Vulnerabilities > CVE-2016-9401 - Use After Free vulnerability in multiple products
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
PARTIAL Summary
popd in bash might allow local users to bypass the restricted shell and cause a use-after-free via a crafted address.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2017-0044.NASL description An update of [openvswitch,systemd,curl,mariadb,bash] packages for PhotonOS has been released. last seen 2019-02-21 modified 2019-02-07 plugin id 111893 published 2018-08-17 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=111893 title Photon OS 1.0: Bash / Curl / Mariadb / Openvswitch / Systemd PHSA-2017-0044 (deprecated) code # # (C) Tenable Network Security, Inc. # # @DEPRECATED@ # # Disabled on 2/7/2019 # # The descriptive text and package checks in this plugin were # extracted from VMware Security Advisory PHSA-2017-0044. The text # itself is copyright (C) VMware, Inc. include("compat.inc"); if (description) { script_id(111893); script_version("1.2"); script_cvs_date("Date: 2019/02/07 18:59:50"); script_cve_id( "CVE-2016-9401", "CVE-2017-10268", "CVE-2017-10378", "CVE-2017-14970", "CVE-2017-15908", "CVE-2017-1000254" ); script_name(english:"Photon OS 1.0: Bash / Curl / Mariadb / Openvswitch / Systemd PHSA-2017-0044 (deprecated)"); script_summary(english:"Checks the rpm output for the updated packages."); script_set_attribute(attribute:"synopsis", value: "This plugin has been deprecated."); script_set_attribute(attribute:"description", value: "An update of [openvswitch,systemd,curl,mariadb,bash] packages for PhotonOS has been released."); # https://github.com/vmware/photon/wiki/Security-Updates-84 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?185d85d0"); script_set_attribute(attribute:"solution", value:"n/a."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-14970"); script_set_attribute(attribute:"patch_publication_date", value:"2017/11/15"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/17"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:bash"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:curl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:mariadb"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:openvswitch"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:systemd"); script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:photonos:1.0"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"PhotonOS Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/PhotonOS/release", "Host/PhotonOS/rpm-list"); exit(0); } exit(0, "This plugin has been deprecated."); include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/PhotonOS/release"); if (isnull(release) || release !~ "^VMware Photon") audit(AUDIT_OS_NOT, "PhotonOS"); if (release !~ "^VMware Photon (?:Linux|OS) 1\.0(\D|$)") audit(AUDIT_OS_NOT, "PhotonOS 1.0"); if (!get_kb_item("Host/PhotonOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "PhotonOS", cpu); flag = 0; pkgs = [ "bash-4.3.48-2.ph1", "bash-debuginfo-4.3.48-2.ph1", "bash-lang-4.3.48-2.ph1", "curl-7.54.0-4.ph1", "curl-debuginfo-7.54.0-4.ph1", "mariadb-10.2.10-1.ph1", "mariadb-debuginfo-10.2.10-1.ph1", "mariadb-devel-10.2.10-1.ph1", "mariadb-errmsg-10.2.10-1.ph1", "mariadb-server-10.2.10-1.ph1", "mariadb-server-galera-10.2.10-1.ph1", "openvswitch-2.6.1-5.ph1", "openvswitch-debuginfo-2.6.1-5.ph1", "openvswitch-devel-2.6.1-5.ph1", "openvswitch-doc-2.6.1-5.ph1", "systemd-228-43.ph1", "systemd-debuginfo-228-43.ph1" ]; foreach (pkg in pkgs) if (rpm_check(release:"PhotonOS-1.0", reference:pkg)) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "bash / curl / mariadb / openvswitch / systemd"); }NASL family Scientific Linux Local Security Checks NASL id SL_20170321_BASH_ON_SL6_X.NASL description Security Fix(es) : - An arbitrary command injection flaw was found in the way bash processed the hostname value. A malicious DHCP server could use this flaw to execute arbitrary commands on the DHCP client machines running bash under specific circumstances. (CVE-2016-0634) - An arbitrary command injection flaw was found in the way bash processed the SHELLOPTS and PS4 environment variables. A local, authenticated attacker could use this flaw to exploit poorly written setuid programs to elevate their privileges under certain circumstances. (CVE-2016-7543) - A denial of service flaw was found in the way bash handled popd commands. A poorly written shell script could cause bash to crash resulting in a local denial of service limited to a specific bash session. (CVE-2016-9401) last seen 2020-03-18 modified 2017-04-06 plugin id 99214 published 2017-04-06 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99214 title Scientific Linux Security Update : bash on SL6.x i386/x86_64 (20170321) code # # (C) Tenable Network Security, Inc. # # The descriptive text is (C) Scientific Linux. # include("compat.inc"); if (description) { script_id(99214); script_version("3.