Vulnerabilities > CVE-2019-9924 - Missing Authorization vulnerability in multiple products

CVSS 7.2 - HIGH

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

local

low complexity

nessus

NVD

Published: 2019-03-22

Updated: 2022-04-05

Summary

rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.

Vulnerable Configurations

Part	Description	Count
Application	Gnu GNU Bash - GNU Bash 1.14.0 GNU Bash 1.14.1 GNU Bash 1.14.2 GNU Bash 1.14.3 GNU Bash 1.14.4 GNU Bash 1.14.5 GNU Bash 1.14.6 GNU Bash 1.14.7 GNU Bash 2.0 GNU Bash 2.01 GNU Bash 2.01.1 GNU Bash 2.02 GNU Bash 2.02.1 GNU Bash 2.03 GNU Bash 2.04 GNU Bash 2.05 GNU Bash 3.0 GNU Bash 3.0.16 GNU Bash 3.1 GNU Bash 3.2 GNU Bash 3.2.48 GNU Bash 3.2.57 GNU Bash 4.0 GNU Bash 4.1 GNU Bash 4.2 GNU Bash 4.2.53 GNU Bash 4.3 GNU Bash 4.3.30 GNU Bash 4.4	33
Application	Netapp Netapp HCI Management Node - Netapp Solidfire -	2
OS	Debian Debian Debian Linux 8.0	1
OS	Opensuse Opensuse Leap 42.3	1
OS	Canonical Canonical Ubuntu Linux 12.04 Canonical Ubuntu Linux 14.04 Canonical Ubuntu Linux 16.04	3

Common Weakness Enumeration (CWE)

CWE-862 - Missing Authorization

Nessus

NASL family	Huawei Local Security Checks
NASL id	EULEROS_SA-2019-1563.NASL
description	According to the version of the bash package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.(CVE-2019-9924) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-05-06
modified	2019-05-29
plugin id	125490
published	2019-05-29
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/125490
title	EulerOS 2.0 SP2 : bash (EulerOS-SA-2019-1563)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(125490); script_version("1.4"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04"); script_cve_id( "CVE-2019-9924" ); script_name(english:"EulerOS 2.0 SP2 : bash (EulerOS-SA-2019-1563)"); script_summary(english:"Checks the rpm output for the updated package."); script_set_attribute(attribute:"synopsis", value: "The remote EulerOS host is missing a security update."); script_set_attribute(attribute:"description", value: "According to the version of the bash package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.(CVE-2019-9924) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."); # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1563 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?690cd50f"); script_set_attribute(attribute:"solution", value: "Update the affected bash package."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"patch_publication_date", value:"2019/05/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/29"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:bash"); script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Huawei Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp"); script_exclude_keys("Host/EulerOS/uvp_version"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/EulerOS/release"); if (isnull(release) \|\| release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS"); if (release !~ "^EulerOS release 2\.0(\D\|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0"); sp = get_kb_item("Host/EulerOS/sp"); if (isnull(sp) \|\| sp !~ "^(2)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2"); uvp = get_kb_item("Host/EulerOS/uvp_version"); if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2", "EulerOS UVP " + uvp); if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu); flag = 0; pkgs = ["bash-4.2.46-28.h3"]; foreach (pkg in pkgs) if (rpm_check(release:"EulerOS-2.0", sp:"2", reference:pkg)) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "bash"); }

NASL family	Scientific Linux Local Security Checks
NASL id	SL_20200407_BASH_ON_SL7_X.NASL
description	* bash: BASH_CMD is writable in restricted bash shells
last seen	2020-04-30
modified	2020-04-21
plugin id	135800
published	2020-04-21
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/135800
title	Scientific Linux Security Update : bash on SL7.x x86_64 (20200407)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2019-0838-2.NASL
description	This update for bash fixes the following issues : Security issue fixed : CVE-2019-9924: Fixed a vulnerability in which shell did not prevent user BASH_CMDS allowing the user to execute any command with the permissions of the shell (bsc#1130324). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	126524
published	2019-07-08
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/126524
title	SUSE SLES12 Security Update : bash (SUSE-SU-2019:0838-2)

NASL family	Huawei Local Security Checks
NASL id	EULEROS_SA-2019-1609.NASL
description	According to the version of the bash package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerability : - rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.(CVE-2019-9924) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	125561
published	2019-05-30
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/125561
title	EulerOS Virtualization 3.0.1.0 : bash (EulerOS-SA-2019-1609)

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2020-1113.NASL
description	The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:1113 advisory. - bash: BASH_CMD is writable in restricted bash shells (CVE-2019-9924) Note that Nessus has not tested for this issue but has instead relied only on the application
last seen	2020-04-23
modified	2020-04-01
plugin id	135062
published	2020-04-01
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/135062
title	RHEL 7 : bash (RHSA-2020:1113)

NASL family	Ubuntu Local Security Checks
NASL id	UBUNTU_USN-4058-1.NASL
description	It was discovered that Bash incorrectly handled the restricted shell. An attacker could possibly use this issue to escape restrictions and execute any command. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	126748
published	2019-07-16
reporter	Ubuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/126748
title	Ubuntu 16.04 LTS : bash vulnerability (USN-4058-1)

