Article ID: 127844, created on Dec 24, 2015, last review on Dec 24, 2015

Information

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock."

NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.

Symptoms

Please use the automated script to find out if installed version of Bash is vulnerable: BashCheck

NOTE: The latest versions of Bash 4.3 [Ubuntu 14.x, Debian Jessie] produce a false positive warning in the check for CVE-2014-7186 (redir_stack bug) with the previously published script.

Examples:

Vulnerable machine:

$ sh bashcheck
Vulnerable to CVE-2014-6271 (original shellshock)
Vulnerable to CVE-2014-7169 (taviso bug)
./bashcheck: line 18:  6671 Segmentation fault: 11  bash -c "true $(printf '< /dev/null
Vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Variable function parser still active, likely vulnerable to yet unknown parser bugs like CVE-2014-6277 (lcamtuf bug)

Updated machine:

$ sh bashcheck
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Variable function parser inactive, likely safe from unknown parser bugs

Resolution

The Redhat security group fixed shellshock vulnerability in several steps and each step have its own CVE assigned: CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187.

Security impact and attack vectors' investigation is published on Redhat Security Blog.

The fixed version of bash are released by the OS vendors:

Even though this vulnerability is not in a product of Parallels, it is highly recommended to install the update because it is possible to exploit the system over the network.

Here is the list of articles which you may refer to:

Email subscription for changes to this article
Save as PDF