Vulnerabilities > CVE-2014-7186 - Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in GNU Bash

CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
gnu
CWE-119
critical
nessus
exploit available

Summary

The redirection implementation in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via crafted use of here documents, aka the "redir_stack" issue.
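The two parser bugs this page and the Red Hat advisory below describe (the redir_stack overrun via stacked here-documents, CVE-2014-7186, and the off-by-one in deeply nested flow control, CVE-2014-7187) can both be probed locally without an exploit. The script below is an added example, not code from this page, from GNU Bash or from Tenable; it wraps the widely circulated Shellshock test one-liners. It assumes a `bash` binary on PATH (or a path passed as the first argument) and relies on the parse.y array sizes (redir_stack holds 10 entries, word_lineno 128) stated in the comments, which are taken from the upstream source rather than from this page. A vulnerable bash crashes on the probe (non-zero exit, typically 139 for SIGSEGV); a patched one exits 0.

```shell
#!/bin/sh
# Local probes for CVE-2014-7186 (redir_stack) and CVE-2014-7187 (word_lineno).
# Return codes for both functions: 0 = patched, 1 = vulnerable, 2 = no bash found.

# CVE-2014-7186: redir_stack[] in parse.y has 10 slots. Fourteen pending
# here-documents on a single command walk past the end of it on an
# unpatched bash <= 4.3 patch 26. A patched bash only warns about the
# missing here-document bodies and exits 0.
check_redir_stack() {
    b=${1:-bash}
    command -v "$b" >/dev/null 2>&1 || return 2
    if "$b" -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# CVE-2014-7187: word_lineno[] (MAX_CASE_NEST = 128) is indexed one past its
# end when flow-control constructs nest deeply enough. Feeding 200 nested
# empty "for" loops through the parser triggers it; each loop body runs zero
# times, so a patched bash just returns 0.
check_word_lineno() {
    b=${1:-bash}
    command -v "$b" >/dev/null 2>&1 || return 2
    {
        i=1
        while [ "$i" -le 200 ]; do echo "for x$i in ; do :"; i=$((i + 1)); done
        i=1
        while [ "$i" -le 200 ]; do echo "done"; i=$((i + 1)); done
    } | "$b" >/dev/null 2>&1 && return 0
    return 1
}

# Map a return code to a one-word verdict (used by the report below).
verdict() {
    case "$1" in
        0) echo "patched" ;;
        1) echo "VULNERABLE" ;;
        *) echo "bash-not-found" ;;
    esac
}

rc=0; check_redir_stack "$1" || rc=$?
echo "CVE-2014-7186 (redir_stack):  $(verdict "$rc")"
rc=0; check_word_lineno "$1" || rc=$?
echo "CVE-2014-7187 (word_lineno):  $(verdict "$rc")"
```

Run it with no arguments to test the bash on PATH, or pass an explicit path (for example an older build kept for comparison) to test that binary instead. Because both probes only exercise the parser, they are safe to run on production hosts; they do not cover the function-import bugs (CVE-2014-6271, CVE-2014-7169, CVE-2014-6277, CVE-2014-6278), which need the separate environment-variable tests.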

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Exploit-Db

descriptionGNU bash 4.3.11 Environment Variable dhclient Exploit. CVE-2014-3659,CVE-2014-3671,CVE-2014-6271,CVE-2014-6277,CVE-2014-62771,CVE-2014-6278,CVE-2014-7169,CVE...
idEDB-ID:34860
last seen2016-02-04
modified2014-10-02
published2014-10-02
reporter@0x00string
sourcehttps://www.exploit-db.com/download/34860/
titleGNU bash 4.3.11 Environment Variable dhclient Exploit

Nessus

  • NASL familyCISCO
    NASL idCISCO-SA-20140926-BASH-NXOS.NASL
    descriptionAccording to its self-reported version, the remote NX-OS device is affected by a command injection vulnerability in GNU Bash known as Shellshock, which is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
    last seen2020-06-01
    modified2020-06-02
    plugin id78693
    published2014-10-27
    reporterThis script is Copyright (C) 2014-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/78693
    titleCisco NX-OS GNU Bash Environment Variable Command Injection Vulnerability (cisco-sa-20140926-bash) (Shellshock)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(78693);
      script_version("1.15");
      script_cvs_date("Date: 2019/10/29 10:38:39");
    
      script_cve_id(
        "CVE-2014-6271",
        "CVE-2014-6277",
        "CVE-2014-6278",
        "CVE-2014-7169",
        "CVE-2014-7186",
        "CVE-2014-7187"
      );
      script_bugtraq_id(
        70103,
        70137,
        70152,
        70154,
        70165,
        70166
      );
      script_xref(name:"IAVA", value:"2014-A-0142");
      script_xref(name:"CISCO-BUG-ID", value:"CSCur01099");
      script_xref(name:"CISCO-BUG-ID", value:"CSCur04438");
      script_xref(name:"CISCO-BUG-ID", value:"CSCur04510");
      script_xref(name:"CISCO-BUG-ID", value:"CSCur05529");
      script_xref(name:"CISCO-BUG-ID", value:"CSCur05610");
      script_xref(name:"CISCO-BUG-ID", value:"CSCur05017");
      script_xref(name:"CISCO-BUG-ID", value:"CSCuq98748");
      script_xref(name:"CISCO-BUG-ID", value:"CSCur02102");
      script_xref(name:"CISCO-BUG-ID", value:"CSCur02700");
      script_xref(name:"CISCO-SA", value:"cisco-sa-20140926-bash");
      script_xref(name:"CERT", value:"252743");
      script_xref(name:"EDB-ID", value:"34765");
      script_xref(name:"EDB-ID", value:"34766");
      script_xref(name:"EDB-ID", value:"34777");
    
      script_name(english:"Cisco NX-OS GNU Bash Environment Variable Command Injection Vulnerability (cisco-sa-20140926-bash) (Shellshock)");
      script_summary(english:"Checks the NX-OS version.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote device is running a version of NX-OS that is affected by
    Shellshock.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version, the remote NX-OS device is
    affected by a command injection vulnerability in GNU Bash known as
    Shellshock, which is due to the processing of trailing strings after
    function definitions in the values of environment variables. This
    allows a remote attacker to execute arbitrary code via environment
    variable manipulation depending on the configuration of the system.");
      # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?df19d2c1");
      script_set_attribute(attribute:"see_also", value:"http://seclists.org/oss-sec/2014/q3/650");
      script_set_attribute(attribute:"see_also", value:"https://www.invisiblethreat.ca/post/shellshock/");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to the suggested fixed version referred to in the relevant
    Cisco bug ID. Note that some fixed versions have not been released
    yet. Please contact the vendor for details.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'CUPS Filter Bash Environment Variable Code Injection (Shellshock)');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/09/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/10/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/10/27");
    
      script_set_attribute(attribute:"plugin_type", value:"combined");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:nx-os");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CISCO");
    
      script_copyright(english:"This script is Copyright (C) 2014-2019 Tenable Network Security, Inc.");
    
      script_dependencies("cisco_nxos_version.nasl");
      script_require_keys("Host/Cisco/NX-OS/Version", "Host/Cisco/NX-OS/Device", "Host/Cisco/NX-OS/Model");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    device = get_kb_item_or_exit("Host/Cisco/NX-OS/Device");
    model = get_kb_item_or_exit("Host/Cisco/NX-OS/Model");
    version = get_kb_item_or_exit("Host/Cisco/NX-OS/Version");
    
    fixed = '';
    bug_ID = '';
    
    # MDS 9000 NX-OS prior to 5.0(8a) / 5.2(8e) / 6.2(9a)
    if (device == 'MDS' && model =~ "^9[0-9][0-9][0-9]([^0-9]|$)")
    {
      bug_ID = 'CSCur01099';
    
      if (
        version =~ "^[2-4]\." ||
        version =~ "^5\.0\([0-7][A-Za-z]?\)" ||
        version =~ "^5\.0\(8\)"
      ) fixed = '5.0(8a)';
    
      if (
        version =~ "^5\.2\([0-7][A-Za-z]?\)" ||
        version =~ "^5\.2\(8[A-Da-d]?\)"
      ) fixed = '5.2(8e)';
    
      if (
        version =~ "^6\.2\([0-8][A-Za-z]?\)" ||
        version =~ "^6\.2\(9\)"
      ) fixed = '6.2(9a)';
    }
    
    # Nexus 1000V, only valid known version affected is 5.2(1)SV3(1.1)
    if (device == 'Nexus' && model =~ "^1[0-9][0-9][0-9][Vv]$")
    {
      bug_ID = 'CSCur04438';
    
      if (
        version =~ "^5\.2\(1\)SV3\(1\.1\)"
      ) fixed = 'Contact Vendor';
    }
    
    # Nexus 1010, versions affected are 4.2(1)SP1(6.2), and 9.2(1)SP1(4.8)
    if (device == 'Nexus' && model =~ "^101[0-9]([^0-9]|$)")
    {
      bug_ID = 'CSCur04510';
    
      if (
        version =~ "^4\.2\(1\)SP1\(6\.2\)" ||
        version =~ "^9\.2\(1\)SP1\(4\.8\)"
      ) fixed = '5.2(1)SP1(7.2)';
    }
    
    # Nexus 3000 fixed versions 6.0(2)U2(6) / 6.0(2)U3(4) / 6.0(2)U4(2) / 6.0(2)U5(1)
    # Nexus 3500 fixed versions 6.0(2)A3(4) / 6.0(2)A4(2) / 6.0(2)A5(1)
    # The A5 and U5 versions appear to be the first release for those branches.
    if (device == 'Nexus' && model =~ "^3[0-9][0-9][0-9]([^0-9]|$)")
    {
      bug_ID = 'CSCur05529';
    
      if (
        version =~ "^5\.0\(3\)U" ||
        version =~ "^6\.0\(2\)U1\(" ||
        version =~ "^6\.0\(2\)U2\([0-5]\)"
      ) fixed = "6.0(2)U2(6)";
    
      if (
        version =~ "^6\.0\(2\)U3\([0-3]\)"
      ) fixed = "6.0(2)U3(4)";
    
      if (
        version =~ "^6\.0\(2\)U4\([01]\)"
      ) fixed = "6.0(2)U4(2) / 6.0(2)U5(1)";
    
      if (
        version =~ "^5\.0\(3\)A" ||
        version =~ "^6\.0\(2\)A[12]\(" ||
        version =~ "^6\.0\(2\)A3\([0-3]\)"
      ) fixed = "6.0(2)A3(4)";
    
      if (
        version =~ "^6\.0\(2\)A4\(1\)"
      ) fixed = "6.0(2)A4(2) / 6.0(2)A5(1)";
    }
    
    # Nexus 4000 4.1(2)E1(1) known affected release
    if (device == 'Nexus' && model =~ "^4[0-9][0-9][0-9]([^0-9]|$)")
    {
      bug_ID = 'CSCur05610';
    
      if (
        version =~ "^4\.1\(2\)E1\(1\)"
      ) fixed = "Contact Vendor";
    }
    
    # Nexus 5000 / 6000, 5.2(1)N1(8a) / 6.0(2)N2(5) / 7.0(3)N1(0.125)
    #                    7.0(4)N1(1) / 7.1(0)N1(0.349)
    # Known affected releases
    if (device == 'Nexus' && model =~ "^56[0-5][0-9][0-9]([^0-9]|$)")
    {
      bug_ID = 'CSCur05017';
    
      if (
        version =~ "^5\.2\(1\)N1\(8a\)" ||
        version =~ "^6\.0\(2\)N2\(5\)" ||
        version =~ "^7\.0\(3\)N1\(0\.125\)" ||
        version =~ "^7\.0\(4\)N1\(1\)" ||
        version =~ "^7\.1\(0\)N1\(0\.349\)"
      ) fixed = "Contact Vendor";
    }
    
    # Nexus 7000 fixed in 5.2(9a) / 6.1(5a) / 6.2(8b) / 6.2(10) and above
    if (device == 'Nexus' && model =~ "^7[0-6][0-9][0-9]([^0-9]|$)")
    {
      bug_ID = 'CSCuq98748';
    
      if (
        version =~ "^4\." ||
        version =~ "^5\.[01]\(" ||
        version =~ "^5\.2\([0-9]\)"
      ) fixed = "5.2(9a)";
    
      if (
        version =~ "^6\.0\(" ||
        version =~ "^6\.1\([0-4][Aa]?\)" ||
        version =~ "^6\.1\(5\)"
      ) fixed = "6.1(5a)";
    
      if (
        version =~ "^6\.2\([0-8][Aa]?\)"
      ) fixed = "6.2(8b) / 6.2(10)";
    }
    
    # Nexus 9000 known affected 6.1(2)I2(2b) / 7.2(0.1)VB(0.1)
    # Nexus 9000 ACI version prior to 11.0(1d) affected
    if (device == 'Nexus' && model =~ "^9[0-6][0-9][0-9]([^0-9]|$)")
    {
      if (
        version =~ "^6\.1\(2\)I2\(2b\)" ||
        version =~ "^7\.2\(0\.1\)VB\(0\.1\)"
      )
      {
        bug_ID = 'CSCur02700';
        fixed = "6.1(2)I3(1)";
      }
    
      if (
        version =~ "^11\.0\(1[bc]\)"
      )
      {
        bug_ID = 'CSCur02102';
        fixed = "11.0(1d)";
      }
    }
    
    if (!empty(fixed) && !empty(bug_ID))
    {
      if (report_verbosity > 0)
      {
        report =
          '\n  Cisco bug ID      : ' + bug_ID +
          '\n  Model             : ' + device + ' ' + model +
          '\n  Installed version : ' + version +
          '\n  Fixed version     : ' + fixed +
          '\n';
        security_hole(port:0, extra:report);
      }
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2014-1354.NASL
    descriptionAn updated rhev-hypervisor6 package that fixes several security issues is now available. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: a subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent. Note: Red Hat Enterprise Virtualization Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions. A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. (CVE-2014-6271) It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. (CVE-2014-7169) A flaw was found in the way NSS parsed ASN.1 (Abstract Syntax Notation One) input from certain RSA signatures. A remote attacker could use this flaw to forge RSA certificates by providing a specially crafted signature to an application using NSS. (CVE-2014-1568) It was discovered that the fixed-sized redir_stack could be forced to overflow in the Bash parser, resulting in memory corruption, and possibly leading to arbitrary code execution when evaluating untrusted input that would not otherwise be run as code. (CVE-2014-7186) An off-by-one error was discovered in the way Bash was handling deeply nested flow control constructs. Depending on the layout of the .bss segment, this could allow arbitrary execution of code that would not otherwise be executed by Bash. (CVE-2014-7187) Red Hat would like to thank Stephane Chazelas for reporting CVE-2014-6271, and the Mozilla project for reporting CVE-2014-1568. Upstream acknowledges Antoine Delignat-Lavaud and Intel Product Security Incident Response Team as the original reporters of CVE-2014-1568. The CVE-2014-7186 and CVE-2014-7187 issues were discovered by Florian Weimer of Red Hat Product Security. Users of the Red Hat Enterprise Virtualization Hypervisor are advised to upgrade to this updated package.
    last seen2020-04-18
    modified2014-11-08
    plugin id79053
    published2014-11-08
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/79053
    titleRHEL 6 : rhev-hypervisor6 (RHSA-2014:1354) (Shellshock)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2014:1354. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(79053);
      script_version("1.24");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/17");
    
      script_cve_id("CVE-2014-1568", "CVE-2014-6271", "CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7187");
      script_xref(name:"RHSA", value:"2014:1354");
      script_xref(name:"IAVA", value:"2014-A-0142");
    
      script_name(english:"RHEL 6 : rhev-hypervisor6 (RHSA-2014:1354) (Shellshock)");
      script_summary(english:"Checks the rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An updated rhev-hypervisor6 package that fixes several security issues
    is now available.
    
    Red Hat Product Security has rated this update as having Critical
    security impact. Common Vulnerability Scoring System (CVSS) base
    scores, which give detailed severity ratings, are available for each
    vulnerability from the CVE links in the References section.
    
    The rhev-hypervisor6 package provides a Red Hat Enterprise
    Virtualization Hypervisor ISO disk image. The Red Hat Enterprise
    Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine
    (KVM) hypervisor. It includes everything necessary to run and manage
    virtual machines: a subset of the Red Hat Enterprise Linux operating
    environment and the Red Hat Enterprise Virtualization Agent.
    
    Note: Red Hat Enterprise Virtualization Hypervisor is only available
    for the Intel 64 and AMD64 architectures with virtualization
    extensions.
    
    A flaw was found in the way Bash evaluated certain specially crafted
    environment variables. An attacker could use this flaw to override or
    bypass environment restrictions to execute shell commands. Certain
    services and applications allow remote unauthenticated attackers to
    provide environment variables, allowing them to exploit this issue.
    (CVE-2014-6271)
    
    It was found that the fix for CVE-2014-6271 was incomplete, and Bash
    still allowed certain characters to be injected into other
    environments via specially crafted environment variables. An attacker
    could potentially use this flaw to override or bypass environment
    restrictions to execute shell commands. Certain services and
    applications allow remote unauthenticated attackers to provide
    environment variables, allowing them to exploit this issue.
    (CVE-2014-7169)
    
    A flaw was found in the way NSS parsed ASN.1 (Abstract Syntax Notation
    One) input from certain RSA signatures. A remote attacker could use
    this flaw to forge RSA certificates by providing a specially crafted
    signature to an application using NSS. (CVE-2014-1568)
    
    It was discovered that the fixed-sized redir_stack could be forced to
    overflow in the Bash parser, resulting in memory corruption, and
    possibly leading to arbitrary code execution when evaluating untrusted
    input that would not otherwise be run as code. (CVE-2014-7186)
    
    An off-by-one error was discovered in the way Bash was handling deeply
    nested flow control constructs. Depending on the layout of the .bss
    segment, this could allow arbitrary execution of code that would not
    otherwise be executed by Bash. (CVE-2014-7187)
    
    Red Hat would like to thank Stephane Chazelas for reporting
    CVE-2014-6271, and the Mozilla project for reporting CVE-2014-1568.
    Upstream acknowledges Antoine Delignat-Lavaud and Intel Product
    Security Incident Response Team as the original reporters of
    CVE-2014-1568. The CVE-2014-7186 and CVE-2014-7187 issues were
    discovered by Florian Weimer of Red Hat Product Security.
    
    Users of the Red Hat Enterprise Virtualization Hypervisor are advised
    to upgrade to this updated package."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2014:1354"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2014-1568"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2014-6271"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2014-7169"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2014-7186"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2014-7187"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected rhev-hypervisor6 package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Qmail SMTP Bash Environment Variable Injection (Shellshock)');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rhev-hypervisor6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/09/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/10/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/11/08");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 6.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2014:1354";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL6", reference:"rhev-hypervisor6-6.5-20140930.1.el6ev")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "rhev-hypervisor6");
      }
    }
    
  • NASL familyCISCO
    NASL idCISCO_CUPS_CSCUR05454.NASL
    descriptionAccording to its self-reported version, the CUCM IM and Presence Service installed on the remote host contains a version of GNU Bash that is affected by a command injection vulnerability known as Shellshock, which is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
    last seen2020-06-01
    modified2020-06-02
    plugin id79124
    published2014-11-11
    reporterThis script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/79124
    titleCUCM IM and Presence Service GNU Bash Environment Variable Handling Command Injection (CSCur05454) (Shellshock)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(79124);
      script_version("1.14");
      script_cvs_date("Date: 2018/07/06 11:26:05");
    
      script_cve_id(
        "CVE-2014-6271",
        "CVE-2014-6277",
        "CVE-2014-6278",
        "CVE-2014-7169",
        "CVE-2014-7186",
        "CVE-2014-7187"
      );
      script_bugtraq_id(70103, 70137, 70152, 70154, 70165, 70166);
      script_xref(name:"CISCO-BUG-ID", value:"CSCur05454");
      script_xref(name:"IAVA", value:"2014-A-0142");
      script_xref(name:"CISCO-SA", value:"cisco-sa-20140926-bash");
      script_xref(name:"CERT", value:"252743");
      script_xref(name:"EDB-ID", value:"34765");
      script_xref(name:"EDB-ID", value:"34766");
      script_xref(name:"EDB-ID", value:"34777");
    
      script_name(english:"CUCM IM and Presence Service GNU Bash Environment Variable Handling Command Injection (CSCur05454) (Shellshock)");
      script_summary(english:"Checks the CUPS version.");
    
      script_set_attribute(attribute:"synopsis", value:"The remote host is missing a vendor-supplied security patch.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version, the CUCM IM and Presence
    Service installed on the remote host contains a version of GNU Bash
    that is affected by a command injection vulnerability known as
    Shellshock, which is due to the processing of trailing strings after
    function definitions in the values of environment variables. This
    allows a remote attacker to execute arbitrary code via environment
    variable manipulation depending on the configuration of the system.");
      script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCur05454");
      script_set_attribute(attribute:"see_also", value:"http://seclists.org/oss-sec/2014/q3/650");
      script_set_attribute(attribute:"see_also", value:"https://www.invisiblethreat.ca/post/shellshock/");
      script_set_attribute(attribute:"solution", value:"Upgrade to Cisco Unified Presence Server 10.5(1.12900.2) or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'CUPS Filter Bash Environment Variable Code Injection (Shellshock)');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/09/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/10/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/11/11");
    
      script_set_attribute(attribute:"plugin_type", value:"combined");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:unified_communications_manager");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:unified_presence_server");
    
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CISCO");
    
      script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");
    
      script_dependencies("ssh_get_info.nasl", "cisco_unified_detect.nasl");
      script_require_ports("Host/UCOS/Cisco Unified Presence/version", "cisco_cups/system_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    # Leverage API version first
    display_version = get_kb_item("cisco_cups/system_version");
    # Fall back to SSH
    if (isnull(display_version))
    {
      display_version = get_kb_item_or_exit('Host/UCOS/Cisco Unified Presence/version');
      match = eregmatch(string:display_version, pattern:'^([0-9.]+(?:-[0-9]+)?)($|[^0-9])');
      if (isnull(match)) audit(AUDIT_FN_FAIL, 'eregmatch');
      version = match[1];
    }
    else version = display_version;
    
    version = str_replace(string:version, find:"-", replace:".");
    fix = "10.5.1.12900.2";
    if (ver_compare(ver:version, fix:fix, strict:FALSE) < 0)
    {
      if (report_verbosity > 0)
      {
        report =
          '\n  Installed version : ' + display_version +
          '\n  Fixed version     : 10.5.1.12900-2' +
          '\n';
        security_hole(port:0, extra:report);
      }
      else security_hole(0);
    }
    else audit(AUDIT_INST_VER_NOT_VULN, 'CUCM IM and Presence Service', display_version);
    
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRIVA_MDVSA-2014-190.NASL
    description: It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue (CVE-2014-7169, CVE-2014-7186, CVE-2014-7187). Additionally bash has been updated from patch level 37 to 48 using the upstream patches at ftp://ftp.gnu.org/gnu/bash/bash-4.2-patches/ which resolves various bugs.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 77950
    published: 2014-09-29
    reporter: This script is Copyright (C) 2014-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/77950
    title: Mandriva Linux Security Advisory : bash (MDVSA-2014:190)
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandriva Linux Security Advisory MDVSA-2014:190. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(77950);
      script_version("1.11");
      script_cvs_date("Date: 2019/08/02 13:32:56");
    
      script_cve_id("CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7187");
      script_bugtraq_id(70137);
      script_xref(name:"MDVSA", value:"2014:190");
      script_xref(name:"IAVA", value:"2014-A-0142");
    
      script_name(english:"Mandriva Linux Security Advisory : bash (MDVSA-2014:190)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandriva Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was found that the fix for CVE-2014-6271 was incomplete, and Bash
    still allowed certain characters to be injected into other
    environments via specially crafted environment variables. An attacker
    could potentially use this flaw to override or bypass environment
    restrictions to execute shell commands. Certain services and
    applications allow remote unauthenticated attackers to provide
    environment variables, allowing them to exploit this issue
    (CVE-2014-7169, CVE-2014-7186, CVE-2014-7187).
    
    Additionally bash has been updated from patch level 37 to 48 using the
    upstream patches at ftp://ftp.gnu.org/gnu/bash/bash-4.2-patches/ which
    resolves various bugs."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2014:1306"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2014:1311"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected bash and / or bash-doc packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:bash");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:bash-doc");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:business_server:1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2014/09/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/09/29");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandrake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"bash-4.2-48.1.mbs1")) flag++;
    if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"bash-doc-4.2-48.1.mbs1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Misc.
    NASL id: MCAFEE_WEB_GATEWAY_SB10085.NASL
    description: The remote host has a version of McAfee Web Gateway (MWG) installed that is affected by a command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 79215
    published: 2014-11-12
    reporter: This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/79215
    title: McAfee Web Gateway GNU Bash Code Injection (SB10085) (Shellshock)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(79215);
      script_version("1.12");
      script_cvs_date("Date: 2018/07/14  1:59:37");
    
      script_cve_id(
        "CVE-2014-6271",
        "CVE-2014-6277",
        "CVE-2014-6278",
        "CVE-2014-7169",
        "CVE-2014-7186",
        "CVE-2014-7187"
      );
      script_bugtraq_id(70103, 70137, 70152, 70154, 70165, 70166);
      script_xref(name:"CERT", value:"252743");
      script_xref(name:"IAVA", value:"2014-A-0142");
      script_xref(name:"EDB-ID", value:"34765");
      script_xref(name:"EDB-ID", value:"34766");
      script_xref(name:"EDB-ID", value:"34777");
      script_xref(name:"MCAFEE-SB", value:"SB10085");
    
      script_name(english:"McAfee Web Gateway GNU Bash Code Injection (SB10085) (Shellshock)");
      script_summary(english:"Checks the version of McAfee Web Gateway.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote host is affected by a code injection vulnerability known as
    Shellshock.");
      script_set_attribute(attribute:"description", value:
    "The remote host has a version of McAfee Web Gateway (MWG) installed
    that is affected by a command injection vulnerability in GNU Bash
    known as Shellshock. The vulnerability is due to the processing of
    trailing strings after function definitions in the values of
    environment variables. This allows a remote attacker to execute
    arbitrary code via environment variable manipulation depending on the
    configuration of the system.");
      script_set_attribute(attribute:"see_also", value:"https://kc.mcafee.com/corporate/index?page=content&id=SB10085");
      script_set_attribute(attribute:"see_also", value:"https://kc.mcafee.com/corporate/index?page=content&id=KB83022");
      script_set_attribute(attribute:"see_also", value:"http://seclists.org/oss-sec/2014/q3/650");
      script_set_attribute(attribute:"see_also", value:"https://www.invisiblethreat.ca/post/shellshock/");
      script_set_attribute(attribute:"solution", value:"Apply the relevant patch per the vendor advisory.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'CUPS Filter Bash Environment Variable Code Injection (Shellshock)');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/09/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/09/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/11/12");
    
      script_set_attribute(attribute:"plugin_type", value:"combined");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:mcafee:web_gateway");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");
    
      script_dependencies("mcafee_web_gateway_detect.nbin");
      script_require_keys("Host/McAfee Web Gateway/Version", "Host/McAfee Web Gateway/Display Version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    app_name = "McAfee Web Gateway";
    version = get_kb_item_or_exit("Host/McAfee Web Gateway/Version");
    version_display = get_kb_item_or_exit("Host/McAfee Web Gateway/Display Version");
    
    fix = FALSE;
    
    if (
      version =~ "^6\." ||
      version =~ "^7\.[0-4]\."
    )
    {
      fix_display = "7.4.2.3 Build 18233 / 7.5.0";
      fix = "7.4.2.3.0.18233";
    }
    
    if (fix && ver_compare(ver:version, fix:fix, strict:FALSE) == -1)
    {
      if (report_verbosity > 0)
      {
        report =
          '\n  Installed version : ' + version_display +
          '\n  Fixed version     : ' + fix_display +
          '\n';
        security_hole(extra:report, port:0);
      }
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_INST_VER_NOT_VULN, app_name, version_display);
    
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2014-564.NASL
    description: The command-line shell
    last seen: 2020-06-05
    modified: 2014-09-29
    plugin id: 77967
    published: 2014-09-29
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/77967
    title: openSUSE Security Update : bash (openSUSE-SU-2014:1242-1) (Shellshock)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2014-564.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(77967);
      script_version("1.18");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2014-6271", "CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7187");
      script_xref(name:"IAVA", value:"2014-A-0142");
    
      script_name(english:"openSUSE Security Update : bash (openSUSE-SU-2014:1242-1) (Shellshock)");
      script_summary(english:"Check for the openSUSE-2014-564 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The command-line shell 'bash' evaluates environment variables, which
    allows the injection of characters and might be used to access files
    on the system in some circumstances (CVE-2014-7169).
    
    Please note that this issue is different from a previously fixed
    vulnerability tracked under CVE-2014-6271 and it is less serious due
    to the special, non-default system configuration that is needed to
    create an exploitable situation.
    
    To remove further exploitation potential we now limit the
    function-in-environment variable to variables prefixed with BASH_FUNC_
    . This hardening feature is work in progress and might be improved in
    later updates.
    
    Additionally two more security issues were fixed in bash:
    CVE-2014-7186: Nested HERE documents could lead to a crash of bash.
    
    CVE-2014-7187: Nesting of for loops could lead to a crash of bash."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=898346"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=898603"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=898604"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.opensuse.org/opensuse-updates/2014-09/msg00052.html"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected bash packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Qmail SMTP Bash Environment Variable Injection (Shellshock)');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:bash");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:bash-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:bash-debuginfo-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:bash-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:bash-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:bash-lang");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:bash-loadables");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:bash-loadables-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libreadline6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libreadline6-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libreadline6-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libreadline6-debuginfo-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:readline-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:readline-devel-32bit");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.1");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/09/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/09/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/09/29");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE13\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "13.1", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE13.1", reference:"bash-4.2-68.8.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"bash-debuginfo-4.2-68.8.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"bash-debugsource-4.2-68.8.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"bash-devel-4.2-68.8.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"bash-lang-4.2-68.8.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"bash-loadables-4.2-68.8.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"bash-loadables-debuginfo-4.2-68.8.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"libreadline6-6.2-68.8.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"libreadline6-debuginfo-6.2-68.8.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", reference:"readline-devel-6.2-68.8.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"bash-debuginfo-32bit-4.2-68.8.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"libreadline6-32bit-6.2-68.8.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"libreadline6-debuginfo-32bit-6.2-68.8.1") ) flag++;
    if ( rpm_check(release:"SUSE13.1", cpu:"x86_64", reference:"readline-devel-32bit-6.2-68.8.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "bash");
    }
    
  • NASL family: Amazon Linux Local Security Checks
    NASL id: ALA_ALAS-2014-419.NASL
    description: GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271 and this bulletin is a follow-up to ALAS-2014-418. It was discovered that the fixed-sized redir_stack could be forced to overflow in the Bash parser, resulting in memory corruption, and possibly leading to arbitrary code execution when evaluating untrusted input that would not otherwise be run as code. An off-by-one error was discovered in the way Bash was handling deeply nested flow control constructs. Depending on the layout of the .bss segment, this could allow arbitrary execution of code that would not otherwise be executed by Bash. Special notes : Because of the exceptional nature of this security event, we have backfilled our 2014.03, 2013.09, and 2013.03 Amazon Linux AMI repositories with new bash packages that also fix both CVE-2014-7169 and CVE-2014-6271 . For 2014.09 Amazon Linux AMIs,
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 78362
    published: 2014-10-12
    reporter: This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/78362
    title: Amazon Linux AMI : bash (ALAS-2014-419)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Amazon Linux AMI Security Advisory ALAS-2014-419.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(78362);
      script_version("1.8");
      script_cvs_date("Date: 2018/04/19 15:44:46");
    
      script_cve_id("CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7187");
      script_xref(name:"ALAS", value:"2014-419");
      script_xref(name:"IAVA", value:"2014-A-0142");
    
      script_name(english:"Amazon Linux AMI : bash (ALAS-2014-419)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Amazon Linux AMI host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "GNU Bash through 4.3 bash43-025 processes trailing strings after
    certain malformed function definitions in the values of environment
    variables, which allows remote attackers to write to files or possibly
    have unknown other impact via a crafted environment, as demonstrated
    by vectors involving the ForceCommand feature in OpenSSH sshd, the
    mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts
    executed by unspecified DHCP clients, and other situations in which
    setting the environment occurs across a privilege boundary from Bash
    execution.
    
    NOTE: this vulnerability exists because of an incomplete fix for
    CVE-2014-6271 and this bulletin is a follow-up to ALAS-2014-418.
    
    It was discovered that the fixed-sized redir_stack could be forced to
    overflow in the Bash parser, resulting in memory corruption, and
    possibly leading to arbitrary code execution when evaluating untrusted
    input that would not otherwise be run as code.
    
    An off-by-one error was discovered in the way Bash was handling deeply
    nested flow control constructs. Depending on the layout of the .bss
    segment, this could allow arbitrary execution of code that would not
    otherwise be executed by Bash.
    
    Special notes :
    
    Because of the exceptional nature of this security event, we have
    backfilled our 2014.03, 2013.09, and 2013.03 Amazon Linux AMI
    repositories with new bash packages that also fix both CVE-2014-7169
    and CVE-2014-6271 .
    
    For 2014.09 Amazon Linux AMIs, 'bash-4.1.2-15.21.amzn1' addresses both
    CVEs. Running 'yum clean all' followed by 'yum update bash' will
    install the fixed package.
    
    For Amazon Linux AMIs 'locked' to the 2014.03 repositories,
    'bash-4.1.2-15.21.amzn1' also addresses both CVEs. Running 'yum clean
    all' followed by 'yum update bash' will install the fixed package.
    
    For Amazon Linux AMIs 'locked' to the 2013.09 or 2013.03 repositories,
    'bash-4.1.2-15.18.22.amzn1' addresses both CVEs. Running 'yum clean
    all' followed by 'yum update bash' will install the fixed package.
    
    For Amazon Linux AMIs 'locked' to the 2012.09, 2012.03, or 2011.09
    repositories, run 'yum clean all' followed by 'yum
    --releasever=2013.03 update bash' to install only the updated bash
    package.
    
    If you are using a pre-2011.09 Amazon Linux AMI, then you are using a
    version of the Amazon Linux AMI that was part of our public beta, and
    we encourage you to move to a newer version of the Amazon Linux AMI as
    soon as possible."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://aws.amazon.com/amazon-linux-ami/faqs/#lock"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://alas.aws.amazon.com/ALAS-2014-418.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://alas.aws.amazon.com/ALAS-2014-419.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Run 'yum update bash' to update your system. Note that you may need to
    run 'yum clean all' first."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:bash");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:bash-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:bash-doc");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2014/09/24");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/10/12");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");
      script_family(english:"Amazon Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/AmazonLinux/release");
    if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
    os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
    os_ver = os_ver[1];
    if (os_ver != "A")
    {
      if (os_ver == 'A') os_ver = 'AMI';
      audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
    }
    
    if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (rpm_check(release:"ALA", reference:"bash-4.1.2-15.21.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"bash-debuginfo-4.1.2-15.21.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"bash-doc-4.1.2-15.21.amzn1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "bash / bash-debuginfo / bash-doc");
    }
    
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2014-1311.NASL
    description: [Updated September 30, 2014] This advisory has been updated with information on restarting system services after applying this update. No changes have been made to the original packages. Updated bash packages that fix one security issue are now available for Red Hat Enterprise Linux 4 Extended Life Cycle Support, Red Hat Enterprise Linux 5.6 Long Life, Red Hat Enterprise Linux 5.9 Extended Update Support, Red Hat Enterprise Linux 6.2 Advanced Update Support, and Red Hat Enterprise Linux 6.4 Extended Update Support. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The GNU Bourne Again shell (Bash) is a shell and command language interpreter compatible with the Bourne shell (sh). Bash is the default shell for Red Hat Enterprise Linux. It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. (CVE-2014-7169) Applications which directly create bash functions as environment variables need to be made aware of changes to the way names are handled by this update. Note that certain services, screen sessions, and tmux sessions may need to be restarted, and affected interactive users may need to re-login. Installing these updated packages without restarting services will address the vulnerability, but functionality may be impacted until affected services are restarted. For more information see the Knowledgebase article at https://access.redhat.com/articles/1200223 Note: Docker users are advised to use
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 79052
    published: 2014-11-08
    reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/79052
    title: RHEL 4 / 5 / 6 : bash (RHSA-2014:1311)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2014:1311. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(79052);
      script_version("1.24");
      script_cvs_date("Date: 2019/10/24 15:35:38");
    
      script_cve_id("CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7187");
      script_bugtraq_id(70137, 70152, 70154);
      script_xref(name:"RHSA", value:"2014:1311");
    
      script_name(english:"RHEL 4 / 5 / 6 : bash (RHSA-2014:1311)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "[Updated September 30, 2014] This advisory has been updated with
    information on restarting system services after applying this update.
    No changes have been made to the original packages.
    
    Updated bash packages that fix one security issue are now available
    for Red Hat Enterprise Linux 4 Extended Life Cycle Support, Red Hat
    Enterprise Linux 5.6 Long Life, Red Hat Enterprise Linux 5.9 Extended
    Update Support, Red Hat Enterprise Linux 6.2 Advanced Update Support,
    and Red Hat Enterprise Linux 6.4 Extended Update Support.
    
    Red Hat Product Security has rated this update as having Important
    security impact. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available from the
    CVE link in the References section.
    
    The GNU Bourne Again shell (Bash) is a shell and command language
    interpreter compatible with the Bourne shell (sh). Bash is the default
    shell for Red Hat Enterprise Linux.
    
    It was found that the fix for CVE-2014-6271 was incomplete, and Bash
    still allowed certain characters to be injected into other
    environments via specially crafted environment variables. An attacker
    could potentially use this flaw to override or bypass environment
    restrictions to execute shell commands. Certain services and
    applications allow remote unauthenticated attackers to provide
    environment variables, allowing them to exploit this issue.
    (CVE-2014-7169)
    
    Applications which directly create bash functions as environment
    variables need to be made aware of changes to the way names are
    handled by this update. Note that certain services, screen sessions,
    and tmux sessions may need to be restarted, and affected interactive
    users may need to re-login. Installing these updated packages without
    restarting services will address the vulnerability, but functionality
    may be impacted until affected services are restarted. For more
    information see the Knowledgebase article at
    https://access.redhat.com/articles/1200223
    
    Note: Docker users are advised to use 'yum update' within their
    containers, and to commit the resulting changes.
    
    For additional information on CVE-2014-6271 and CVE-2014-7169, refer
    to the aforementioned Knowledgebase article.
    
    All bash users are advised to upgrade to these updated packages, which
    contain a backported patch to correct this issue."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/articles/1200223"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2014:1311"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2014-7169"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2014-7186"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2014-7187"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected bash, bash-debuginfo and / or bash-doc packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:bash");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:bash-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:bash-doc");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5.6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5.9");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6.4");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/09/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/09/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/11/08");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(4|5\.6|5\.9|6)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 4.x / 5.6 / 5.9 / 6.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2014:1311";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      sp = get_kb_item("Host/RedHat/minor_release");
      if (isnull(sp)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    
      flag = 0;
      if (rpm_check(release:"RHEL4", cpu:"i386", reference:"bash-3.0-27.el4.4")) flag++;
    
      if (rpm_check(release:"RHEL4", cpu:"x86_64", reference:"bash-3.0-27.el4.4")) flag++;
    
    
      if (rpm_check(release:"RHEL5", sp:"6", cpu:"i386", reference:"bash-3.2-24.el5_6.2")) flag++;
      if (rpm_check(release:"RHEL5", sp:"9", cpu:"i386", reference:"bash-3.2-32.el5_9.3")) flag++;
    
      if (rpm_check(release:"RHEL5", sp:"9", cpu:"s390x", reference:"bash-3.2-32.el5_9.3")) flag++;
    
      if (rpm_check(release:"RHEL5", sp:"6", cpu:"x86_64", reference:"bash-3.2-24.el5_6.2")) flag++;
      if (rpm_check(release:"RHEL5", sp:"9", cpu:"x86_64", reference:"bash-3.2-32.el5_9.3")) flag++;
    
      if (rpm_check(release:"RHEL5", sp:"6", cpu:"i386", reference:"bash-debuginfo-3.2-24.el5_6.2")) flag++;
      if (rpm_check(release:"RHEL5", sp:"9", cpu:"i386", reference:"bash-debuginfo-3.2-32.el5_9.3")) flag++;
    
      if (rpm_check(release:"RHEL5", sp:"9", cpu:"s390x", reference:"bash-debuginfo-3.2-32.el5_9.3")) flag++;
    
      if (rpm_check(release:"RHEL5", sp:"6", cpu:"x86_64", reference:"bash-debuginfo-3.2-24.el5_6.2")) flag++;
      if (rpm_check(release:"RHEL5", sp:"9", cpu:"x86_64", reference:"bash-debuginfo-3.2-32.el5_9.3")) flag++;
    
    
      if (rpm_check(release:"RHEL6", sp:"4", cpu:"i686", reference:"bash-4.1.2-15.el6_4.2")) flag++;
    
      if (rpm_check(release:"RHEL6", sp:"4", cpu:"s390x", reference:"bash-4.1.2-15.el6_4.2")) flag++;
    
      if (sp == "2") { if (rpm_check(release:"RHEL6", sp:"2", cpu:"x86_64", reference:"bash-4.1.2-9.el6_2.2")) flag++; }
      else { if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"bash-4.1.2-15.el6_4.2")) flag++; }
    
      if (rpm_check(release:"RHEL6", sp:"4", cpu:"i686", reference:"bash-debuginfo-4.1.2-15.el6_4.2")) flag++;
    
      if (rpm_check(release:"RHEL6", sp:"4", cpu:"s390x", reference:"bash-debuginfo-4.1.2-15.el6_4.2")) flag++;
    
      if (sp == "2") { if (rpm_check(release:"RHEL6", sp:"2", cpu:"x86_64", reference:"bash-debuginfo-4.1.2-9.el6_2.2")) flag++; }
      else { if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"bash-debuginfo-4.1.2-15.el6_4.2")) flag++; }
    
      if (rpm_check(release:"RHEL6", sp:"4", cpu:"i686", reference:"bash-doc-4.1.2-15.el6_4.2")) flag++;
    
      if (rpm_check(release:"RHEL6", sp:"4", cpu:"s390x", reference:"bash-doc-4.1.2-15.el6_4.2")) flag++;
    
      if (rpm_check(release:"RHEL6", sp:"4", cpu:"x86_64", reference:"bash-doc-4.1.2-15.el6_4.2")) flag++;
      if (rpm_check(release:"RHEL6", sp:"2", cpu:"x86_64", reference:"bash-doc-4.1.2-9.el6_2.2")) flag++;
    
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "bash / bash-debuginfo / bash-doc");
      }
    }
    
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_81E2B3084A6C11E4B7116805CA0B3D42.NASL
    description: Best Practical reports : RT 4.2.0 and above may be vulnerable to arbitrary execution of code by way of CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, or CVE-2014-6271 -- collectively known as
    last seen: 2020-04-18
    modified: 2014-10-03
    plugin id: 78039
    published: 2014-10-03
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/78039
    title: FreeBSD : rt42 -- vulnerabilities related to shellshock (81e2b308-4a6c-11e4-b711-6805ca0b3d42)
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2014-1306.NASL
    description: Updated bash packages that fix one security issue are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The GNU Bourne Again shell (Bash) is a shell and command language interpreter compatible with the Bourne shell (sh). Bash is the default shell for Red Hat Enterprise Linux. It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. (CVE-2014-7169) Applications which directly create bash functions as environment variables need to be made aware of changes to the way names are handled by this update. For more information see the Knowledgebase article at https://access.redhat.com/articles/1200223 Note: Docker users are advised to use
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 77879
    published: 2014-09-26
    reporter: This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/77879
    title: CentOS 5 / 6 / 7 : bash (CESA-2014:1306)
  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_10_11.NASL
    description: The remote host is running a version of Mac OS X that is 10.6.8 or later but prior to 10.11. It is, therefore, affected by multiple vulnerabilities in the following components : - Address Book - AirScan - apache_mod_php - Apple Online Store Kit - AppleEvents - Audio - bash - Certificate Trust Policy - CFNetwork Cookies - CFNetwork FTPProtocol - CFNetwork HTTPProtocol - CFNetwork Proxies - CFNetwork SSL - CoreCrypto - CoreText - Dev Tools - Disk Images - dyld - EFI - Finder - Game Center - Heimdal - ICU - Install Framework Legacy - Intel Graphics Driver - IOAudioFamily - IOGraphics - IOHIDFamily - IOStorageFamily - Kernel - libc - libpthread - libxpc - Login Window - lukemftpd - Mail - Multipeer Connectivity - NetworkExtension - Notes - OpenSSH - OpenSSL - procmail - remote_cmds - removefile - Ruby - Safari - Safari Downloads - Safari Extensions - Safari Safe Browsing - Security - SMB - SQLite - Telephony - Terminal - tidy - Time Machine - WebKit - WebKit CSS - WebKit JavaScript Bindings - WebKit Page Loading - WebKit Plug-ins Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 86270
    published: 2015-10-05
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/86270
    title: Mac OS X < 10.11 Multiple Vulnerabilities (GHOST)
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2014-567.NASL
    description: This patch was withdrawn by the openSUSE team, as the software was fixed prior to release. No replacement patches/plugins exist. bash was updated to fix command injection via environment variables. (CVE-2014-6271, CVE-2014-7169) Also a hardening patch was applied that only imports functions over BASH_FUNC_ prefixed environment variables. Also fixed: CVE-2014-7186, CVE-2014-7187: bad handling of HERE documents and for loop issue
    last seen: 2019-02-21
    modified: 2019-02-12
    plugin id: 78115
    published: 2014-10-10
    reporter: Tenable
    source: https://www.tenable.com/plugins/index.php?view=single&id=78115
    title: openSUSE Security Update : bash (openSUSE-SU-2014:1254-1) (deprecated)
  • NASL family: Misc.
    NASL id: IBM_STORWIZE_1_5_0_4.NASL
    description: The remote IBM Storwize V7000 Unified device is running version 1.3.x prior to 1.4.3.5 or 1.5.x prior to 1.5.0.4. It is, therefore, affected by the following vulnerabilities : - A command injection vulnerability exists in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system. (CVE-2014-6271) - An out-of-bounds memory access error exists in GNU Bash in file parse.y due to evaluating untrusted input during stacked redirects handling. A remote attacker can exploit this, via a crafted
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 85630
    published: 2015-08-25
    reporter: This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/85630
    title: IBM Storwize V7000 Unified 1.3.x < 1.4.3.5 / 1.5.x < 1.5.0.4 Multiple Vulnerabilities (Shellshock)
  • NASL family: Solaris Local Security Checks
    NASL id: SOLARIS11_BASH_2014_10_07.NASL
    description: The remote Solaris system is missing necessary patches to address critical security updates related to
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 78395
    published: 2014-10-13
    reporter: This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/78395
    title: Oracle third party patch update : bash_2014_10_07
  • NASL family: CGI abuses
    NASL id: CISCO-SA-CSCUR01959-PRSM.NASL
    description: According to its self-reported version number, the version of Cisco Prime Security Manager installed on the remote host is affected by a command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 78828
    published: 2014-11-03
    reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/78828
    title: Cisco Prime Security Manager GNU Bash Environment Variable Handling Command Injection (cisco-sa-20140926-bash) (Shellshock)
  • NASL family: Junos Local Security Checks
    NASL id: JUNIPER_SPACE_JSA10648.NASL
    description: According to its self-reported version number, the remote Junos Space version is prior to 14.1R2, and may be affected by a command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 80196
    published: 2014-12-22
    reporter: This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/80196
    title: Juniper Junos Space GNU Bash Command Injection Vulnerability (JSA10648) (Shellshock)
  • NASL family: Misc.
    NASL id: VMWARE_VMSA-2014-0010_REMOTE.NASL
    description: The remote VMware ESX host is affected by multiple vulnerabilities in the Bash shell : - A command injection vulnerability exists in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system. (CVE-2014-6271, CVE-2014-7169, CVE-2014-6277, CVE-2014-6278) - An out-of-bounds read error exists in the redirection implementation in file parse.y when evaluating untrusted input during stacked redirects handling. A remote attacker can exploit this to cause a denial of service or possibly have other unspecified impact. (CVE-2014-7186) - An off-by-one overflow condition exists in the read_token_word() function in file parse.y when handling deeply nested flow control structures. A remote attacker can exploit this, by using deeply nested for-loops, to cause a denial of service or possibly execute arbitrary code. (CVE-2014-7187)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 87680
    published: 2015-12-30
    reporter: This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/87680
    title: VMware ESX Multiple Bash Vulnerabilities (VMSA-2014-0010) (Shellshock)
  • NASL family: CISCO
    NASL id: CISCO_TELEPRESENCE_VCS_CSCUR01461.NASL
    description: According to its self-reported version number, the version of Cisco TelePresence Video Communication Server is affected by a command injection vulnerability known as Shellshock in its included GNU Bash shell. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system. The API over HTTP(S) and/or SSH can therefore be exploited. An attacker must be authenticated before the system is exposed to this exploit.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 78596
    published: 2014-10-21
    reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/78596
    title: Cisco TelePresence Video Communication Server Bash Remote Code Execution (Shellshock)
  • NASL family: VMware ESX Local Security Checks
    NASL id: VMWARE_VMSA-2014-0010.NASL
    description: a. Bash update for multiple products. Bash libraries have been updated in multiple products to resolve multiple critical security issues, also referred to as Shellshock. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187, CVE-2014-6277, CVE-2014-6278 to these issues. VMware products have been grouped into the following four product categories : I) ESXi and ESX Hypervisor ESXi is not affected because ESXi uses the Ash shell (through busybox), which is not affected by the vulnerability reported for the Bash shell. ESX has an affected version of the Bash shell. See table 1 for remediation for ESX. II) Windows-based products Windows-based products, including all versions of vCenter Server running on Windows, are not affected. III) VMware (virtual) appliances VMware (virtual) appliances ship with an affected version of Bash. See table 2 for remediation for appliances. IV) Products that run on Linux, Android, OSX or iOS (excluding virtual appliances) Products that run on Linux, Android, OSX or iOS (excluding virtual appliances) might use the Bash shell that is part of the operating system. If the operating system has a vulnerable version of Bash, the Bash security vulnerability might be exploited through the product. VMware recommends that customers contact their operating system vendor for a patch. MITIGATIONS VMware encourages restricting access to appliances through firewall rules and other network layer controls to only trusted IP addresses. This measure will greatly reduce any risk to these appliances. RECOMMENDATIONS VMware recommends customers evaluate and deploy patches for affected products in Table 1 and 2 below as these patches become available. For several products, both a patch and a product update are available. In general, if a patch is made available, the patch must be applied to the latest version of the appliance. Customers should refer to the specific product Knowledge Base articles listed in Section 4 to understand the type of remediation available and applicable appliance version numbers. Column 4 of the following tables lists the action required to remediate the vulnerability in each release, if a solution is available. Table 1 - ESXi and ESX Hypervisor =================================
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 78025
    published: 2014-10-02
    reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/78025
    title: VMSA-2014-0010 : VMware product updates address critical Bash security vulnerabilities (Shellshock)
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRIVA_MDVSA-2015-164.NASL
    description: Updated bash packages fix security vulnerability : A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue (CVE-2014-6271). This vulnerability can be exposed and exploited through several other pieces of software and should be considered highly critical. Please refer to the RedHat Knowledge Base article and blog post for more information. It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue (CVE-2014-7169). Bash has been updated to version 4.2 patch level 50, which further mitigates ShellShock-type vulnerabilities. Two such issues have already been discovered (CVE-2014-6277, CVE-2014-6278). See the RedHat article on the backward-incompatible changes introduced by the latest patch, caused by adding prefixes and suffixes to the variable names used for exporting functions. Note that the RedHat article mentions these variable names will have parentheses
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 82417
    published: 2015-03-30
    reporter: This script is Copyright (C) 2015-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/82417
    title: Mandriva Linux Security Advisory : bash (MDVSA-2015:164)
  • NASL family: Windows
    NASL id: VMWARE_VCENTER_CONVERTER_2014-0010.NASL
    description: The version of VMware vCenter Converter installed on the remote Windows host is 5.1.x prior to 5.1.2 or 5.5.x prior to 5.5.3. It is, therefore, affected by the following vulnerabilities : - A command injection vulnerability exists in GNU Bash known as Shellshock, which is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system. While this host is not directly impacted by Shellshock, the standalone Converter application does deploy a Helper VM during Linux P2V conversions. This Helper VM contains a vulnerable version of Bash. (CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187) - A memory double-free error exists in
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 79147
    published: 2014-11-12
    reporter: This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/79147
    title: VMware vCenter Converter 5.1.x < 5.1.2 / 5.5.x < 5.5.3 Multiple Vulnerabilities (VMSA-2014-0010) (Shellshock)
  • NASL family: Misc.
    NASL id: MCAFEE_EMAIL_GATEWAY_SB10085.NASL
    description: The remote host has a version of McAfee Email Gateway (MEG) installed that is affected by a command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 79123
    published: 2014-11-11
    reporter: This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/79123
    title: McAfee Email Gateway GNU Bash Code Injection (SB10085) (Shellshock)
  • NASL family: Solaris Local Security Checks
    NASL id: SOLARIS11_BASH_20141031_2.NASL
    description: The remote Solaris system is missing necessary patches to address security updates : - GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 88514
    published: 2016-02-02
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/88514
    title: Oracle Solaris Third-Party Patch Update : bash (multiple_vulnerabilities_in_bash1) (Shellshock)
  • NASL family: Misc.
    NASL id: VCENTER_OPERATIONS_MANAGER_VMSA_2014-0010.NASL
    description: The version of VMware vCenter Operations Manager installed on the remote host is prior to 5.7.3 / 5.8.3. It is, therefore, affected by the environmental variable command injection vulnerability known as
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 78889
    published: 2014-11-06
    reporter: This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/78889
    title: VMware vCenter Operations Management Bash Vulnerabilities (VMSA-2014-0010) (Shellshock)
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2014-1306.NASL
    description: From Red Hat Security Advisory 2014:1306 : [Updated September 30, 2014] This advisory has been updated with information on restarting system services after applying this update. No changes have been made to the original packages. Updated bash packages that fix one security issue are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The GNU Bourne Again shell (Bash) is a shell and command language interpreter compatible with the Bourne shell (sh). Bash is the default shell for Red Hat Enterprise Linux. It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. (CVE-2014-7169) Applications which directly create bash functions as environment variables need to be made aware of changes to the way names are handled by this update. Note that certain services, screen sessions, and tmux sessions may need to be restarted, and affected interactive users may need to re-login. Installing these updated packages without restarting services will address the vulnerability, but functionality may be impacted until affected services are restarted. For more information see the Knowledgebase article at https://access.redhat.com/articles/1200223 Note: Docker users are advised to use
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 77951
    published: 2014-09-29
    reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/77951
    title: Oracle Linux 5 / 6 / 7 : bash (ELSA-2014-1306)
  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_10_10_2.NASL
    description: The remote host is running a version of Mac OS X 10.10.x that is prior to version 10.10.2. This update contains several security-related fixes for the following components : - bash - Bluetooth - CFNetwork Cache - CommerceKit Framework - CoreGraphics - CoreSymbolication - CPU Software - FontParser - Foundation - Intel Graphics Driver - IOAcceleratorFamily - IOHIDFamily - IOKit - IOUSBFamily - Kernel - LaunchServices - libnetcore - LoginWindow - lukemftp - OpenSSL - Safari - SceneKit - Security - security_taskgate - Spotlight - SpotlightIndex - sysmond - UserAccountUpdater Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 81087
    published: 2015-01-29
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/81087
    title: Mac OS X 10.10.x < 10.10.2 Multiple Vulnerabilities (POODLE)
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2014-563.NASL
    description: The command-line shell
    last seen: 2020-06-05
    modified: 2014-09-29
    plugin id: 77966
    published: 2014-09-29
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/77966
    title: openSUSE Security Update : bash (openSUSE-SU-2014:1229-1) (Shellshock)
  • NASL family: F5 Networks Local Security Checks
    NASL id: F5_BIGIP_SOL15629.NASL
    description: GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 78197
    published: 2014-10-10
    reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/78197
    title: F5 Networks BIG-IP : Multiple GNU Bash vulnerabilities (SOL15629) (Shellshock)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2014-1306.NASL
    description[Updated September 30, 2014] This advisory has been updated with information on restarting system services after applying this update. No changes have been made to the original packages. Updated bash packages that fix one security issue are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The GNU Bourne Again shell (Bash) is a shell and command language interpreter compatible with the Bourne shell (sh). Bash is the default shell for Red Hat Enterprise Linux. It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. (CVE-2014-7169) Applications which directly create bash functions as environment variables need to be made aware of changes to the way names are handled by this update. Note that certain services, screen sessions, and tmux sessions may need to be restarted, and affected interactive users may need to re-login. Installing these updated packages without restarting services will address the vulnerability, but functionality may be impacted until affected services are restarted. For more information see the Knowledgebase article at https://access.redhat.com/articles/1200223 Note: Docker users are advised to use
    last seen2020-06-01
    modified2020-06-02
    plugin id77895
    published2014-09-26
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/77895
    titleRHEL 5 / 6 / 7 : bash (RHSA-2014:1306)
  • NASL familyMisc.
    NASL idVMWARE_NSX_VMSA_2014_0010.NASL
    descriptionThe version of VMware NSX installed on the remote host is 4.x prior to 4.0.5 / 4.1.4 / 4.2.1 or 6.x prior to 6.0.7 / 6.1.1. It is, therefore, affected by a command injection vulnerability in GNU Bash known as Shellshock, which is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
    last seen2020-06-01
    modified2020-06-02
    plugin id78826
    published2014-11-03
    reporterThis script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/78826
    titleVMware NSX Bash Environment Variable Command Injection (VMSA-2014-0010) (Shellshock)
  • NASL familyMisc.
    NASL idVMWARE_VCENTER_SERVER_APPLIANCE_VMSA-2014-0010.NASL
    descriptionThe version of VMware vCenter Server Appliance installed on the remote host is 5.0 prior to Update 3b, 5.1 prior to Update 2b, or 5.5 prior to Update 2a. It therefore contains a version of bash that is affected by a command injection vulnerability via environment variable manipulation. Depending on the configuration of the system, an attacker could remotely execute arbitrary code.
    last seen2020-06-01
    modified2020-06-02
    plugin id78508
    published2014-10-16
    reporterThis script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/78508
    titleVMware vCenter Server Appliance Bash Remote Code Execution (VMSA-2014-0010) (Shellshock)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_BASH-140926.NASL
    descriptionThe command-line shell
    last seen2020-06-05
    modified2014-09-29
    plugin id77958
    published2014-09-29
    reporterThis script is Copyright (C) 2014-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/77958
    titleSuSE 11.3 Security Update : bash (SAT Patch Number 9780)
  • NASL familyCISCO
    NASL idCISCO_TELEPRESENCE_CONDUCTOR_CSCUR02103.NASL
    descriptionAccording to its self-reported version number, the remote Cisco TelePresence Conductor device is affected by a command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system. Note that an attacker must be authenticated before the device is exposed to this exploit.
    last seen2020-06-01
    modified2020-06-02
    plugin id79584
    published2014-11-26
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/79584
    titleCisco TelePresence Conductor Bash Remote Code Execution (Shellshock)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_4A4E9F88491C11E4AE2CC80AA9043978.NASL
    descriptionRedHat security team reports : It was discovered that the fixed-sized redir_stack could be forced to overflow in the Bash parser, resulting in memory corruption, and possibly leading to arbitrary code execution when evaluating untrusted input that would not otherwise be run as code. An off-by-one error was discovered in the way Bash was handling deeply nested flow control constructs. Depending on the layout of the .bss segment, this could allow arbitrary execution of code that would not otherwise be executed by Bash.
    last seen2020-06-01
    modified2020-06-02
    plugin id78002
    published2014-10-01
    reporterThis script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/78002
    titleFreeBSD : bash -- out-of-bounds memory access in parser (4a4e9f88-491c-11e4-ae2c-c80aa9043978)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1418.NASL
    descriptionAccording to the versions of the bash package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.(CVE-2014-7169) - A denial of service flaw was found in the way bash handled popd commands. A poorly written shell script could cause bash to crash resulting in a local denial of service limited to a specific bash session.(CVE-2016-9401) - It was discovered that the fixed-sized redir_stack could be forced to overflow in the Bash parser, resulting in memory corruption, and possibly leading to arbitrary code execution when evaluating untrusted input that would not otherwise be run as code.(CVE-2014-7186) - An off-by-one error was discovered in the way Bash was handling deeply nested flow control constructs. Depending on the layout of the .bss segment, this could allow arbitrary execution of code that would not otherwise be executed by Bash.(CVE-2014-7187) - A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.(CVE-2014-6271) - An arbitrary command injection flaw was found in the way bash processed the SHELLOPTS and PS4 environment variables. A local, authenticated attacker could use this flaw to exploit poorly written setuid programs to elevate their privileges under certain circumstances.(CVE-2016-7543) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-04-16
    modified2019-05-14
    plugin id124921
    published2019-05-14
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124921
    titleEulerOS Virtualization 3.0.1.0 : bash (EulerOS-SA-2019-1418)
  • NASL familyCISCO
    NASL idCISCO-SA-CSCUR01959-ASA-CX.NASL
    descriptionThe remote ASA Next-Generation Firewall (NGFW) host is missing a security patch. It is, therefore, affected by a command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
    last seen2020-06-01
    modified2020-06-02
    plugin id78827
    published2014-11-03
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/78827
    titleCisco ASA Next-Generation Firewall GNU Bash Environment Variable Handling Command Injection (cisco-sa-20140926-bash) (Shellshock)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201410-01.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201410-01 (Bash: Multiple vulnerabilities) Florian Weimer, Todd Sabin, Michal Zalewski et al. discovered further parsing flaws in Bash. The unaffected Gentoo packages listed in this GLSA contain the official patches to fix the issues tracked as CVE-2014-6277, CVE-2014-7186, and CVE-2014-7187. Furthermore, the official patch known as "function prefix patch" is included which prevents the exploitation of CVE-2014-6278. Impact : A remote attacker could exploit these vulnerabilities to execute arbitrary commands or cause a Denial of Service condition via various vectors. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id78060
    published2014-10-06
    reporterThis script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/78060
    titleGLSA-201410-01 : Bash: Multiple vulnerabilities (Shellshock)
  • NASL familyMisc.
    NASL idVMWARE_VSPHERE_REPLICATION_VMSA_2014_0010.NASL
    descriptionThe VMware vSphere Replication installed on the remote host is version 5.1.x prior to 5.1.2.2, 5.5.x prior to 5.5.1.3, 5.6.x prior to 5.6.0.2, or 5.8.x prior to 5.8.0.1. It is, therefore, affected by a command injection vulnerability in GNU Bash known as Shellshock, which is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
    last seen2020-06-01
    modified2020-06-02
    plugin id78771
    published2014-10-31
    reporterThis script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/78771
    titleVMware vSphere Replication Bash Environment Variable Command Injection Vulnerability (VMSA-2014-0010) (Shellshock)
  • NASL familyMisc.
    NASL idMCAFEE_NGFW_SB10085.NASL
    descriptionThe remote host has a version of McAfee Next Generation Firewall (NGFW) installed that is affected by a command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.
    last seen2020-06-01
    modified2020-06-02
    plugin id79234
    published2014-11-13
    reporterThis script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/79234
    titleMcAfee Next Generation Firewall GNU Bash Code Injection (SB10085) (Shellshock)
  • NASL familyMisc.
    NASL idVMWARE_WORKSPACE_PORTAL_VMSA2014-0010.NASL
    descriptionThe version of VMware Workspace Portal (formerly known as VMware Horizon Workspace) installed on the remote host is missing package updates. It is, therefore, affected by the following vulnerabilities in the Bash shell : - A command injection vulnerability exists in GNU Bash known as Shellshock, which is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system. By sending a specially crafted request to a CGI script that passes environment variables, a remote, unauthenticated attacker can execute arbitrary code on the host. (CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169) - An out-of-bounds memory access error exists due to improper redirection implementation in the
    last seen2020-06-01
    modified2020-06-02
    plugin id78857
    published2014-11-04
    reporterThis script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/78857
    titleVMware Workspace Portal Multiple Bash Shell Vulnerabilities (VMSA-2014-0010) (Shellshock)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-2364-1.NASL
    descriptionFlorian Weimer and Todd Sabin discovered that the Bash parser incorrectly handled memory. An attacker could possibly use this issue to bypass certain environment restrictions and execute arbitrary code. (CVE-2014-7186, CVE-2014-7187) In addition, this update introduces a hardening measure which adds prefixes and suffixes around environment variable names which contain shell functions. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id77961
    published2014-09-29
    reporterUbuntu Security Notice (C) 2014-2019 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/77961
    titleUbuntu 10.04 LTS / 12.04 LTS / 14.04 LTS : bash vulnerabilities (USN-2364-1)
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS11_BASH_20141031.NASL
    descriptionThe remote Solaris system is missing necessary patches to address security updates : - GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka
    last seen2020-06-01
    modified2020-06-02
    plugin id80590
    published2015-01-19
    reporterThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/80590
    titleOracle Solaris Third-Party Patch Update : bash (multiple_vulnerabilities_in_bash) (Shellshock)

Packetstorm

Redhat

advisories
  • rhsa
    idRHSA-2014:1311
  • rhsa
    idRHSA-2014:1312
  • rhsa
    idRHSA-2014:1354
rpms
  • bash-0:3.2-33.el5_11.4
  • bash-0:4.1.2-15.el6_5.2
  • bash-0:4.2.45-5.el7_0.4
  • bash-debuginfo-0:3.2-33.el5_11.4
  • bash-debuginfo-0:4.1.2-15.el6_5.2
  • bash-debuginfo-0:4.2.45-5.el7_0.4
  • bash-doc-0:4.1.2-15.el6_5.2
  • bash-doc-0:4.2.45-5.el7_0.4
  • bash-0:3.0-27.el4.4
  • bash-0:3.2-24.el5_6.2
  • bash-0:3.2-32.el5_9.3
  • bash-0:4.1.2-15.el6_4.2
  • bash-0:4.1.2-9.el6_2.2
  • bash-debuginfo-0:3.0-27.el4.4
  • bash-debuginfo-0:3.2-24.el5_6.2
  • bash-debuginfo-0:3.2-32.el5_9.3
  • bash-debuginfo-0:4.1.2-15.el6_4.2
  • bash-debuginfo-0:4.1.2-9.el6_2.2
  • bash-doc-0:4.1.2-15.el6_4.2
  • bash-doc-0:4.1.2-9.el6_2.2
  • bash-0:3.2-33.el5_11.1.sjis.2
  • bash-0:4.1.2-15.el6_5.1.sjis.2
  • bash-debuginfo-0:3.2-33.el5_11.1.sjis.2
  • bash-debuginfo-0:4.1.2-15.el6_5.1.sjis.2
  • bash-doc-0:4.1.2-15.el6_5.1.sjis.2
  • rhev-hypervisor6-0:6.5-20140930.1.el6ev
  • bash-0:3.2-32.el5_9.3.sjis.1
  • bash-debuginfo-0:3.2-32.el5_9.3.sjis.1

Seebug

  • bulletinFamilyexploit
    descriptionNo description provided by source.
    idSSV:87313
    last seen2017-11-19
    modified2014-10-10
    published2014-10-10
    reporterRoot
    sourcehttps://www.seebug.org/vuldb/ssvid-87313
    titleGNU bash 4.3.11 Environment Variable dhclient Exploit
  • bulletinFamilyexploit
    description1. Revision history
    Version | Date | Description
    First edition | 2014/9/26 noon | First edition completed.
    Second edition | 2014/9/26 afternoon | 1. Added: attack statistics from the Jiasule defense platform; 2. Improved: remediation advice.
    Third edition | 2014/9/27 afternoon | 1. The Shellshock vulnerability site appeared: shellshocker.net; 2. Updated: vulnerability overview; 3. Added: source-level analysis of the patch bypass (CVE-2014-7169); 4. Added: ZoomEye data set 4: QNAP NAS; 5. Added: ZoomEye data set 5: CheckPoint security gateways; 6. Improved: remediation advice; 7. Added: related resource links.
    Fourth edition | 2014/10/14 evening | 1. Updated: vulnerability overview with more details; 2. Added: ZoomEye data set 6: Mirapoint mail servers; 3. Added: ZoomEye data set 7: AVAYA IP phones; 4. Updated: all ZoomEye data sets; 5. Improved: other conclusions.

    2. Vulnerability overview
    On September 24, 2014, a serious security vulnerability in Bash was disclosed and assigned CVE-2014-6271; it allows a remote attacker to execute arbitrary code on affected systems.
    GNU Bash is a Unix shell written for the GNU project and widely used on Linux systems; originally it was only a simple terminal-based command interpreter.

    2.1. Vulnerability description
    GNU Bash 4.3 and earlier contain a vulnerability in the evaluation of certain crafted environment variables: appending extra strings after a function definition in the value of an environment variable triggers the flaw. An attacker can use it to change or bypass environment restrictions and execute shell commands. Certain services and applications allow unauthenticated remote attackers to supply environment variables and thereby exploit the flaw. The root cause is that environment variables can be created with crafted values before the Bash shell is invoked; those variables can contain code, which is executed as soon as the shell is invoked.
    The following points deserve particular attention:
    • The English name of this vulnerability is ShellShock; XCERT gave it the Chinese name 破壳漏洞 ("broken shell vulnerability").
    • CVSS score: the severity of Shellshock is rated 10 (the maximum), whereas the OpenSSL "Heartbleed" vulnerability that broke out in April this year was rated only 5!
    • Shellshock has existed for 25 years, as long as Bash itself.

    2.2. Vulnerability impact
    GNU Bash <= 4.3. The vulnerability may affect the following:
    Note: the points below are taken from https://raw.githubusercontent.com/citypw/DNFWAH/master/4/d4_0x07_DNFWAH_shellshock_bash_story_cve-2014-6271.txt, and we have verified the conclusions.
    • When ForceCommand is used in the sshd configuration to restrict the commands remote users may execute, this vulnerability can bypass the restriction and execute any command. The restricted shells in some Git and Subversion deployments are affected similarly; ordinary OpenSSH usage is not affected.
    • Apache servers using mod_cgi or mod_cgid are affected if the CGI script is written in Bash or runs in a subshell. Subshells started via C's system/popen, Python's os.system/os.popen, PHP's system/exec (in CGI mode) and Perl's open/system are all affected.
    • PHP scripts executed under mod_php are not affected.
    • DHCP clients that invoke shell scripts and accept environment variable values from a malicious remote server can be exploited.
    • Daemons and SUID programs that execute shell scripts in an environment with attacker-set variables may also be affected.
    • Any other program that executes shell scripts using Bash as the interpreter may be affected. Shell scripts are not affected as long as nothing is exported.

    2.3. Vulnerability verification
    The following commands can be used to check whether a system is vulnerable (run them in a local Bash environment):
    Shellshock 1, CVE-2014-6271, test method:
    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    If the output is as follows, the system is vulnerable:
    vulnerable
    this is a test
    Note: for a source-level analysis of CVE-2014-6271 see: http://blog.knownsec.com/2014/09/bash_3-0-4-3-command-exec-analysis/
    After Shellshock 1 was patched, the patch was bypassed, giving Shellshock 2.
    Shellshock 2, CVE-2014-7169, test method:
    env -i X='() { (a)=>\' bash -c 'echo date'; cat echo
    If the output is as follows, the system is still vulnerable:
    bash: X: line 1: syntax error near unexpected token `='
    bash: X: line 1: `'
    bash: error importing function definition for `X'
    Wed Sep 24 14:12:49 PDT 2014
    Note: for a source-level analysis of CVE-2014-7169 see: http://blog.knownsec.com/2014/09/bash_3-0-4-3-command-exec-patch-bypass-analysis/

    Besides these two most-watched Shellshock CVEs, several others are listed on shellshocker.net. Their impact is much smaller by comparison; a brief description follows:
    Shellshock 3, CVE unknown, test method:
    env X=' () { }; echo vulnerable' bash -c 'date'
    If the command above prints "vulnerable", the system is vulnerable.
    This one is very similar to Shellshock 1; it has no CVE, so no comment.
    Shellshock 4, CVE-2014-7186, test method:
    bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' ||echo "CVE-2014-7186 vulnerable, redir_stack"
    If the command above prints "CVE-2014-7186 vulnerable, redir_stack", the system is vulnerable.
    Shellshock 5, CVE-2014-7187, test method:
    (for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash ||echo "CVE-2014-7187 vulnerable, word_lineno"
    If the command above prints "CVE-2014-7187 vulnerable, word_lineno", the system is vulnerable.
    Shellshock 6, CVE-2014-6278, test method:
    shellshocker='() { echo vulnerable; }' bash -c shellshocker
    If the command above prints "vulnerable", the system is vulnerable; otherwise it reports that the command shellshocker was not found.
    This looks more like a Bash feature, yet it was treated as a vulnerability.
    Shellshock 7, CVE-2014-6277, test method:
    bash -c "f() { x() { _;}; x() { _;} <<a; }" 2>/dev/null || echo vulnerable
    If the command above prints "vulnerable", the system is vulnerable.
    The first two Shellshock vulnerabilities (especially the first, CVE-2014-6271) have a direct and very broad impact and drew much attention. The later ones turned out to be of limited practical use in our testing, but they point to a very serious problem: Bash, which has existed for 25 years, has never been through real security scrutiny, and these globally popular open-source components probably all have this class of security problem.

    3. ZoomEye emergency response overview
    Shellshock really is an extremely dangerous vulnerability, worse than the "Heartbleed" bug of April 8 this year. But detecting Shellshock is complicated, since the test method differs from component to component, so the scope of impact is hard to assess. What is certain is that all Bash versions <= 4.3 are affected, and Bash runs on at least tens of billions of devices, because Bash is the most popular Linux shell.
    Knownsec's ZoomEye team (the Zhong Kui Eye cyberspace search system) combined several detection methods and reached the following conclusions about impact.
    Note: all of the impacts below are directly remotely exploitable and rated high risk!

    3.1. Data set 1
    2014/9/26
    We found that Sangfor's application delivery management system is affected by Shellshock. Through ZoomEye's special probing, 13254 devices in mainland China are affected and can be attacked remotely.
    Using Shellshock, root privileges on the server can be obtained directly:
    [image: 图片1]
    2014/10/6
    Re-verifying these 13254 vulnerable devices, we found 908 still unpatched, a patch rate of 93.1%.
    2014/10/14
    A third verification still found 908 unpatched; it seems these devices have been forgotten?

    3.2. Data set 2
    2014/9/26
    Through ZoomEye fuzzing probes, using the following fuzzing list:
    /cgi-bin/load.cgi, /cgi-bin/gsweb.cgi, /cgi-bin/redirector.cgi, /cgi-bin/test.cgi, /cgi-bin/index.cgi, /cgi-bin/help.cgi, /cgi-bin/about.cgi, /cgi-bin/vidredirect.cgi, /cgi-bin/click.cgi, /cgi-bin/details.cgi, /cgi-bin/log.cgi, /cgi-bin/viewcontent.cgi, /cgi-bin/content.cgi, /cgi-bin/admin.cgi, /cgi-bin/webmail.cgi
    roughly 142000 hosts worldwide are affected. Note that because the fuzzing rules are incomplete, the count is certainly incomplete, but the number at least shows that the directly remotely exploitable surface is large.

    3.3. Data set 3
    2014/9/26
    We saw that the masscan project published: http://blog.erratasec.com/2014/09/bash-shellshock-bug-is-wormable.html
    Their global scan concluded that at least 1.5 million hosts are affected. The verification rule is very simple, only a direct request to port 80 of each host; we are also verifying this conclusion.

    3.4. Data set 4
    2014/9/26
    2014/10/6
    We found that QNAP NAS storage devices are affected by Shellshock. ZoomEye carried out large-scale probing of port 8080 on QNAP NAS devices; the current progress is as follows:
    Country/Region | Affected on 9/26 (devices) | Affected on 10/6 (devices) | Patch rate
    Mainland China | 1010 | 421 | 58.3%
    Taiwan | 4579 | 2020 | 55.9%
    USA | 4633 | 2363 | 49.0%
    Hong Kong | 2492 | 1284 | 48.5%
    Japan | 5158 | 2708 | 47.5%
    South Korea | 2130 | 1463 | 31.3%
    Using Shellshock, admin (the highest) privileges on a QNAP NAS can be obtained:
    [image: 图片2]
    As the patch rates in the table show, compared with data set 1 reported earlier, the average patch rate for QNAP NAS is below 49%; the response is much slower.

    3.5. Data set 5
    2014/9/27
    We found that CheckPoint security gateways and related products are affected by Shellshock. ZoomEye probed port 80 of CheckPoint devices at scale and found 71 affected devices in mainland China.
    Using Shellshock, root privileges on CheckPoint devices can be obtained:
    [image: 图片3]
    2014/10/14
    Re-verification found 52 still affected.

    3.6. Data set 6
    2014/9/27
    We found that the Mirapoint mail server (Message Server) is affected by Shellshock. ZoomEye probed port 443 of Mirapoint mail servers at scale and found 36 affected devices in mainland China. The WooYun site also reported this device vulnerability and issued an advisory.
    Using Shellshock, access to the Mirapoint mail server can be obtained directly, and privileges can easily be escalated to root.
    2014/10/14
    Re-verification found 5 still affected.

    3.7. Data set 7
    2014/10/6
    Through internal feedback from XCERT, we verified that AVAYA IP phones are affected by Shellshock. ZoomEye probed port 443 of AVAYA IP phones at scale and found 4 affected devices in mainland China.
    Using Shellshock, access to the AVAYA IP phone server can be obtained directly.
    2014/10/14
    Re-verification found these 4 still unpatched.

    As these data sets show, the detection methods all differ; with further extension, an increasingly clear picture of the (directly remotely attackable) impact surface can be drawn, and more results are on the way.
    Another conclusion from these data sets: devices that have not been publicly reported are patched very slowly, and even devices that have been reported never reach 100% patching.

    4. Jiasule cloud defense platform emergency response overview
    Statistics as of 2014/9/26 12:00:
    The Knownsec Jiasule team's emergency response blocked 1759 Shellshock attacks!
    The chart below shows the hourly activity trend of Shellshock attacks on 2014/9/25:
    [image: hourly activity trend chart]
    As the chart shows, the Jiasule cloud defense platform had already added rules before the vulnerability outbreak.
    Blocking statistics for 2014/9/25:
    • Total blocked: 1,759
    • Sites attacked: 214
    • Sites successfully attacked: 0
    • Attacking IPs: 6
    The Jiasule cloud defense platform gives an indirect view of how frantic the activity around this vulnerability is.

    5. Other conclusions
    From our overnight analysis, some further reliable conclusions can serve as reference:
    5.1. A Shellshock worm has begun to spread worldwide, apparently using masscan for large-scale implantation.
    The worm code is here: https://gist.github.com/anonymous/929d622f3b36b00c0be1
    For more on the Shellshock worm, see Antiy's analysis, "Analysis report on malicious code samples related to the Shellshock vulnerability (Shellshock analysis, part 2)": http://www.antiy.com/response/Analysis_Report_on_Sample_Set_of_Bash_Shellshock.html
    5.2. DHCP services are affected, which means Shellshock is by no means only a Linux server matter!
    PoC details are here: https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/ and http://d.uijn.nl/?p=32
    5.3. Shellshock scanning over the SIP protocol has also started! https://github.com/zaf/sipshock
    5.4. Under specific configurations, OpenVPN is also affected by Shellshock. http://www.darknet.org.uk/2014/10/openvpn-vulnerable-to-shellshock-exploit/
    5.5. Published details of Shellshock exploitation worldwide can be seen here: https://github.com/mubix/shellshocker-pocs
    Some mail services such as Exim, Qmail, Procmail, Postfix, etc.
    Some large vendors: Cisco, Juniper, cPanel, etc.

    6. Remediation advice
    Bash can now be upgraded and fixed as follows:
    Operating system | Upgrade method
    Ubuntu/Debian | apt-get update; apt-get install bash
    RedHat/CentOS/Fedora | yum update -y bash
    Arch Linux | pacman -Syu
    OS X | brew update; brew install bash; sudo sh -c 'echo "/usr/local/bin/bash" >> /etc/shells'; chsh -s /usr/local/bin/bash; sudo mv /bin/bash /bin/bash-backup; sudo ln -s /usr/local/bin/bash /bin/bash
    MacPorts | sudo port selfupdate; sudo port upgrade bash
    After upgrading, it is recommended to re-run the tests above to check that the patches are complete.

    7. Related resource links
    • ShellShock site: https://shellshocker.net/
    From http://blog.knownsec.com/2014/10/shellshock_response_profile_v4/
    idSSV:88877
    last seen2017-11-19
    modified2014-09-26
    published2014-09-26
    reporterRoot
    sourcehttps://www.seebug.org/vuldb/ssvid-88877
    titleBash 4.3 远程命令执行漏洞 (破壳)
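The Seebug write-up above gives the CVE-2014-7186 (redir_stack) and CVE-2014-7187 (word_lineno) checks as one-liners whose only signal is a printed string. As an added example (not code from the Seebug post or from the Bash project), the POSIX shell functions below wrap those two parser checks so a fleet audit gets a verdict per binary instead of scraping output; the function names, the verdict strings "patched"/"vulnerable"/"missing" and the bash path argument are my own assumptions.

```shell
#!/bin/sh
# Added example: audit a bash binary for the two parser bugs described above.
# Each check runs the candidate bash in a child process, so a crash in an
# unpatched build is contained and only shows up as a non-zero exit status.

# CVE-2014-7186: 14 stacked here-documents overflow the fixed-size redir_stack
# in an unpatched bash and crash the parser (non-zero exit). A patched bash only
# warns that each here-document was delimited by end-of-file and runs `true`.
check_cve_2014_7186() {
    bin=${1:-bash}
    command -v "$bin" >/dev/null 2>&1 || { echo missing; return 0; }
    hd=''
    i=0
    while [ "$i" -lt 14 ]; do
        hd="$hd <<EOF"
        i=$((i + 1))
    done
    if "$bin" -c "true$hd" >/dev/null 2>&1; then
        echo patched
    else
        echo vulnerable
    fi
}

# CVE-2014-7187: 200 nested for-loops trip the word_lineno off-by-one in an
# unpatched bash. The same 200 empty loops are a valid script that a patched
# bash runs to completion with exit status 0.
check_cve_2014_7187() {
    bin=${1:-bash}
    command -v "$bin" >/dev/null 2>&1 || { echo missing; return 0; }
    script=''
    i=1
    while [ "$i" -le 200 ]; do
        script="$script
for x$i in ; do :"
        i=$((i + 1))
    done
    i=1
    while [ "$i" -le 200 ]; do
        script="$script
done"
        i=$((i + 1))
    done
    if printf '%s\n' "$script" | "$bin" >/dev/null 2>&1; then
        echo patched
    else
        echo vulnerable
    fi
}

# Run both checks against one binary; print a one-line record suitable for a
# fleet report and succeed (exit 0) only if neither parser bug is present.
audit_bash() {
    bin=${1:-bash}
    r1=$(check_cve_2014_7186 "$bin")
    r2=$(check_cve_2014_7187 "$bin")
    echo "$bin CVE-2014-7186=$r1 CVE-2014-7187=$r2"
    [ "$r1" = patched ] && [ "$r2" = patched ]
}

# Stand-alone usage: ./bash_parser_audit.sh /bin/bash (hypothetical file name).
if [ "$#" -gt 0 ]; then
    audit_bash "$1"
fi
```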

References