ICSA-14-269-01A  ·  Published 2025-06-06  ·  View on CISA ICS-CERT ↗

Bash Command Injection Vulnerability

CVSS 9.8 CRITICAL CISA KEV — Known Exploited

CVEs (1)

Remediations

  • There are several functional mitigations for this vulnerability, including upgrading to a new version of bash, replacing bash with an alternate shell, limiting access to vulnerable services, and/or filtering inputs to vulnerable services.
  • Patches have been released by major Linux vendors to fix this vulnerability for affected versions; however, solutions for CVE-2014-6271 do not completely resolve the vulnerability. It is advised to install existing patches and watch for updated patches that address CVE-2014-7169. See the NIST Vulnerability Summary for CVE-2014-7169 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169) and the CVE record (https://www.cve.org/CVERecord?id=CVE-2014-7169).
  • Many UNIX-like operating systems, including Linux distributions, BSD variants, and Apple Mac OS X, include bash and are likely to be affected. Contact your respective Linux or Unix-based OS vendor(s) for updated information. A list of vendors can be found in CERT Vulnerability Note VU#252743 (http://www.kb.cert.org/vuls/id/252743).
  • ICS-CERT recommends system administrators review the vendor patches and the NIST Vulnerability Summary for CVE-2014-7169 to mitigate damage caused by the exploit.
  • Other helpful resources include:
      • Red Hat Security Blog (https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/)
      • GNU bug-bash mailing list archive, September 2014 (http://lists.gnu.org/archive/html/bug-bash/2014-09/threads.html)
      • US-CERT Current Activity (https://www.us-cert.gov/ncas/current-activity/2014/09/24/Bourne-Again-Shell-Bash-Remote-Code-Execution-Vulnerability)
      • US-CERT Alert TA14-268A (https://www.us-cert.gov/ncas/alerts/TA14-268A)
      • CERT-UK alert (https://www.cert.gov.uk/resources/alerts/update-bash-vulnerability-aka-shellshock/)
  • Support information:
      • Novell/SuSE (http://support.novell.com/security/cve/CVE-2014-6271.html)
      • Debian (https://www.debian.org/security/2014/dsa-3032)
      • Ubuntu (http://www.ubuntu.com/usn/usn-2362-1/)
      • Mint
      • Red Hat/Fedora (https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-6271)
      • Mageia (https://forums.mageia.org/en/viewtopic.php?f=5&t=8487)
      • CentOS (http://centosnow.blogspot.com/2014/09/critical-bash-updates-for-centos-5.html)
  • As bash may be used as a third-party component, asset owners, operators, and ICS software developers are encouraged to investigate the use of the affected versions of bash in their environments.
  • The ST and PT ISAC released the following test strings to detect vulnerable installations.
  • To check if you are patched, you can use the original test string: env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
  • If you have applied the CVE-2014-6271 patch but want to demonstrate that you are still vulnerable (CVE-2014-7169), you can use this command: env X='() { (a)=>\' bash -c "echo date"
  • This command will return an error on a partially patched system, but it will still write the output of `date` to a file called "echo" in the current directory.
  • Please see ABB’s public notification and mitigation strategies at: (http://www.abb.com/cawp/abbzh254/2c9d1261d9fa1dcfc1257950002e4fbf.aspx)
  • Please see Cisco’s advisory for a full list of affected products at: (http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash)
  • Digi states that the vulnerability cannot be exploited remotely on ConnectPort LTS, Digi Passport, or Digi CM.
  • Please see eWON’s advisory for a full list of affected products at: (http://www.talk2m.com/en/shellshock-vulnerability-ewon-and-talk2m-on-the-safe-side.html?cmp_id=7&news_id=54&vID=17)
  • Please see Meinberg’s public notification and mitigation strategies at: (http://www.meinbergglobal.com/english/news/meinberg-security-advisory-mbgsa-1403-gnu-bash-environmental-variable-command-injection-vulnerability.htm)
  • Moxa is currently investigating a solution.
  • Red Lion Sixnet BT-5000 and 6000 Series, RAM 9000, RAM 6000, SN 6000 and M, A and R Series use the bash shell but are not considered to be vulnerable or exploitable.
  • Please refer to SSA-86096 for more details on Siemens’ web site: (http://www.siemens.com/cert/advisories)
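The two ISAC test strings above are meant to be pasted by hand and the second one leaves a file named "echo" wherever it is run. The script below is an added example, not part of the ICS-CERT advisory, that wraps both probes into functions returning "patched", "vulnerable" or "unknown" so an administrator can run the same self-check across a fleet from an inventory script. It assumes a bash binary on PATH and a POSIX mktemp; the CVE-2014-7169 probe is run inside a scratch directory that is removed afterwards, so the stray "echo" file never lands in the caller's working directory.

```shell
#!/bin/sh
# Added example (not ICS-CERT code): self-check for the two Shellshock CVEs
# named in the advisory, using the exact test strings published above.
# Assumptions: bash is on PATH and mktemp supports -d.

# CVE-2014-6271: a vulnerable bash executes the code that follows a function
# definition imported from the environment, so "vulnerable" shows on stdout.
shellshock_6271_check() {
  command -v bash >/dev/null 2>&1 || { echo unknown; return 0; }
  out=$(env x='() { :;}; echo vulnerable' bash -c "echo this is a test" 2>/dev/null) || true
  case "$out" in
    *vulnerable*) echo vulnerable ;;
    *) echo patched ;;
  esac
}

# CVE-2014-7169: on a bash patched only for CVE-2014-6271 the parser is left in
# a bad state and the output of `date` is written to a file named "echo".
# Run in a throw-away directory so that file is contained and cleaned up.
shellshock_7169_check() {
  command -v bash >/dev/null 2>&1 || { echo unknown; return 0; }
  tmp=$(mktemp -d) || { echo unknown; return 0; }
  ( cd "$tmp" && env X='() { (a)=>\' bash -c "echo date" >/dev/null 2>&1 ) || true
  if [ -e "$tmp/echo" ]; then result=vulnerable; else result=patched; fi
  rm -rf "$tmp"
  echo "$result"
}

# One-line-per-CVE report, suitable for collection by an inventory job.
shellshock_report() {
  echo "CVE-2014-6271: $(shellshock_6271_check)"
  echo "CVE-2014-7169: $(shellshock_7169_check)"
}

shellshock_report
```

A system that is fully patched prints "patched" for both lines; "unknown" means no bash was found, which on an embedded ICS device is itself useful inventory data, since the advisory notes that bash may be present only as a third-party component.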

Affected Vendors

ABB ; Cisco ; Digi ; eWON ; Meinberg ; Moxa ; Red Lion ; Siemens

Affected Products (9)

ABB Tropos 3000, 4000, 6000, & 7000 series routers vers:all/*
ABB Ventyx NM EMS/SCADA on RHEL Ventyx vers:all/*
Meinberg LANTIME 4.x|5.x|6.x
Moxa Linux-based computers vers:all/*
Red Lion Sixnet BT-5000 and 6000 Series vers:all/*
Red Lion RAM 9000, RAM 6000, SN 6000 and M, A and R Series vers:all/*
Siemens ROX 1 <=V1.16.0
Siemens ROX 2 <=V2.5.0
Siemens APE Linux with ELAN installed V1.0
