Update : bash on SL5.x, SL6.x i386/x86_64 (20140924) (Shellshock)

NASL family Fedora Local Security Checks
NASL id FEDORA_2014-11295.NASL
description Disclosure - http://www.openwall.com/lists/oss-security/2014/09/24/10 Behaviour prior to patch : $ env x=
last seen 2020-03-17
modified 2014-09-29
plugin id 77935
published 2014-09-29
reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/77935 title Fedora 21 : bash-4.3.22-3.fc21 (2014-11295) (Shellshock) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2014-1294.NASL description From Red Hat Security Advisory 2014:1294 : Updated bash packages that fix one security issue are now available for Red Hat Enterprise Linux 4 Extended Life Cycle Support, Red Hat Enterprise Linux 5.6 Long Life, Red Hat Enterprise Linux 5.9 Extended Update Support, Red Hat Enterprise Linux 6.2 Advanced Update Support, and Red Hat Enterprise Linux 6.4 Extended Update Support. Red Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The GNU Bourne Again shell (Bash) is a shell and command language interpreter compatible with the Bourne shell (sh). Bash is the default shell for Red Hat Enterprise Linux. A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. (CVE-2014-6271) For additional information on the CVE-2014-6271 flaw, refer to the Knowledgebase article at https://access.redhat.com/articles/1200223 Red Hat would like to thank Stephane Chazelas for reporting this issue. All bash users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. last seen 2020-04-18 modified 2014-09-25 plugin id 77849 published 2014-09-25 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/77849 title Oracle Linux 4 : bash (ELSA-2014-1294) (Shellshock) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1418.NASL description According to the versions of the bash package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.(CVE-2014-7169) - A denial of service flaw was found in the way bash handled popd commands. A poorly written shell script could cause bash to crash resulting in a local denial of service limited to a specific bash session.(CVE-2016-9401) - It was discovered that the fixed-sized redir_stack could be forced to overflow in the Bash parser, resulting in memory corruption, and possibly leading to arbitrary code execution when evaluating untrusted input that would not otherwise be run as code.(CVE-2014-7186) - An off-by-one error was discovered in the way Bash was handling deeply nested flow control constructs. Depending on the layout of the .bss segment, this could allow arbitrary execution of code that would not otherwise be executed by Bash.(CVE-2014-7187) - A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. 
Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.(CVE-2014-6271) - An arbitrary command injection flaw was found in the way bash processed the SHELLOPTS and PS4 environment variables. A local, authenticated attacker could use this flaw to exploit poorly written setuid programs to elevate their privileges under certain circumstances.(CVE-2016-7543) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-04-16 modified 2019-05-14 plugin id 124921 published 2019-05-14 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124921 title EulerOS Virtualization 3.0.1.0 : bash (EulerOS-SA-2019-1418) NASL family Fedora Local Security Checks NASL id FEDORA_2014-11718.NASL description Fix for CVE-2014-7169 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2014-09-29 plugin id 77945 published 2014-09-29 reporter This script is Copyright (C) 2014-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/77945 title Fedora 21 : bash-4.3.25-2.fc21 (2014-11718) (Shellshock) NASL family CISCO NASL id CISCO-SA-CSCUR01959-ASA-CX.NASL description The remote ASA Next-Generation Firewall (NGFW) host is missing a security patch. It is, therefore, affected by a command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. 
This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system. last seen 2020-06-01 modified 2020-06-02 plugin id 78827 published 2014-11-03 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/78827 title Cisco ASA Next-Generation Firewall GNU Bash Environment Variable Handling Command Injection (cisco-sa-20140926-bash) (Shellshock) NASL family Misc. NASL id VMWARE_VSPHERE_REPLICATION_VMSA_2014_0010.NASL description The VMware vSphere Replication installed on the remote host is version 5.1.x prior to 5.1.2.2, 5.5.x prior to 5.5.1.3, 5.6.x prior to 5.6.0.2, or 5.8.x prior to 5.8.0.1. It is, therefore, affected by a command injection vulnerability in GNU Bash known as Shellshock, which is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system last seen 2020-06-01 modified 2020-06-02 plugin id 78771 published 2014-10-31 reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/78771 title VMware vSphere Replication Bash Environment Variable Command Injection Vulnerability (VMSA-2014-0010) (Shellshock) NASL family Misc. NASL id MCAFEE_NGFW_SB10085.NASL description The remote host has a version of McAfee Next Generation Firewall (NGFW) installed that is affected by a command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system. 
last seen 2020-06-01 modified 2020-06-02 plugin id 79234 published 2014-11-13 reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/79234 title McAfee Next Generation Firewall GNU Bash Code Injection (SB10085) (Shellshock) NASL family Misc. NASL id VMWARE_WORKSPACE_PORTAL_VMSA2014-0010.NASL description The version of VMware Workspace Portal (formerly known as VMware Horizon Workspace) installed on the remote host is missing package updates. It is, therefore, affected by the following vulnerabilities in the Bash shell : - A command injection vulnerability exists in GNU Bash known as Shellshock, which is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system. By sending a specially crafted request to a CGI script that passes environment variables, a remote, unauthenticated attacker can execute arbitrary code on the host. (CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169) - An out-of-bounds memory access error exists due to improper redirection implementation in the last seen 2020-06-01 modified 2020-06-02 plugin id 78857 published 2014-11-04 reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc. 
source https://www.tenable.com/plugins/nessus/78857 title VMware Workspace Portal Multiple Bash Shell Vulnerabilities (VMSA-2014-0010) (Shellshock) NASL family SuSE Local Security Checks NASL id OPENSUSE-2014-594.NASL description - Replace patches bash-4.2-heredoc-eof-delim.patch and bash-4.2-parse-exportfunc.patch with the official upstream patch levels bash42-052 and bash42-053 - Replace patch bash-4.2-CVE-2014-7187.patch with upstream patch level bash42-051 - Make bash-4.2-extra-import-func.patch an optional patch due instruction - Remove and replace patches bash-4.2-CVE-2014-6271.patch bash-4.2-BSC898604.patch bash-4.2-CVE-2014-7169.patch with bash upstream patch 48, patch 49, and patch 50 - Add patch bash-4.2-extra-import-func.patch which is based on the BSD patch of Christos. As further enhancements the option import-functions is mentioned in the manual page and a shopt switch is added to enable and disable import-functions on the fly last seen 2020-06-05 modified 2014-10-21 plugin id 78590 published 2014-10-21 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/78590 title openSUSE Security Update : bash (openSUSE-SU-2014:1308-1) (Shellshock) NASL family MacOS X Local Security Checks NASL id MACOSX_SECUPD2014-005.NASL description The remote host is running a version of Mac OS X 10.8 or 10.9 that does not have Security Update 2014-005 applied. This update contains several security-related fixes for the following issues : - A command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system. 
(CVE-2014-6271, CVE-2014-7169) - A man-in-the-middle (MitM) information disclosure vulnerability known as POODLE. The vulnerability is due to the way SSL 3.0 handles padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode. A MitM attacker can decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections. (CVE-2014-3566) Note that successful exploitation of the most serious issues can result in arbitrary code execution. last seen 2020-06-01 modified 2020-06-02 plugin id 78551 published 2014-10-17 reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/78551 title Mac OS X Multiple Vulnerabilities (Security Update 2014-005) (POODLE) (Shellshock) NASL family Solaris Local Security Checks NASL id SOLARIS9_X86_149080-01.NASL description SunOS 5.9_x86: bash patch. 
Date this patch was last updated by Oracle : Sep/26/14 last seen 2019-02-12 modified 2019-02-12 plugin id 77912 published 2014-09-26 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=77912 title Solaris 9 (x86) : 149080-01 NASL family Solaris Local Security Checks NASL id SOLARIS11_BASH_20141031.NASL description The remote Solaris system is missing necessary patches to address security updates : - GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka last seen 2020-06-01 modified 2020-06-02 plugin id 80590 published 2015-01-19 reporter This script is Copyright (C) 2015-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/80590 title Oracle Solaris Third-Party Patch Update : bash (multiple_vulnerabilities_in_bash) (Shellshock) NASL family Scientific Linux Local Security Checks NASL id SL_20140926_BASH_ON_SL5_X.NASL description It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. (CVE-2014-7169) Applications which directly create bash functions as environment variables need to be made aware of changes to the way names are handled by this update. 
Note: Docker users are advised to use last seen 2020-03-18 modified 2014-09-29 plugin id 77956 published 2014-09-29 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/77956 title Scientific Linux Security Update : bash on SL5.x, SL6.x i386/x86_64 (20140926) (Shellshock) NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2014-418.NASL description This ALAS is superceded by ALAS-2014-419. A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. We last seen 2020-04-18 modified 2014-10-12 plugin id 78361 published 2014-10-12 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/78361 title Amazon Linux AMI : bash (ALAS-2014-418) (Shellshock)
Packetstorm
data source https://packetstormsecurity.com/files/download/128418/bashedCgi.rb.txt
id PACKETSTORM:128418
last seen 2016-12-05
published 2014-09-25
reporter Shaun Colley
source https://packetstormsecurity.com/files/128418/bashedCgi-Remote-Command-Execution.html
title bashedCgi Remote Command Execution