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/25"); script_cve_id("CVE-2016-0634", "CVE-2016-7543", "CVE-2016-9401"); script_name(english:"Scientific Linux Security Update : bash on SL6.x i386/x86_64 (20170321)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Scientific Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Security Fix(es) : - An arbitrary command injection flaw was found in the way bash processed the hostname value. A malicious DHCP server could use this flaw to execute arbitrary commands on the DHCP client machines running bash under specific circumstances. (CVE-2016-0634) - An arbitrary command injection flaw was found in the way bash processed the SHELLOPTS and PS4 environment variables. A local, authenticated attacker could use this flaw to exploit poorly written setuid programs to elevate their privileges under certain circumstances. (CVE-2016-7543) - A denial of service flaw was found in the way bash handled popd commands. A poorly written shell script could cause bash to crash resulting in a local denial of service limited to a specific bash session. (CVE-2016-9401)" ); # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1704&L=scientific-linux-errata&F=&S=&P=5255 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?a1df2e78" ); script_set_attribute( attribute:"solution", value:"Update the affected bash, bash-debuginfo and / or bash-doc packages." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:bash"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:bash-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:bash-doc"); script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/01/19"); script_set_attribute(attribute:"patch_publication_date", value:"2017/03/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/06"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Scientific Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux"); os_ver = pregmatch(pattern: "Scientific Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Scientific Linux"); os_ver = os_ver[1]; if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Scientific Linux 6.x", "Scientific Linux " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu); flag = 0; if (rpm_check(release:"SL6", reference:"bash-4.1.2-48.el6")) flag++; if (rpm_check(release:"SL6", reference:"bash-debuginfo-4.1.2-48.el6")) flag++; if (rpm_check(release:"SL6", reference:"bash-doc-4.1.2-48.el6")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "bash / bash-debuginfo / bash-doc"); }NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-1337-1.NASL description This update for bash fixed several issues This security issue was fixed : - CVE-2016-9401: popd in bash might allowed local users to bypass the restricted shell and cause a use-after-free via a crafted address (bsc#1010845). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 100292 published 2017-05-19 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100292 title SUSE SLES11 Security Update : bash (SUSE-SU-2017:1337-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SUSE update advisory SUSE-SU-2017:1337-1. # The text itself is copyright (C) SUSE. # include("compat.inc"); if (description) { script_id(100292); script_version("3.8"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/17"); script_cve_id("CVE-2016-9401"); script_name(english:"SUSE SLES11 Security Update : bash (SUSE-SU-2017:1337-1)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "This update for bash fixed several issues This security issue was fixed : - CVE-2016-9401: popd in bash might allowed local users to bypass the restricted shell and cause a use-after-free via a crafted address (bsc#1010845). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1010845" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1031729" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=976776" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-9401/" ); # https://www.suse.com/support/update/announcement/2017/suse-su-20171337-1/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?d9a3ebb4" ); script_set_attribute( attribute:"solution", value: "To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product : SUSE Linux Enterprise Software Development Kit 11-SP4:zypper in -t patch sdksp4-bash-13111=1 SUSE Linux Enterprise Server 11-SP4:zypper in -t patch slessp4-bash-13111=1 SUSE Linux Enterprise Debuginfo 11-SP4:zypper in -t patch dbgsp4-bash-13111=1 To bring your system up-to-date, use 'zypper patch'." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:bash"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:bash-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libreadline5"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:readline-doc"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/01/23"); script_set_attribute(attribute:"patch_publication_date", value:"2017/05/18"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/05/19"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE"); os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE"); os_ver = os_ver[1]; if (! preg(pattern:"^(SLES11)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES11", "SUSE " + os_ver); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu); sp = get_kb_item("Host/SuSE/patchlevel"); if (isnull(sp)) sp = "0"; if (os_ver == "SLES11" && (! preg(pattern:"^(4)$", string:sp))) audit(AUDIT_OS_NOT, "SLES11 SP4", os_ver + " SP" + sp); flag = 0; if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"libreadline5-32bit-5.2-147.35.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", cpu:"s390x", reference:"libreadline5-32bit-5.2-147.35.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"bash-3.2-147.35.