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DLA-1726.NASL
description	Two issues have been fixed in bash, the GNU Bourne-Again Shell : CVE-2016-9401 The popd builtin segfaulted when called with negative out of range offsets. CVE-2019-9924 Sylvain Beucler discovered that it was possible to call commands that contained a slash when in restricted mode (rbash) by adding them to the BASH_CMDS array. For Debian 8
last seen	2020-06-01
modified	2020-06-02
plugin id	123093
published	2019-03-26
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/123093
title	Debian DLA-1726-1 : bash security update

NASL family	Huawei Local Security Checks
NASL id	EULEROS_SA-2019-1565.NASL
description	According to the version of the bash package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.(CVE-2019-9924) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-05-06
modified	2019-05-29
plugin id	125492
published	2019-05-29
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/125492
title	EulerOS 2.0 SP5 : bash (EulerOS-SA-2019-1565)

NASL family	CentOS Local Security Checks
NASL id	CENTOS_RHSA-2020-1113.NASL
description	The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:1113 advisory. - bash: BASH_CMD is writable in restricted bash shells (CVE-2019-9924) Note that Nessus has not tested for this issue but has instead relied only on the application
last seen	2020-06-06
modified	2020-04-10
plugin id	135339
published	2020-04-10
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/135339
title	CentOS 7 : bash (CESA-2020:1113)

NASL family	Huawei Local Security Checks
NASL id	EULEROS_SA-2019-1564.NASL
description	According to the version of the bash package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.(CVE-2019-9924) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-05-06
modified	2019-05-29
plugin id	125491
published	2019-05-29
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/125491
title	EulerOS 2.0 SP3 : bash (EulerOS-SA-2019-1564)

NASL family	PhotonOS Local Security Checks
NASL id	PHOTONOS_PHSA-2019-1_0-0229_BASH.NASL
description	An update of the bash package has been released.
last seen	2020-06-01
modified	2020-06-02
plugin id	124869
published	2019-05-14
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/124869
title	Photon OS 1.0: Bash PHSA-2019-1.0-0229

NASL family	Huawei Local Security Checks
NASL id	EULEROS_SA-2019-1621.NASL
description	According to the version of the bash package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerability : - rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.(CVE-2019-9924) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	125573
published	2019-05-30
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/125573
title	EulerOS Virtualization for ARM 64 3.0.2.0 : bash (EulerOS-SA-2019-1621)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2019-0898-1.NASL
description	This update for bash fixes the following issues : Security issue fixed : CVE-2019-9924: Fixed a vulnerability in which shell did not prevent user BASH_CMDS allowing the user to execute any command with the permissions of the shell (bsc#1130324). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	123924
published	2019-04-09
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/123924
title	SUSE SLES12 Security Update : bash (SUSE-SU-2019:0898-1)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2019-0838-1.NASL
description	This update for bash fixes the following issues : Security issue fixed : CVE-2019-9924: Fixed a vulnerability in which shell did not prevent user BASH_CMDS allowing the user to execute any command with the permissions of the shell (bsc#1130324). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	123671
published	2019-04-03
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/123671
title	SUSE SLED12 / SLES12 Security Update : bash (SUSE-SU-2019:0838-1)

NASL family	SuSE Local Security Checks
NASL id	OPENSUSE-2019-1178.NASL
description	This update for bash fixes the following issues: Security issue fixed : - CVE-2019-9924: Fixed a vulnerability in which shell did not prevent user BASH_CMDS allowing the user to execute any command with the permissions of the shell (bsc#1130324). This update was imported from the SUSE:SLE-12-SP2:Update update project.
last seen	2020-06-01
modified	2020-06-02
plugin id	123922
published	2019-04-09
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/123922
title	openSUSE Security Update : bash (openSUSE-2019-1178)

Redhat

advisories

bugzilla

id	1691774
title	CVE-2019-9924 bash: BASH_CMD is writable in restricted bash shells

oval

OR

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 7 is installed
oval oval:com.redhat.rhba:tst:20150364027

OR

AND
comment bash is earlier than 0:4.2.46-34.el7
oval oval:com.redhat.rhsa:tst:20201113001
comment bash is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20141293005
AND
comment bash-doc is earlier than 0:4.2.46-34.el7
oval oval:com.redhat.rhsa:tst:20201113003
comment bash-doc is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20141293007

rhsa

id	RHSA-2020:1113
released	2020-03-31
severity	Moderate
title	RHSA-2020:1113: bash security update (Moderate)

rpms

bash-0:4.2.46-34.el7
bash-debuginfo-0:4.2.46-34.el7
bash-doc-0:4.2.46-34.el7

References

CVE is a registered MITRE Corporation trademark and MITRE's CVE website is the authoritative source of CVE content. CWE is a registered MITRE Corporation trademark and MITRE's CWE website is the authoritative source of CWE content.