data source https://packetstormsecurity.com/files/download/133070/cisco-lfiexec.txt
id PACKETSTORM:133070
last seen 2016-12-05
published 2015-08-13
reporter Bernhard Mueller
source https://packetstormsecurity.com/files/133070/Cisco-Unified-Communications-Manager-Command-Execution.html
title Cisco Unified Communications Manager Command Execution

data source https://packetstormsecurity.com/files/download/128443/morxbash.pl.txt
id PACKETSTORM:128443
last seen 2016-12-05
published 2014-09-26
reporter Simo Ben Youssef
source https://packetstormsecurity.com/files/128443/Gnu-Bash-4.3-CGI-REFERER-Command-Injection.html
title Gnu Bash 4.3 CGI REFERER Command Injection

data source https://packetstormsecurity.com/files/download/131073/qnapws-exec.rb.txt
id PACKETSTORM:131073
last seen 2016-12-05
published 2015-03-27
reporter Patrick Pellegrino
source https://packetstormsecurity.com/files/131073/QNAP-Web-Server-Remote-Code-Execution.html
title QNAP Web Server Remote Code Execution

data source https://packetstormsecurity.com/files/download/128394/bash-poc.txt
id PACKETSTORM:128394
last seen 2016-12-05
published 2014-09-25
reporter Prakhar Prasad
source https://packetstormsecurity.com/files/128394/Bash-Code-Injection-Proof-Of-Concept.html
title Bash Code Injection Proof Of Concept

data source https://packetstormsecurity.com/files/download/128650/dnsbash-exec.txt
id PACKETSTORM:128650
last seen 2016-12-05
published 2014-10-13
reporter Dirk-Willem van Gulik
source https://packetstormsecurity.com/files/128650/DNS-Reverse-Lookup-Shellshock.html
title DNS Reverse Lookup Shellshock

data source https://packetstormsecurity.com/files/download/149467/staublijacquard-shellshock.txt
id PACKETSTORM:149467
last seen 2018-09-22
published 2018-09-21
reporter t4rkd3vilz
source https://packetstormsecurity.com/files/149467/Staubli-Jacquard-Industrial-System-JC6-Shellshock.html
title Staubli Jacquard Industrial System JC6 Shellshock