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"bash-doc-3.2-147.35.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"libreadline5-5.2-147.35.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"readline-doc-5.2-147.35.1")) flag++; if (flag) { if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get()); else security_note(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "bash"); }NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2017-0725.NASL description An update for bash is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The bash packages provide Bash (Bourne-again shell), which is the default shell for Red Hat Enterprise Linux. Security Fix(es) : * An arbitrary command injection flaw was found in the way bash processed the hostname value. A malicious DHCP server could use this flaw to execute arbitrary commands on the DHCP client machines running bash under specific circumstances. (CVE-2016-0634) * An arbitrary command injection flaw was found in the way bash processed the SHELLOPTS and PS4 environment variables. A local, authenticated attacker could use this flaw to exploit poorly written setuid programs to elevate their privileges under certain circumstances. (CVE-2016-7543) * A denial of service flaw was found in the way bash handled popd commands. A poorly written shell script could cause bash to crash resulting in a local denial of service limited to a specific bash session. (CVE-2016-9401) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 6.9 Release Notes and Red Hat Enterprise Linux 6.9 Technical Notes linked from the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 97883 published 2017-03-22 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/97883 title RHEL 6 : bash (RHSA-2017:0725) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2017:0725. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(97883); script_version("3.10"); script_cvs_date("Date: 2019/10/24 15:35:42"); script_cve_id("CVE-2016-0634", "CVE-2016-7543", "CVE-2016-9401"); script_xref(name:"RHSA", value:"2017:0725"); script_name(english:"RHEL 6 : bash (RHSA-2017:0725)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "An update for bash is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The bash packages provide Bash (Bourne-again shell), which is the default shell for Red Hat Enterprise Linux. Security Fix(es) : * An arbitrary command injection flaw was found in the way bash processed the hostname value. A malicious DHCP server could use this flaw to execute arbitrary commands on the DHCP client machines running bash under specific circumstances. (CVE-2016-0634) * An arbitrary command injection flaw was found in the way bash processed the SHELLOPTS and PS4 environment variables. A local, authenticated attacker could use this flaw to exploit poorly written setuid programs to elevate their privileges under certain circumstances. (CVE-2016-7543) * A denial of service flaw was found in the way bash handled popd commands. A poorly written shell script could cause bash to crash resulting in a local denial of service limited to a specific bash session. (CVE-2016-9401) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 6.9 Release Notes and Red Hat Enterprise Linux 6.9 Technical Notes linked from the References section." ); # https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?b5caa05f" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2017:0725" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2016-0634" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2016-7543" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2016-9401" ); script_set_attribute( attribute:"solution", value:"Update the affected bash, bash-debuginfo and / or bash-doc packages." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:bash"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:bash-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:bash-doc"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/01/19"); script_set_attribute(attribute:"patch_publication_date", value:"2017/03/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/22"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 6.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2017:0725"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL6", cpu:"i686", reference:"bash-4.1.2-48.el6")) flag++; if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"bash-4.1.2-48.el6")) flag++; if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"bash-4.1.2-48.el6")) flag++; if (rpm_check(release:"RHEL6", cpu:"i686", reference:"bash-debuginfo-4.1.2-48.el6")) flag++; if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"bash-debuginfo-4.1.2-48.el6")) flag++; if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"bash-debuginfo-4.1.2-48.el6")) flag++; if (rpm_check(release:"RHEL6", cpu:"i686", reference:"bash-doc-4.1.2-48.el6")) flag++; if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"bash-doc-4.1.2-48.el6")) flag++; if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"bash-doc-4.1.2-48.el6")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "bash / bash-debuginfo / bash-doc"); } }NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1726.NASL description Two issues have been fixed in bash, the GNU Bourne-Again Shell : CVE-2016-9401 The popd builtin segfaulted when called with negative out of range offsets. CVE-2019-9924 Sylvain Beucler discovered that it was possible to call commands that contained a slash when in restricted mode (rbash) by adding them to the BASH_CMDS array. For Debian 8 last seen 2020-06-01 modified 2020-06-02 plugin id 123093 published 2019-03-26 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123093 title Debian DLA-1726-1 : bash security update code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DLA-1726-1. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(123093); script_version("1.3"); script_cvs_date("Date: 2020/02/03"); script_cve_id("CVE-2016-9401", "CVE-2019-9924"); script_name(english:"Debian DLA-1726-1 : bash security update"); script_summary(english:"Checks dpkg output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security update." ); script_set_attribute( attribute:"description", value: "Two issues have been fixed in bash, the GNU Bourne-Again Shell : CVE-2016-9401 The popd builtin segfaulted when called with negative out of range offsets. CVE-2019-9924 Sylvain Beucler discovered that it was possible to call commands that contained a slash when in restricted mode (rbash) by adding them to the BASH_CMDS array. For Debian 8 'Jessie', these problems have been fixed in version 4.3-11+deb8u2. We recommend that you upgrade your bash packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2019/03/msg00028.html" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/jessie/bash" ); script_set_attribute(attribute:"solution", value:"Upgrade the affected packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:bash"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:bash-builtins"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:bash-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:bash-static"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/01/23"); script_set_attribute(attribute:"patch_publication_date", value:"2019/03/25"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/03/26"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"8.0", prefix:"bash", reference:"4.3-11+deb8u2")) flag++; if (deb_check(release:"8.0", prefix:"bash-builtins", reference:"4.3-11+deb8u2")) flag++; if (deb_check(release:"8.0", prefix:"bash-doc", reference:"4.3-11+deb8u2")) flag++; if (deb_check(release:"8.0", prefix:"bash-static", reference:"4.3-11+deb8u2")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3294-1.NASL description Bernd Dietzel discovered that Bash incorrectly expanded the hostname when displaying the prompt. If a remote attacker were able to modify a hostname, this flaw could be exploited to execute arbitrary code. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-0634) It was discovered that Bash incorrectly handled the SHELLOPTS and PS4 environment variables. A local attacker could use this issue to execute arbitrary code with root privileges. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-7543) It was discovered that Bash incorrectly handled the popd command. A remote attacker could possibly use this issue to bypass restricted shells. (CVE-2016-9401) It was discovered that Bash incorrectly handled path autocompletion. A local attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 17.04. (CVE-2017-5932). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 100268 published 2017-05-18 reporter Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100268 title Ubuntu 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : bash vulnerabilities (USN-3294-1) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2017-1164.NASL description According to the versions of the bash package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - An arbitrary command injection flaw was found in the way bash processed the hostname value. A malicious DHCP server could use this flaw to execute arbitrary commands on the DHCP client machines running bash under specific circumstances. (CVE-2016-0634) - An arbitrary command injection flaw was found in the way bash processed the SHELLOPTS and PS4 environment variables. A local, authenticated attacker could use this flaw to exploit poorly written setuid programs to elevate their privileges under certain circumstances. (CVE-2016-7543) - A denial of service flaw was found in the way bash handled popd commands. A poorly written shell script could cause bash to crash resulting in a local denial of service limited to a specific bash session. (CVE-2016-9401) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2017-09-08 plugin id 103002 published 2017-09-08 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/103002 title EulerOS 2.0 SP2 : bash (EulerOS-SA-2017-1164) NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2017-878.NASL description popd controlled free : A denial of service flaw was found in the way bash handled popd commands. A poorly written shell script could cause bash to crash resulting in a local denial of service limited to a specific bash session.(CVE-2016-9401) Arbitrary code execution via malicious hostname : An arbitrary command injection flaw was found in the way bash processed the hostname value. A malicious DHCP server could use this flaw to execute arbitrary commands on the DHCP client machines running bash under specific circumstances.