ID

VAR-201409-0366

CVE

CVE-2014-6277

TITLE

GNU Bash shell executes commands in exported functions in environment variables

DESCRIPTION

GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access, and untrusted-pointer read and write operations) via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271 and CVE-2014-7169. This vulnerability CVE-2014-6271 and CVE-2014-7169 Vulnerability due to insufficient fix for.Arbitrary code execution or denial of service by a third party through a crafted environment ( Uninitialized memory access and untrusted pointer read and write operations ) There is a possibility of being put into a state. QNAP Systems, Inc. Provided by QTS teeth, Turbo NAS for OS is. QTS for, GNU Bash Vulnerability (JVNVU#97219505) caused by OS Command injection vulnerability (CWE-78) Exists. This vulnerability information is based on the Information Security Early Warning Partnership. IPA Report to JPCERT/CC Coordinated with the developer. Reporter : University of Electro-Communications Wakisaka Yuki MrAny application permission OS The command may be executed. An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. Existing users may upgrade to HP OneView version 1.20 using the Update Appliance feature in HP OneView. Go to the HP Software Depot site at http://www.software.hp.com and search for HP OneView. -----BEGIN PGP SIGNED MESSAGE----- CA20141001-01: Security Notice for Bash Shellshock Vulnerability Issued: October 01, 2014 Updated: October 03, 2014 CA Technologies is investigating multiple GNU Bash vulnerabilities, referred to as the "Shellshock" vulnerabilities, which were publicly disclosed on September 24-27, 2014. CVE identifiers CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278 have been assigned to these vulnerabilities. The CA Technologies Enterprise Information Security team has led a global effort to identify and remediate systems and products discovered with these vulnerabilities. We continue to patch our systems as fixes become available, and we are providing fixes for affected CA Technologies products. CA Technologies continues to aggressively scan our environments (including servers, networks, external facing applications, and SaaS environments) to proactively monitor, identify, and remediate any vulnerability when necessary. Risk Rating High Platform AIX Android (not vulnerable, unless rooted) Apple iOS (not vulnerable unless jailbroken) Linux Mac OS X Solaris Windows (not vulnerable unless Cygwin or similar ported Linux tools with Bash shell are installed) Other UNIX/BSD based systems if Bash is installed Any other OS or JeOS that utilizes Bash Affected Products The following products have been identified as potentially vulnerable, and we have made fixes available for all of these products. CA API Management (Linux appliance only) CA Application Performance Management (TIM is the only affected APM component) CA Application Performance Management Cloud Monitor CA Customer Experience Manager (CEM) Transaction Impact Monitor (TIM) CA Layer 7 products (API Gateway, Mobile Access Gateway, API Management Portal) CA User Activity Reporting Module (Enterprise Log Manager) Note: This security notice will be updated if other CA Technologies products are determined to be vulnerable. In most cases, the Bash vulnerabilities will need to be patched by OS vendors. Exceptions may include CA Technologies appliances, and software products that include Linux, UNIX or Mac OS X based operating systems (that include Bash). Affected Components CentOS Cygwin GNU Bash Red Hat Enterprise Linux SUSE Linux Non-Affected Products IMPORTANT NOTE: This listing includes only a small subset of the unaffected CA Technologies products. We're including unaffected products that customers have already inquired about. While the following CA Technologies products are not directly affected by the Bash vulnerabilities, the underlying operating systems that CA Technologies software is installed on may be vulnerable. We strongly encourage our customers to follow the recommendations provided by their vendors for all operating systems they utilize. All CA SaaS / On Demand products were either not vulnerable or have already been patched. CA AHS / PaymentMinder - AHS App is not vulnerable. The AHS app does not execute CGI scripts, or spawn or execute shell commands from within