data source https://packetstormsecurity.com/files/download/139304/trendmicro_IWSVA_shellshock.py.txt
id PACKETSTORM:139304
last seen 2016-12-05
published 2016-10-22
reporter Hacker Fantastic
source https://packetstormsecurity.com/files/139304/TrendMicro-InterScan-Web-Security-Virtual-Appliance-Shellshock.html
title TrendMicro InterScan Web Security Virtual Appliance Shellshock

data source https://packetstormsecurity.com/files/download/128482/ipfire_cgi_shellshock.py.txt
id PACKETSTORM:128482
last seen 2016-12-05
published 2014-09-30
reporter Claudio Viviani
source https://packetstormsecurity.com/files/128482/IPFire-2.15-Bash-Command-Injection.html
title IPFire 2.15 Bash Command Injection

data source https://packetstormsecurity.com/files/download/128444/dhclient_bash_env.rb.txt
id PACKETSTORM:128444
last seen 2016-12-05
published 2014-09-26
reporter Ramon de C Valle
source https://packetstormsecurity.com/files/128444/DHCP-Client-Bash-Environment-Variable-Code-Injection.html
title DHCP Client Bash Environment Variable Code Injection

data source https://packetstormsecurity.com/files/download/140205/rsshellshock.py.txt
id PACKETSTORM:140205
last seen 2016-12-20
published 2016-12-19
reporter Hacker Fantastic
source https://packetstormsecurity.com/files/140205/RSSMON-BEAM-Red-Star-OS-3.0-Shellshock.html
title RSSMON / BEAM (Red Star OS 3.0) Shellshock

data source https://packetstormsecurity.com/files/download/144424/qmail_bash_env_exec.rb.txt
id PACKETSTORM:144424
last seen 2017-09-30
published 2017-09-29
reporter Kyle George
source https://packetstormsecurity.com/files/144424/Qmail-SMTP-Bash-Environment-Variable-Injection-Shellshock.html
title Qmail SMTP Bash Environment Variable Injection (Shellshock)

data source https://packetstormsecurity.com/files/download/128460/bash_environment.rb.txt
id PACKETSTORM:128460
last seen 2016-12-05
published 2014-09-27
reporter egypt
source https://packetstormsecurity.com/files/128460/Dhclient-Bash-Environment-Variable-Injection.html
title Dhclient Bash Environment Variable Injection

data source https://packetstormsecurity.com/files/download/128522/pureftpd_bash_env_exec.rb.txt
id PACKETSTORM:128522
last seen 2016-12-05
published 2014-10-02
reporter Frank Denis
source https://packetstormsecurity.com/files/128522/Pure-FTPd-External-Authentication-Bash-Environment-Variable-Code-Injection.html
title Pure-FTPd External Authentication Bash Environment Variable Code Injection

data source https://packetstormsecurity.com/files/download/128395/bash-exec.txt
id PACKETSTORM:128395
last seen 2016-12-05
published 2014-09-25
reporter Florian Weimer
source https://packetstormsecurity.com/files/128395/Bash-Environment-Variable-Command-Execution.html
title Bash Environment Variable Command Execution

data source https://packetstormsecurity.com/files/download/128425/vmware_bash_function_root.rb.txt
id PACKETSTORM:128425
last seen 2016-12-05
published 2014-09-25
reporter mubix
source https://packetstormsecurity.com/files/128425/Mac-OS-X-VMWare-Fusion-Root-Privilege-Escalation.html
title Mac OS X VMWare Fusion Root Privilege Escalation

data source https://packetstormsecurity.com/files/download/128573/apachemodcgi-shellshock.txt
id PACKETSTORM:128573
last seen 2016-12-05
published 2014-10-06
reporter Federico Galatolo
source https://packetstormsecurity.com/files/128573/Apache-mod_cgi-Remote-Command-Execution.html
title Apache mod_cgi Remote Command Execution

data source https://packetstormsecurity.com/files/download/128520/bash-me-some-more.txt
id PACKETSTORM:128520
last seen 2016-12-05
published 2014-10-01
reporter Michal Zalewski
source https://packetstormsecurity.com/files/128520/Bash-Me-Some-More.html
title Bash Me Some More

data source https://packetstormsecurity.com/files/download/128481/checkCVE20146271.py.txt
id PACKETSTORM:128481
last seen 2016-12-05
published 2014-09-29
reporter Juan Sacco
source https://packetstormsecurity.com/files/128481/GNU-Bash-4.3-Command-Injection.html
title GNU Bash 4.3 Command Injection

data source https://packetstormsecurity.com/files/download/128878/cups_bash_env_exec.rb.txt
id PACKETSTORM:128878
last seen 2016-12-05
published 2014-10-28
reporter Michal Zalewski
source https://packetstormsecurity.com/files/128878/CUPS-Filter-Bash-Environment-Variable-Code-Injection.html
title CUPS Filter Bash Environment Variable Code Injection

data source https://packetstormsecurity.com/files/download/129260/php-5x-bash-shellshock.txt
id PACKETSTORM:129260
last seen 2016-12-05
published 2014-11-25
reporter Saeid Bostandoust
source https://packetstormsecurity.com/files/129260/PHP-5.x-Bash-Shellshock-Proof-Of-Concept.html
title PHP 5.x / Bash Shellshock Proof Of Concept

data source https://packetstormsecurity.com/files/download/150687/futurenetnxrg240-exec.txt
id PACKETSTORM:150687
last seen 2018-12-08
published 2018-12-07
reporter Nassim Asrir
source https://packetstormsecurity.com/files/150687/FutureNet-NXR-G240-Series-ShellShock-Command-Injection.html
title FutureNet NXR-G240 Series ShellShock Command Injection