(CVE-2016-0634) Specially crafted SHELLOPTS+PS4 variables allows command substitution : An arbitrary command injection flaw was found in the way bash processed the SHELLOPTS and PS4 environment variables. A local, authenticated attacker could use this flaw to exploit poorly written setuid programs to elevate their privileges under certain circumstances. (CVE-2016-7543) last seen 2020-06-01 modified 2020-06-02 plugin id 102866 published 2017-09-01 reporter This script is Copyright (C) 2017-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/102866 title Amazon Linux AMI : bash (ALAS-2017-878) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2017-1931.NASL description An update for bash is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The bash packages provide Bash (Bourne-again shell), which is the default shell for Red Hat Enterprise Linux. Security Fix(es) : * An arbitrary command injection flaw was found in the way bash processed the hostname value. A malicious DHCP server could use this flaw to execute arbitrary commands on the DHCP client machines running bash under specific circumstances. (CVE-2016-0634) * An arbitrary command injection flaw was found in the way bash processed the SHELLOPTS and PS4 environment variables. A local, authenticated attacker could use this flaw to exploit poorly written setuid programs to elevate their privileges under certain circumstances. (CVE-2016-7543) * A denial of service flaw was found in the way bash handled popd commands. A poorly written shell script could cause bash to crash resulting in a local denial of service limited to a specific bash session. (CVE-2016-9401) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 102105 published 2017-08-02 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102105 title RHEL 7 : bash (RHSA-2017:1931) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2017-1931.NASL description From Red Hat Security Advisory 2017:1931 : An update for bash is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The bash packages provide Bash (Bourne-again shell), which is the default shell for Red Hat Enterprise Linux. Security Fix(es) : * An arbitrary command injection flaw was found in the way bash processed the hostname value. A malicious DHCP server could use this flaw to execute arbitrary commands on the DHCP client machines running bash under specific circumstances. (CVE-2016-0634) * An arbitrary command injection flaw was found in the way bash processed the SHELLOPTS and PS4 environment variables. A local, authenticated attacker could use this flaw to exploit poorly written setuid programs to elevate their privileges under certain circumstances. (CVE-2016-7543) * A denial of service flaw was found in the way bash handled popd commands. A poorly written shell script could cause bash to crash resulting in a local denial of service limited to a specific bash session. (CVE-2016-9401) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 102289 published 2017-08-09 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102289 title Oracle Linux 7 : bash (ELSA-2017-1931) NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-1317-1.NASL description This update for bash fixes an issue that could lead to syntax errors when parsing scripts that use expr(1) inside loops. Additionally, the popd build-in now ensures that the normalized stack offset is within bounds before trying to free that stack entry. This fixes a segmentation fault. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 100246 published 2017-05-17 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100246 title SUSE SLED12 / SLES12 Security Update : bash (SUSE-SU-2017:1317-1) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2017-0045_BASH.NASL description An update of the bash package has been released. last seen 2020-03-17 modified 2019-02-07 plugin id 121760 published 2019-02-07 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121760 title Photon OS 2.0: Bash PHSA-2017-0045 NASL family Scientific Linux Local Security Checks NASL id SL_20170801_BASH_ON_SL7_X.NASL description Security Fix(es) : - An arbitrary command injection flaw was found in the way bash processed the hostname value. A malicious DHCP server could use this flaw to execute arbitrary commands on the DHCP client machines running bash under specific circumstances. (CVE-2016-0634) - An arbitrary command injection flaw was found in the way bash processed the SHELLOPTS and PS4 environment variables. A local, authenticated attacker could use this flaw to exploit poorly written setuid programs to elevate their privileges under certain circumstances. (CVE-2016-7543) - A denial of service flaw was found in the way bash handled popd commands. A poorly written shell script could cause bash to crash resulting in a local denial of service limited to a specific bash session. (CVE-2016-9401) last seen 2020-03-18 modified 2017-08-22 plugin id 102638 published 2017-08-22 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102638 title Scientific Linux Security Update : bash on SL7.x x86_64 (20170801) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201701-02.NASL description The remote host is affected by the vulnerability described in GLSA-201701-02 (Bash: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Bash. Please review the CVE identifiers referenced below for details. Impact : A local attacker could possibly execute arbitrary code with the privileges of the process, or cause a Denial of Service condition. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 96233 published 2017-01-03 reporter This script is Copyright (C) 2017 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/96233 title GLSA-201701-02 : Bash: Multiple vulnerabilities NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2017-1931.NASL description An update for bash is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The bash packages provide Bash (Bourne-again shell), which is the default shell for Red Hat Enterprise Linux. Security Fix(es) : * An arbitrary command injection flaw was found in the way bash processed the hostname value. A malicious DHCP server could use this flaw to execute arbitrary commands on the DHCP client machines running bash under specific circumstances. (CVE-2016-0634) * An arbitrary command injection flaw was found in the way bash processed the SHELLOPTS and PS4 environment variables. A local, authenticated attacker could use this flaw to exploit poorly written setuid programs to elevate their privileges under certain circumstances. (CVE-2016-7543) * A denial of service flaw was found in the way bash handled popd commands. A poorly written shell script could cause bash to crash resulting in a local denial of service limited to a specific bash session. (CVE-2016-9401) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 102744 published 2017-08-25 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102744 title CentOS 7 : bash (CESA-2017:1931) NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-614.NASL description This update for bash fixes an issue that could lead to syntax errors when parsing scripts that use expr(1) inside loops. Additionally, the popd build-in now ensures that the normalized stack offset is within bounds before trying to free that stack entry. This fixes a segmentation fault. This update was imported from the SUSE:SLE-12-SP2:Update update project. last seen 2020-06-05 modified 2017-05-25 plugin id 100395 published 2017-05-25 reporter This script is Copyright (C) 2017-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/100395 title openSUSE Security Update : bash (openSUSE-2017-614) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2017-0050.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : - Fix signal handling in read builtin Resolves: #1421926 - CVE-2016-9401 - Fix crash when last seen 2020-06-01 modified 2020-06-02 plugin id 99077 published 2017-03-30 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99077 title OracleVM 3.3 / 3.4 : bash (OVMSA-2017-0050) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2017-0045.NASL description An update of [go,curl,libtiff,systemd,bash] packages for PhotonOS has been released. last seen 2019-02-21 modified 2019-02-07 plugin id 111894 published 2018-08-17 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=111894 title Photon OS 2.0: Bash / Curl / Go / Libtiff / Systemd PHSA-2017-0045 (deprecated) NASL family NewStart CGSL Local Security Checks NASL id NEWSTART_CGSL_NS-SA-2019-0108_BASH.NASL description The remote NewStart CGSL host, running version MAIN 4.05, has bash packages installed that are affected by multiple vulnerabilities: - A denial of service flaw was found in the way bash handled popd commands. A poorly written shell script could cause bash to crash resulting in a local denial of service limited to a specific bash session. (CVE-2016-9401) - An arbitrary command injection flaw was found in the way bash processed the SHELLOPTS and PS4 environment variables. A local, authenticated attacker could use this flaw to exploit poorly written setuid programs to elevate their privileges under certain circumstances. (CVE-2016-7543) - An arbitrary command injection flaw was found in the way bash processed the hostname value. A malicious DHCP server could use this flaw to execute arbitrary commands on the DHCP client machines running bash under specific circumstances. (CVE-2016-0634) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 127342 published 2019-08-12 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127342 title NewStart CGSL MAIN 4.05 : bash Multiple Vulnerabilities (NS-SA-2019-0108) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2017-0725.NASL description An update for bash is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The bash packages provide Bash (Bourne-again shell), which is the default shell for Red Hat Enterprise Linux. Security Fix(es) : * An arbitrary command injection flaw was found in the way bash processed the hostname value. A malicious DHCP server could use this flaw to execute arbitrary commands on the DHCP client machines running bash under specific circumstances. (CVE-2016-0634) * An arbitrary command injection flaw was found in the way bash processed the SHELLOPTS and PS4 environment variables. A local, authenticated attacker could use this flaw to exploit poorly written setuid programs to elevate their privileges under certain circumstances. (CVE-2016-7543) * A denial of service flaw was found in the way bash handled popd commands. A poorly written shell script could cause bash to crash resulting