{"vuid":"VU#252743","idnumber":"252743","name":"GNU Bash shell executes commands in exported functions in environment variables","keywords":["bash","shellshock","rce"],"overview":"GNU Bash 4.3 and earlier contains a command injection vulnerability that may allow remote code execution.","clean_desc":"UPDATE: New CVE-IDs added for incomplete patches. Additional resources added and vendor patch information updated. CWE-78: OS Command Injection Bash supports exporting of shell functions to other instances of bash using an environment variable. This environment variable is named by the function name and starts with a \"() {\" as the variable value in the function definition. When Bash reaches the end of the function definition, rather than ending execution it continues to process shell commands written after the end of the function. This vulnerability is especially critical because Bash is widespread on many types of devices (UNIX-like operating systems including Linux and Mac OS X), and because many network services utilize Bash, causing the vulnerability to be network exploitable. Any service or program that sets environment variables controlled by an attacker and calls Bash may be vulnerable. Red Hat has developed the following test: $ env x='() { :;}; echo vulnerable' bash -c \"echo this is a test\" The website shellshocker.net from the health IT team at Medical Informatics Engineering has developed several tests for websites and hosts and includes update information. This vulnerability is being actively exploited.","impact":"A malicious attacker may be able to execute arbitrary code at the privilege level of the calling application.","resolution":"Apply an Update\nThe first several set of patches (for CVE-2014-6271) do not completely resolve the vulnerability. CVE-2014-7169, CVE-2014-6277, CVE-2014-7186, and CVE 2014-7187 identify the remaining aspects of this vulnerability. Red Hat has provided a support article with updated information and workarounds. CERT/CC has also included vendor patch information below when notified of an update.","workarounds":"","sysaffected":"Many UNIX-like operating systems, including Linux distribut","thanks":"","author":"This document was written by Chris King.","public":["http://seclists.org/oss-sec/2014/q3/650","https://access.redhat.com/articles/1200223","https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/","http://seclists.org/oss-sec/2014/q3/688","http://seclists.org/oss-sec/2014/q3/685","http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html","http://lcamtuf.blogspot.com/2014/09/bash-bug-apply-unofficial-patch-now.html","https://gist.github.com/anonymous/929d622f3b36b00c0be1","https://www.dfranke.us/posts/2014-09-27-shell-shock-exploitation-vectors.html","https://shellshocker.net/#"],"cveids":["CVE-2014-6271","CVE-2014-7169","CVE-2014-6277","CVE-2014-7186","CVE-2014-7187"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2014-09-25T15:01:28Z","publicdate":"2014-09-24T00:00:00Z","datefirstpublished":"2014-09-25T17:16:54Z","dateupdated":"2015-04-14T20:35:33Z","revision":56,"vrda_d1_directreport":"1","vrda_d1_population":"4","vrda_d1_impact":"4","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"L","cvss_authentication":null,"cvss_confidentialityimpact":"C","cvss_integrityimpact":"C","cvss_availabilityimpact":"C","cvss_exploitablity":null,"cvss_remediationlevel":"W","cvss_reportconfidence":"C","cvss_collateraldamagepotential":"LM","cvss_targetdistribution":"H","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"10","cvss_basevector":"AV:N/AC:L/Au:N/C:C/I:C/A:C","cvss_temporalscore":"9.5","cvss_environmentalscore":"9.6463389888","cvss_environmentalvector":"CDP:LM/TD:H/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}