data source https://packetstormsecurity.com/files/download/128554/shellshock_rce.rb.txt
id PACKETSTORM:128554
last seen 2016-12-05
published 2014-10-03
reporter Fady Mohamed Osman
source https://packetstormsecurity.com/files/128554/Shellshock-Bashed-CGI-RCE.html
title Shellshock Bashed CGI RCE

data source https://packetstormsecurity.com/files/download/134594/advantech_switch_bash_env_exec.rb.txt
id PACKETSTORM:134594
last seen 2016-12-05
published 2015-12-02
reporter H D Moore
source https://packetstormsecurity.com/files/134594/Advantech-Switch-Bash-Environment-Variable-Code-Injection.html
title Advantech Switch Bash Environment Variable Code Injection

data source https://packetstormsecurity.com/files/download/128442/gnu_b4sh_43_rci_v2.py.txt
id PACKETSTORM:128442
last seen 2016-12-05
published 2014-09-26
reporter Claudio Viviani
source https://packetstormsecurity.com/files/128442/Gnu-Bash-4.3-CGI-Scan-Remote-Command-Injection.html
title Gnu Bash 4.3 CGI Scan Remote Command Injection

data source https://packetstormsecurity.com/files/download/137376/ipfire_bashbug_exec.rb.txt
id PACKETSTORM:137376
last seen 2016-12-05
published 2016-06-09
reporter h00die
source https://packetstormsecurity.com/files/137376/IPFire-Bash-Environment-Variable-Injection-Shellshock.html
title IPFire Bash Environment Variable Injection (Shellshock)

data source https://packetstormsecurity.com/files/download/128447/apache_mod_cgi_bash_env_exec.rb.txt
id PACKETSTORM:128447
last seen 2016-12-05
published 2014-09-26
reporter juan vazquez
source https://packetstormsecurity.com/files/128447/Apache-mod_cgi-Bash-Environment-Variable-Code-Injection.html
title Apache mod_cgi Bash Environment Variable Code Injection

data source https://packetstormsecurity.com/files/download/128572/postfixsmtp-shellshock.txt
id PACKETSTORM:128572
last seen 2016-12-05
published 2014-10-06
reporter fattymcwopr
source https://packetstormsecurity.com/files/128572/Postfix-SMTP-Shellshock.html
title Postfix SMTP Shellshock
Redhat
advisories
rpms
Saint
bid 70103
description ShellShock DHCP Server
osvdb 112004
title ssdhcp
type client

bid 70103
description Bash environment variable code injection over HTTP
id shell_bash
osvdb 112004
title bash_shellshock_http
type remote

bid 70103
description Bash Environment Variable Handling Shell Command Injection Via CUPS
id shell_bash
osvdb 112004
title bash_shellshock_cups
type remote
Seebug
bulletinFamily exploit
description No description provided by source.
id SSV:87317
last seen 2017-11-19
modified 2014-10-10
published 2014-10-10
reporter Root
source https://www.seebug.org/vuldb/ssvid-87317
title OpenVPN 2.2.29 - ShellShock Exploit

bulletinFamily exploit
description

1. Update history

- First edition, 2014/9/26 noon: first edition completed.
- Second edition, 2014/9/26 afternoon: (1) added attack statistics from the Jiasule defense platform; (2) improved the remediation advice.
- Third edition, 2014/9/27 afternoon: (1) the Shellshock official site appeared: shellshocker.net; (2) updated the vulnerability summary; (3) added a source-level analysis of the vulnerability remaining after the patch bypass (CVE-2014-7169); (4) added ZoomEye data set 4: QNAP NAS; (5) added ZoomEye data set 5: CheckPoint security gateways; (6) improved the remediation advice; (7) added related resource links.
- Fourth edition, 2014/10/14 evening: (1) updated the vulnerability summary with more details; (2) added ZoomEye data set 6: Mirapoint mail servers; (3) added ZoomEye data set 7: AVAYA IP phones; (4) updated all ZoomEye data sets; (5) improved the other conclusions.

2. Vulnerability summary

On September 24, 2014, a serious security vulnerability in Bash was disclosed and assigned CVE-2014-6271. It allows remote attackers to execute arbitrary code on affected systems.

GNU Bash is a Unix shell written for the GNU Project and widely used on Linux systems. It started out as a simple terminal-based command interpreter.

2.1. Vulnerability description

GNU Bash 4.3 and earlier have a security flaw in the way they evaluate certain crafted environment variables. Appending extra strings after a function definition inside an environment variable's value triggers the flaw, which an attacker can use to change or bypass environment restrictions and execute shell commands. Certain services and applications allow unauthenticated remote attackers to supply environment variables and thereby exploit the flaw. The flaw arises because environment variables with crafted values can be created before the Bash shell is invoked. These variables can contain code, which is executed as soon as the shell is invoked.

The following points deserve special attention:

- The vulnerability's English name is ShellShock; XCERT gave it the Chinese name 破壳漏洞.
- CVSS score: Shellshock's severity is rated 10 (the highest), whereas the OpenSSL "Heartbleed" vulnerability that broke out in April this year was rated only 5!
- The Shellshock flaw has existed for 25 years, as long as Bash itself.

2.2. Vulnerability impact

GNU Bash <= 4.3. This vulnerability may affect the following.

Note: the points below are taken from https://raw.githubusercontent.com/citypw/DNFWAH/master/4/d4_0x07_DNFWAH_shellshock_bash_story_cve-2014-6271.txt, and we have verified that the conclusions hold.