in a local denial of service limited to a specific bash session. (CVE-2016-9401) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 6.9 Release Notes and Red Hat Enterprise Linux 6.9 Technical Notes linked from the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 97959 published 2017-03-27 reporter This script is Copyright (C) 2017 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/97959 title CentOS 6 : bash (CESA-2017:0725) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2017-0044_BASH.NASL description An update of the bash package has been released. last seen 2020-03-17 modified 2019-02-07 plugin id 121755 published 2019-02-07 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121755 title Photon OS 1.0: Bash PHSA-2017-0044 NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1418.NASL description According to the versions of the bash package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.(CVE-2014-7169) - A denial of service flaw was found in the way bash handled popd commands. A poorly written shell script could cause bash to crash resulting in a local denial of service limited to a specific bash session.(CVE-2016-9401) - It was discovered that the fixed-sized redir_stack could be forced to overflow in the Bash parser, resulting in memory corruption, and possibly leading to arbitrary code execution when evaluating untrusted input that would not otherwise be run as code.(CVE-2014-7186) - An off-by-one error was discovered in the way Bash was handling deeply nested flow control constructs. Depending on the layout of the .bss segment, this could allow arbitrary execution of code that would not otherwise be executed by Bash.(CVE-2014-7187) - A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.(CVE-2014-6271) - An arbitrary command injection flaw was found in the way bash processed the SHELLOPTS and PS4 environment variables. A local, authenticated attacker could use this flaw to exploit poorly written setuid programs to elevate their privileges under certain circumstances.(CVE-2016-7543) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-04-16 modified 2019-05-14 plugin id 124921 published 2019-05-14 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124921 title EulerOS Virtualization 3.0.1.0 : bash (EulerOS-SA-2019-1418) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2017-0725.NASL description From Red Hat Security Advisory 2017:0725 : An update for bash is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The bash packages provide Bash (Bourne-again shell), which is the default shell for Red Hat Enterprise Linux. Security Fix(es) : * An arbitrary command injection flaw was found in the way bash processed the hostname value. A malicious DHCP server could use this flaw to execute arbitrary commands on the DHCP client machines running bash under specific circumstances. (CVE-2016-0634) * An arbitrary command injection flaw was found in the way bash processed the SHELLOPTS and PS4 environment variables. A local, authenticated attacker could use this flaw to exploit poorly written setuid programs to elevate their privileges under certain circumstances. (CVE-2016-7543) * A denial of service flaw was found in the way bash handled popd commands. A poorly written shell script could cause bash to crash resulting in a local denial of service limited to a specific bash session. (CVE-2016-9401) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 6.9 Release Notes and Red Hat Enterprise Linux 6.9 Technical Notes linked from the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 99071 published 2017-03-30 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99071 title Oracle Linux 6 : bash (ELSA-2017-0725) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2017-1163.NASL description According to the versions of the bash package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - An arbitrary command injection flaw was found in the way bash processed the hostname value. A malicious DHCP server could use this flaw to execute arbitrary commands on the DHCP client machines running bash under specific circumstances. (CVE-2016-0634) - An arbitrary command injection flaw was found in the way bash processed the SHELLOPTS and PS4 environment variables. A local, authenticated attacker could use this flaw to exploit poorly written setuid programs to elevate their privileges under certain circumstances. (CVE-2016-7543) - A denial of service flaw was found in the way bash handled popd commands. A poorly written shell script could cause bash to crash resulting in a local denial of service limited to a specific bash session. (CVE-2016-9401) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2017-09-08 plugin id 103001 published 2017-09-08 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/103001 title EulerOS 2.0 SP1 : bash (EulerOS-SA-2017-1163)
Redhat
| advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| rpms |
|
References
- http://rhn.redhat.com/errata/RHSA-2017-0725.html
- http://www.openwall.com/lists/oss-security/2016/11/17/5
- http://www.openwall.com/lists/oss-security/2016/11/17/9
- http://www.securityfocus.com/bid/94398
- https://access.redhat.com/errata/RHSA-2017:1931
- https://lists.debian.org/debian-lts-announce/2019/03/msg00028.html
- https://security.gentoo.org/glsa/201701-02