
CERT Coordination Center

GNU Bash shell executes commands in exported functions in environment variables

Vulnerability Note VU#252743

Original Release Date: 2014-09-25 | Last Revised: 2015-04-14

Overview

GNU Bash 4.3 and earlier contains a command injection vulnerability that may allow remote code execution.

Description

UPDATE: New CVE-IDs added for incomplete patches. Additional resources added and vendor patch information updated.

CWE-78: OS Command Injection

Bash supports exporting shell functions to child instances of Bash through the environment. The exporting shell creates an environment variable named after the function whose value begins with "() {" followed by the function body; a child Bash that finds such a variable at startup parses it back into a function definition. When a vulnerable Bash reaches the end of that function definition, rather than stopping it continues to parse and execute any shell commands that follow the closing brace. This vulnerability is especially critical because Bash is widespread on many types of devices (UNIX-like operating systems including Linux and Mac OS X), and because many network services invoke Bash, which makes the vulnerability network exploitable. Any service or program that sets environment variables from attacker-controlled input and then calls Bash may be vulnerable.

Red Hat has developed the following test:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

A vulnerable Bash prints "vulnerable" before "this is a test"; a patched Bash prints only "this is a test" (some patched builds also warn on stderr that the function definition attempt was ignored).

The website shellshocker.net, from the health IT team at Medical Informatics Engineering, offers several tests for websites and hosts and includes update information.

This vulnerability is being actively exploited.

Impact

A remote, unauthenticated attacker may be able to execute arbitrary commands with the privileges of the application that invoked Bash.

Solution

Apply an Update
The first set of patches (for CVE-2014-6271) did not completely resolve the vulnerability. CVE-2014-7169, CVE-2014-6277, CVE-2014-7186, and CVE-2014-7187 identify the remaining aspects of this vulnerability; confirm that the update you apply addresses all of them. Red Hat has provided a support article with updated information and workarounds.

CERT/CC has also included vendor patch information below when notified of an update.

Vendor Information

Many UNIX-like operating systems, including Linux distributions and Apple Mac OS X, include Bash and are likely to be vulnerable. Contact your vendor for information about updates or patches. This Red Hat support article and blog post describe ways that Bash can be called from other programs, including network vectors such as CGI, SSH, and DHCP. Shell Shock Exploitation Vectors describes other ways this vulnerability could be exploited.
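The following script is an added example, not code from CERT/CC, Red Hat or the Bash project. It ties together the Description, the Solution and the CGI vector mentioned above: it shows the legitimate function-export mechanism and which environment variable name carries an exported function, wraps Red Hat's test so it returns a verdict instead of printing one, shows what a fixed Bash does with the same payload, and simulates the CGI path (request header copied into a CGI environment variable, then a bash script is run). It assumes a bash binary on PATH (override with BASH_BIN to test a specific build); the User-Agent value is constructed, not captured traffic.

```shell
#!/bin/sh
# Added example for VU#252743; not code from CERT/CC, Red Hat or the Bash
# project. Assumes a "bash" binary on PATH; set BASH_BIN to test another build.

BASH_BIN="${BASH_BIN:-bash}"

have_bash() {
    command -v "$BASH_BIN" >/dev/null 2>&1
}

# Legitimate feature: "export -f" passes a function to a child bash through the
# environment. Returns the environment variable name that carries it: the bare
# function name ("greet") in unpatched Bash, a reserved prefix after the fix
# ("BASH_FUNC_greet%%" upstream, "BASH_FUNC_greet()" in Red Hat's backport),
# so an ordinary variable can no longer be mistaken for a function definition.
exported_function_varname() {
    have_bash || { echo "no-bash"; return 0; }
    "$BASH_BIN" -c 'greet() { echo hello; }; export -f greet; env' 2>/dev/null \
        | grep -E '^(BASH_FUNC_)?greet' | head -n 1 | sed 's/=.*//'
}

# CVE-2014-6271 as reported: any environment variable whose value starts with
# "() {" was parsed as a function definition, and parsing did not stop at the
# closing brace. The payload is Red Hat's test string from this note.
# Returns "vulnerable" or "not-vulnerable".
shellshock_verdict() {
    have_bash || { echo "no-bash"; return 0; }
    out=$(env x='() { :;}; echo vulnerable' "$BASH_BIN" -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "not-vulnerable" ;;
    esac
}

# What a fixed Bash does with the same payload: it stays an ordinary string
# variable, so the child reads it back verbatim. A vulnerable Bash imported it
# as a function (running the trailing command), leaving "$x" unset.
payload_kept_as_plain_variable() {
    have_bash || { echo "no-bash"; return 0; }
    payload='() { :;}; echo vulnerable'
    val=$(env x="$payload" "$BASH_BIN" -c 'printf %s "$x"' 2>/dev/null)
    if [ "$val" = "$payload" ]; then echo "yes"; else echo "no"; fi
}

# CGI vector: the web server copies the request's User-Agent header into
# HTTP_USER_AGENT and then runs a bash CGI script, so the header value reaches
# Bash's environment untouched. On a vulnerable Bash the injected command runs
# before the script's first line, so the first output line is "vulnerable"; on
# a fixed Bash it is the script's Content-Type header. (Constructed header.)
cgi_vector_verdict() {
    have_bash || { echo "no-bash"; return 0; }
    user_agent='() { :;}; echo vulnerable'
    cgi_script='echo "Content-Type: text/plain"; echo; echo "ua=$HTTP_USER_AGENT"'
    first=$(env HTTP_USER_AGENT="$user_agent" "$BASH_BIN" -c "$cgi_script" 2>/dev/null | head -n 1)
    if [ "$first" = "vulnerable" ]; then echo "vulnerable"; else echo "not-vulnerable"; fi
}

# Report when run as a script.
printf 'exported function carried in  : %s\n' "$(exported_function_varname)"
printf 'CVE-2014-6271 env test        : %s\n' "$(shellshock_verdict)"
printf 'payload kept as plain variable: %s\n' "$(payload_kept_as_plain_variable)"
printf 'CGI header vector             : %s\n' "$(cgi_vector_verdict)"
```

The verdict functions only exercise the original parser bug (CVE-2014-6271). A Bash that reports "not-vulnerable" here may still carry the incomplete first patch; the follow-up CVEs listed under Solution need the later patches, which these checks do not distinguish. Run the script against the exact binary your services invoke (BASH_BIN=/bin/bash or the path a CGI or SSH forced-command wrapper uses), since a system can have more than one Bash installed.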

CVSS Metrics

Group          Score  Vector
Base           10     AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal       9.5    E:H/RL:W/RC:C
Environmental  9.6    CDP:LM/TD:H/CR:ND/IR:ND/AR:ND

Acknowledgements

This document was written by Chris King.

Other Information

CVE IDs: CVE-2014-6271, CVE-2014-7169, CVE-2014-6277, CVE-2014-7186, CVE-2014-7187
Date Public: 2014-09-24
Date First Published: 2014-09-25
Date Last Updated: 2015-04-14 20:35 UTC
Document Revision: 56

Sponsored by CISA.