- Where ForceCommand is used in the sshd configuration to restrict the commands remote users may run, this vulnerability can bypass the restriction and run any command. Restricted shells in some Git and Subversion deployments are affected in the same way. Normal OpenSSH usage is not affected.
- Apache servers using mod_cgi or mod_cgid are affected if the CGI scripts are written in Bash or run in a subshell. Subshells created with system/popen in C, os.system/os.popen in Python, system/exec in PHP (CGI mode) and open/system in Perl are all affected.
- PHP scripts executed under mod_php are not affected.
- DHCP clients that invoke shell scripts and take environment variable values from a malicious remote server can be exploited through this vulnerability.
- Daemons and SUID programs that execute shell scripts in an environment where environment variables have been set may also be affected.
- Any other program that executes shell scripts with Bash as the interpreter may be affected. Shell scripts are not affected when nothing is exported.

2.3. Vulnerability verification

The following commands can be used to check whether a system has this vulnerability (run them in the local Bash environment).

Shellshock 1, CVE-2014-6271, test method:

    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the output is as follows, the system is vulnerable:

    vulnerable
    this is a test

Note: for a source-level analysis of CVE-2014-6271, see:
http://blog.knownsec.com/2014/09/bash_3-0-4-3-command-exec-analysis/

After Shellshock 1 was patched, the patch was bypassed, which gave rise to Shellshock 2.

Shellshock 2, CVE-2014-7169, test method:

    env -i X='() { (a)=>\' bash -c 'echo date'; cat echo

If the output is as follows, the vulnerability is still present:

    bash: X: line 1: syntax error near unexpected token `='
    bash: X: line 1: `'
    bash: error importing function definition for `X'
    Wed Sep 24 14:12:49 PDT 2014

Note: for a source-level analysis of CVE-2014-7169, see:
http://blog.knownsec.com/2014/09/bash_3-0-4-3-command-exec-patch-bypass-analysis/

Besides these two most closely watched Shellshock CVEs, several others are listed on shellshocker.net. Their impact is much smaller by comparison, and they are described briefly here.

Shellshock 3, CVE unknown, test method:

    env X=' () { }; echo vulnerable' bash -c 'date'

If the command above prints "vulnerable", the system is vulnerable.

This one is very similar to Shellshock 1 and has no CVE, so no assessment is given.

Shellshock 4, CVE-2014-7186, test method:

    bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' ||echo "CVE-2014-7186 vulnerable, redir_stack"

If the command above prints "CVE-2014-7186 vulnerable, redir_stack", the system is vulnerable.

Shellshock 5, CVE-2014-7187, test method:

    (for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash ||echo "CVE-2014-7187 vulnerable, word_lineno"

If the command above prints "CVE-2014-7187 vulnerable, word_lineno", the system is vulnerable.

Shellshock 6, CVE-2014-6278, test method:

    shellshocker='() { echo vulnerable; }' bash -c shellshocker

If the command above prints "vulnerable", the system is vulnerable; otherwise Bash reports that the command shellshocker was not found.

This looks more like a Bash feature, yet it was treated as a vulnerability.

Shellshock 7, CVE-2014-6277, test method:

    bash -c "f() { x() { _;}; x() { _;} <<a; }" 2>/dev/null || echo vulnerable

If the command above prints "vulnerable", the system is vulnerable.

The first two Shellshock vulnerabilities (especially the first, CVE-2014-6271) have a direct and very broad impact and have drawn the most attention. The later ones turned out to be of little practical use in actual testing, but they point to a serious problem: Bash has existed for 25 years without ever facing real security scrutiny, and these globally popular open-source components probably all have security problems of this kind.

3. ZoomEye emergency response summary

Shellshock is indeed an extremely dangerous vulnerability, worse than "Heartbleed", which broke out on April 8 this year. Detecting it is complicated, however: the test method differs from component to component, so the overall impact is hard to assess. What is certain is that all Bash versions <= 4.3 are affected, and that Bash runs on at least on the order of ten billion devices, because Bash is the most popular Linux shell.

The ZoomEye team at Knownsec (ZoomEye, the 钟馗之眼 cyberspace detection system) combined several detection methods and reached some conclusions about the impact.

Note: every affected system below can be attacked directly and remotely and is rated high risk!

3.1. Data set 1

2014/9/26

We found that Sangfor's application delivery management system is affected by Shellshock. ZoomEye's dedicated probing found 13254 devices in mainland China that are affected and can be attacked directly and remotely.

Using Shellshock, root privileges on the server can be obtained directly:

[Image 1]

2014/10/6

We re-checked these 13254 vulnerable devices and found 908 still unpatched, a patch rate of 93.1%.

2014/10/14

A third check found the same 908 still unpatched. Have these devices been forgotten?

3.2. Data set 2

2014/9/26

ZoomEye ran fuzzing probes with the following fuzzing list:

/cgi-bin/load.cgi
/cgi-bin/gsweb.cgi
/cgi-bin/redirector.cgi
/cgi-bin/test.cgi
/cgi-bin/index.cgi
/cgi-bin/help.cgi
/cgi-bin/about.cgi
/cgi-bin/vidredirect.cgi
/cgi-bin/click.cgi
/cgi-bin/details.cgi
/cgi-bin/log.cgi
/cgi-bin/viewcontent.cgi
/cgi-bin/content.cgi
/cgi-bin/admin.cgi
/cgi-bin/webmail.cgi

Roughly 142000 hosts worldwide are affected. Because the fuzzing rules are incomplete, the count is certainly incomplete as well, but the figure at least shows that the surface open to direct remote attack is large.

3.3. Data set 3

2014/9/26

We saw that the masscan authors published a post:

http://blog.erratasec.com/2014/09/bash-shellshock-bug-is-wormable.html

Their global scan concluded that at least 1.5 million are affected, using a very simple check that only sends a direct request to port 80 of each host. We are also verifying this conclusion.

3.4. Data set 4

2014/9/26

2014/10/6

We found that QNAP's NAS storage devices are affected by Shellshock. ZoomEye probed port 8080 of QNAP NAS devices at scale; progress so far is as follows:

| Country/region | Affected devices, 9/26 | Affected devices, 10/6 | Fix rate |
| Mainland China | 1010 | 421 | 58.3% |
| Taiwan | 4579 | 2020 | 55.9% |
| United States | 4633 | 2363 | 49.0% |
| Hong Kong | 2492 | 1284 | 48.5% |
| Japan | 5158 | 2708 | 47.5% |
| South Korea | 2130 | 1463 | 31.3% |

Using Shellshock, admin privileges (the highest) on a QNAP NAS can be obtained:

[Image 2]

As the fix rates in the table above show, compared with the first data set, which had been reported, the average fix rate for QNAP NAS is below 49%. The response has been much slower.

3.5. Data set 5

2014/9/27

We found that CheckPoint security gateways and related products are affected by Shellshock. ZoomEye probed port 80 of CheckPoint-related devices at scale and found 71 affected devices in mainland China.

Using Shellshock, root privileges on CheckPoint-related devices can be obtained:

[Image 3]

2014/10/14

A re-check found 52 still affected.

3.6. Data set 6

2014/9/27

We found that the Mirapoint mail server (Message Server) is affected by Shellshock. ZoomEye probed port 443 of Mirapoint mail servers at scale and found 36 affected devices in mainland China. The WooYun website also reported on this device's vulnerability and issued a vulnerability alert.

Using Shellshock, access to the Mirapoint mail server can be obtained directly and easily escalated to root.

2014/10/14

A re-check found 5 still affected.

3.7. Data set 7

2014/10/6

Based on internal feedback from XCERT, we confirmed that AVAYA IP phones are affected by Shellshock. ZoomEye probed port 443 of AVAYA IP phones at scale and found 4 affected devices in mainland China.

Using Shellshock, access to the AVAYA IP phone server can be obtained directly.

2014/10/14

A re-check found these 4 still unpatched.

As these data sets show, the detection methods all differ. Extending them further would gradually give a clearer and clearer picture of the impact (systems open to direct remote attack); more results are still to come.

The data sets also support another conclusion: devices that were not exposed or reported are patched very slowly, and even devices that were exposed or reported do not reach 100% patching.

4. Jiasule cloud defense platform emergency response summary

Statistics as of 2014/9/26 12:00:

The Knownsec Jiasule team's emergency response blocked 1759 Shellshock attacks!

The chart below shows hourly Shellshock activity on 2014/9/25:

[Image: hourly Shellshock activity trend, 2014/9/25]

As the chart shows, the Jiasule cloud defense platform had added rules before the outbreak of the vulnerability.

Blocking statistics for 2014/9/25:

- Total blocked: 1,759
- Sites attacked: 214
- Sites successfully attacked: 0
- Attacking IPs: 6

The Jiasule cloud defense platform gives an indirect view of how frenzied the activity around this vulnerability is.

5. Other conclusions

Our overnight analysis produced some further reliable conclusions for reference:

5.1. A Shellshock worm has begun spreading worldwide, probably using masscan for large-scale implantation.

The worm code is here:

https://gist.github.com/anonymous/929d622f3b36b00c0be1

For more on the Shellshock worm, see Antiy's analysis, "Analysis Report on Malicious Code Samples Related to the Shellshock Vulnerability: Shellshock Analysis, Part 2":

http://www.antiy.com/response/Analysis_Report_on_Sample_Set_of_Bash_Shellshock.html

5.2. DHCP services are affected, which means Shellshock is by no means only a matter for Linux servers!

POC details are here:

https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/

http://d.uijn.nl/?p=32

5.3. Shellshock scanning over the SIP protocol has also begun!

https://github.com/zaf/sipshock

5.4. In certain configurations, OpenVPN is also affected by Shellshock.

http://www.darknet.org.uk/2014/10/openvpn-vulnerable-to-shellshock-exploit/

5.5. Published details of Shellshock exploitation worldwide can be seen here:

https://github.com/mubix/shellshocker-pocs

Some mail services, such as Exim, Qmail, Procmail and Postfix.

Some major vendors: Cisco, Juniper, cPanel and others.

6. Remediation advice

Bash can now be upgraded as follows:

- Ubuntu/Debian:
    apt-get update
    apt-get install bash
- RedHat/CentOS/Fedora:
    yum update -y bash
- Arch Linux:
    pacman -Syu
- OS X:
    brew update
    brew install bash
    sudo sh -c 'echo "/usr/local/bin/bash" >> /etc/shells'
    chsh -s /usr/local/bin/bash
    sudo mv /bin/bash /bin/bash-backup
    sudo ln -s /usr/local/bin/bash /bin/bash
- MacPorts:
    sudo port selfupdate
    sudo port upgrade bash

After upgrading, use the checks above to confirm that the patch is complete.

7. Related resources

- ShellShock official site: https://shellshocker.net/

Source: http://blog.knownsec.com/2014/10/shellshock_response_profile_v4/

id SSV:88877
last seen 2017-11-19
modified 2014-09-26
published 2014-09-26
reporter Root
source https://www.seebug.org/vuldb/ssvid-88877
title Bash 4.3 Remote Command Execution Vulnerability (Shellshock)

bulletinFamily exploit
description No description provided by source.
id SSV:87270
last seen 2017-11-19
modified 2014-09-29
published 2014-09-29
reporter Root
source https://www.seebug.org/vuldb/ssvid-87270
title GNU bash Environment Variable Command Injection (MSF)

bulletinFamily exploit
description No description provided by source.
id SSV:87331 last seen 2017-11-19 modified 2014-11-13 published 2014-11-13 reporter Root source https://www.seebug.org/vuldb/ssvid-87331 title CUPS Filter Bash Environment Variable Code Injection bulletinFamily exploit description No description provided by source. id SSV:87294 last seen 2017-11-19 modified 2014-10-10 published 2014-10-10 reporter Root source https://www.seebug.org/vuldb/ssvid-87294 title IPFire Cgi Web Interface Authenticated Bash Environment Variable Code Injection exploit
The Hacker News
id: THN:EC04962528DE0054EC31C2501125E303
last seen: 2018-01-27
modified: 2014-11-17
published: 2014-11-17
reporter: Swati Khandelwal
source: https://thehackernews.com/2014/11/bashlite-malware-leverages-shellshock.html
title: BASHLITE Malware leverages ShellShock Bug to Hijack Devices Running BusyBox

id: THN:1859301C4A1DFB7CAC529CC0D8AA84DD
last seen: 2018-01-27
modified: 2014-09-25
published: 2014-09-24
reporter: Mohit Kumar
source: https://thehackernews.com/2014/09/bash-shell-vulnerability-shellshock.html
title: Remotely Exploitable 'Bash Shell' Vulnerability Affects Linux, Unix and Apple Mac OS X

id: THN:491E94A14CDEFCFFF9753033F61D1E0E
last seen: 2018-01-27
modified: 2014-09-27
published: 2014-09-26
reporter: Mohit Kumar
source: https://thehackernews.com/2014/09/Shellshock-Bash-Vulnerability-exploit.html
title: Hackers Using 'Shellshock' Bash Vulnerability to Launch Botnet Attacks
References
- http://advisories.mageia.org/MGASA-2014-0388.html
- http://archives.neohapsis.com/archives/bugtraq/2014-10/0101.html
- http://jvn.jp/en/jp/JVN55667175/index.html
- http://jvndb.jvn.jp/jvndb/JVNDB-2014-000126
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10673
- http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html
- http://linux.oracle.com/errata/ELSA-2014-1293.html
- http://linux.oracle.com/errata/ELSA-2014-1294.html
- http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00028.html
- http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00029.html
- http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00034.html
- http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00037.html
- http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00040.html
- http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00044.html
- http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00049.html
- http://lists.opensuse.org/opensuse-security-announce/2014-10/msg00004.html
- http://lists.opensuse.org/opensuse-updates/2014-10/msg00023.html
- http://lists.opensuse.org/opensuse-updates/2014-10/msg00025.html
- http://marc.info/?l=bugtraq&m=141216207813411&w=2
- http://marc.info/?l=bugtraq&m=141216668515282&w=2
- http://marc.info/?l=bugtraq&m=141235957116749&w=2
- http://marc.info/?l=bugtraq&m=141319209015420&w=2
- http://marc.info/?l=bugtraq&m=141330425327438&w=2
- http://marc.info/?l=bugtraq&m=141330468527613&w=2
- http://marc.info/?l=bugtraq&m=141345648114150&w=2
- http://marc.info/?l=bugtraq&m=141383026420882&w=2
- http://marc.info/?l=bugtraq&m=141383081521087&w=2
- http://marc.info/?l=bugtraq&m=141383138121313&w=2
- http://marc.info/?l=bugtraq&m=141383196021590&w=2
- http://marc.info/?l=bugtraq&m=141383244821813&w=2
- http://marc.info/?l=bugtraq&m=141383304022067&w=2
- http://marc.info/?l=bugtraq&m=141383353622268&w=2
- http://marc.info/?l=bugtraq&m=141383465822787&w=2
- http://marc.info/?l=bugtraq&m=141450491804793&w=2
- http://marc.info/?l=bugtraq&m=141576728022234&w=2
- http://marc.info/?l=bugtraq&m=141577137423233&w=2
- http://marc.info/?l=bugtraq&m=141577241923505&w=2
- http://marc.info/?l=bugtraq&m=141577297623641&w=2
- http://marc.info/?l=bugtraq&m=141585637922673&w=2
- http://marc.info/?l=bugtraq&m=141694386919794&w=2
- http://marc.info/?l=bugtraq&m=141879528318582&w=2
- http://marc.info/?l=bugtraq&m=142113462216480&w=2
- http://marc.info/?l=bugtraq&m=142118135300698&w=2
- http://marc.info/?l=bugtraq&m=142358026505815&w=2
- http://marc.info/?l=bugtraq&m=142358078406056&w=2
- http://marc.info/?l=bugtraq&m=142546741516006&w=2
- http://marc.info/?l=bugtraq&m=142719845423222&w=2
- http://marc.info/?l=bugtraq&m=142721162228379&w=2
- http://marc.info/?l=bugtraq&m=142805027510172&w=2
- http://packetstormsecurity.com/files/128517/VMware-Security-Advisory-2014-0010.html
- http://packetstormsecurity.com/files/128567/CA-Technologies-GNU-Bash-Shellshock.html
- http://packetstormsecurity.com/files/128573/Apache-mod_cgi-Remote-Command-Execution.html
- http://packetstormsecurity.com/files/137376/IPFire-Bash-Environment-Variable-Injection-Shellshock.html
- http://packetstormsecurity.com/files/161107/SonicWall-SSL-VPN-Shellshock-Remote-Code-Execution.html
- http://rhn.redhat.com/errata/RHSA-2014-1293.html
- http://rhn.redhat.com/errata/RHSA-2014-1294.html
- http://rhn.redhat.com/errata/RHSA-2014-1295.html
- http://rhn.redhat.com/errata/RHSA-2014-1354.html
- http://seclists.org/fulldisclosure/2014/Oct/0
- http://secunia.com/advisories/58200
- http://secunia.com/advisories/59272
- http://secunia.com/advisories/59737
- http://secunia.com/advisories/59907
- http://secunia.com/advisories/60024
- http://secunia.com/advisories/60034
- http://secunia.com/advisories/60044
- http://secunia.com/advisories/60055
- http://secunia.com/advisories/60063
- http://secunia.com/advisories/60193
- http://secunia.com/advisories/60325
- http://secunia.com/advisories/60433
- http://secunia.com/advisories/60947
- http://secunia.com/advisories/61065
- http://secunia.com/advisories/61128
- http://secunia.com/advisories/61129
- http://secunia.com/advisories/61188
- http://secunia.com/advisories/61283
- http://secunia.com/advisories/61287
- http://secunia.com/advisories/61291
- http://secunia.com/advisories/61312
- http://secunia.com/advisories/61313
- http://secunia.com/advisories/61328
- http://secunia.com/advisories/61442
- http://secunia.com/advisories/61471
- http://secunia.com/advisories/61485
- http://secunia.com/advisories/61503
- http://secunia.com/advisories/61542
- http://secunia.com/advisories/61547
- http://secunia.com/advisories/61550
- http://secunia.com/advisories/61552
- http://secunia.com/advisories/61565
- http://secunia.com/advisories/61603
- http://secunia.com/advisories/61633
- http://secunia.com/advisories/61641
- http://secunia.com/advisories/61643
- http://secunia.com/advisories/61654
- http://secunia.com/advisories/61676
- http://secunia.com/advisories/61700
- http://secunia.com/advisories/61703
- http://secunia.com/advisories/61711
- http://secunia.com/advisories/61715
- http://secunia.com/advisories/61780
- http://secunia.com/advisories/61816
- http://secunia.com/advisories/61855
- http://secunia.com/advisories/61857
- http://secunia.com/advisories/61873
- http://secunia.com/advisories/62228
- http://secunia.com/advisories/62312
- http://secunia.com/advisories/62343
- http://support.apple.com/kb/HT6495
- http://support.novell.com/security/cve/CVE-2014-6271.html
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
- http://www.debian.org/security/2014/dsa-3032
- http://www.kb.cert.org/vuls/id/252743
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:164
- http://www.novell.com/support/kb/doc.php?id=7015701
- http://www.novell.com/support/kb/doc.php?id=7015721
- http://www.oracle.com/technetwork/topics/security/bashcve-2014-7169-2317675.html
- http://www.qnap.com/i/en/support/con_show.php?cid=61
- http://www.securityfocus.com/archive/1/533593/100/0/threaded
- http://www.securityfocus.com/bid/70103
- http://www.ubuntu.com/usn/USN-2362-1
- http://www.us-cert.gov/ncas/alerts/TA14-268A
- http://www.vmware.com/security/advisories/VMSA-2014-0010.html
- http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0
- http://www-01.ibm.com/support/docview.wss?uid=isg3T1021272
- http://www-01.ibm.com/support/docview.wss?uid=isg3T1021279
- http://www-01.ibm.com/support/docview.wss?uid=isg3T1021361
- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004879
- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004897
- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004898
- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004915
- http://www-01.ibm.com/support/docview.wss?uid=swg21685541
- http://www-01.ibm.com/support/docview.wss?uid=swg21685604
- http://www-01.ibm.com/support/docview.wss?uid=swg21685733
- http://www-01.ibm.com/support/docview.wss?uid=swg21685749
- http://www-01.ibm.com/support/docview.wss?uid=swg21685914
- http://www-01.ibm.com/support/docview.wss?uid=swg21686084
- http://www-01.ibm.com/support/docview.wss?uid=swg21686131
- http://www-01.ibm.com/support/docview.wss?uid=swg21686246
- http://www-01.ibm.com/support/docview.wss?uid=swg21686445
- http://www-01.ibm.com/support/docview.wss?uid=swg21686447
- http://www-01.ibm.com/support/docview.wss?uid=swg21686479
- http://www-01.ibm.com/support/docview.wss?uid=swg21686494
- http://www-01.ibm.com/support/docview.wss?uid=swg21687079
- http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5096315
- https://access.redhat.com/articles/1200223
- https://access.redhat.com/node/1200223
- https://bugzilla.redhat.com/show_bug.cgi?id=1141597
- https://help.ecostruxureit.com/display/public/UADCO8x/StruxureWare+Data+Center+Operation+Software+Vulnerability+Fixes
- https://kb.bluecoat.com/index?page=content&id=SA82
- https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10648
- https://kc.mcafee.com/corporate/index?page=content&id=SB10085
- https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
- https://support.apple.com/kb/HT6535
- https://support.citrix.com/article/CTX200217
- https://support.citrix.com/article/CTX200223
- https://support.f5.com/kb/en-us/solutions/public/15000/600/sol15629.html
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c04497075
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c04518183
- https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk102673&src=securityAlerts
- https://www.arista.com/en/support/advisories-notices/security-advisories/1008-security-advisory-0006
- https://www.exploit-db.com/exploits/34879/
- https://www.exploit-db.com/exploits/37816/
- https://www.exploit-db.com/exploits/38849/
- https://www.exploit-db.com/exploits/39918/
- https://www.exploit-db.com/exploits/40619/
- https://www.exploit-db.com/exploits/40938/
- https://www.exploit-db.com/exploits/42938/
- https://www.suse.com/support/shellshock/