the app. AHS infrastructure already patched. CA Asset Portfolio Management CA AuthMinder (Arcot WebFort) CA AuthMinder for Business Users CA AuthMinder for Consumers CA AutoSys products - We use the bash shell that comes with the operating system and the customer is responsible for patching their OS. Additionally, the agents themselves do not distribute any scripts that use bash. CA Clarity On Demand CA CloudMinder - CloudMinder does not include the Bash Shell in BoM, or use it, but because we are deployed on RHEL, customers may be indirectly affected. Customers using RHEL should apply patches provided by Red Hat. CA Console Management for OpenVMS - Our OpenVMS products do not bundle bash, and they do not supply bash scripts; we use nothing but the native DCL CLI. CA ControlMinder CA DataMinder (formerly DLP) products – Software and appliance confirmed not vulnerable. Note: Linux Agents shipped, but no public SSH or Web apps are used in these agents. Customers should patch bash shell on any Linux server with DataMinder agents. DataMinder agents should continue to function normally. CA Digital Payments SaaS (previously patched) CA Directory CA eCommerce SaaS / On Demand (previously patched) CA Endevor Software Change Manager CA Federation (formerly SiteMinder Federation) CA GovernanceMinder CA IdentityMinder CA Infrastructure Management CA JCLCheck CA Job Management for OpenVMS - Our OpenVMS products do not bundle bash, and they do not supply bash scripts; we use nothing but the native DCL CLI. CA NetQoS GigaStor Observer Expert CA Network Flow Analysis CA Performance Management for OpenVMS - Our OpenVMS products do not bundle bash, and they do not supply bash scripts; we use nothing but the native DCL CLI. CA RiskMinder CA Service Desk Manager CA Service Operations Insight (SOI) CA SiteMinder CA SOLVE:Access CA Spectrum for Linux - Not vulnerable. Be sure to apply bash fixes from your underlying operating system vendor. CA Strong Authentication CA System Watchdog for OpenVMS - Our OpenVMS products do not bundle bash, and they do not supply bash scripts; we use nothing but the native DCL CLI. CA Top Secret CA Universal Job Management Agent for OpenVMS - Our OpenVMS products do not bundle bash, and they do not supply bash scripts; we use nothing but the native DCL CLI. CA Virtual Assurance for Infrastructure Managers (VAIM) Solution CA Technologies has issued the following fixes to address the vulnerabilities. CA API Management: Patches for Linux appliance are available through CA Support to customers of Gateway (applicable for all versions – 6.1.5, 6.2, 7.0, 7.1, 8.0, 8.1, 8.1.1, 8.1.02). CA Application Performance Management: KB article for APM TIM has been published. APM TIM is the only part of APM that was affected. Refer to TEC618037. CA Application Performance Management Cloud Monitor: New images are available for subscribers. Download the latest OPMS version 8.2.1.5. For assistance, contact CA Support. CA Customer Experience Manager (CEM) Transaction Impact Monitor (TIM): Very low risk. 9.6 is not affected. 9.5 Installation uses Bash. We do not use Bash at all for the CEM operating system that we have shipped in the past. This means that customers who patch the OS will not impact the ability of the CEM TIMsoft from operating. However prior to version 9.6, the TIM installation script does use the bash shell. See new KB article TEC618037 for additional information. CA Layer 7 (API Gateway, Mobile Access Gateway, API Management Portal): Fixes for all Bash vulnerabilities and a security bulletin are available on the Layer 7 Support website. CA User Activity Reporting Module (Enterprise Log Manager): All 12.5 and 12.6 GA versions are potentially affected. Patches provided on 2014-09-30. To get the patch, use the OS update functionality to get the latest R12.6 SP1 subscription update. Note that you can update R12.5 SPx with the R12.6 SP1 OS update. For assistance, contact CA Support. Workaround None To help mitigate the risk, we do strongly encourage all customers to follow patch management best practices, and in particular for operating systems affected by the Bash Shellshock vulnerabilities. References CVE-2014-6271 - Bash environment variable command injection CVE-2014-7169 - Bash environment variable incomplete fix for CVE-2014-6271 CVE-2014-7186 - Bash parser redir_stack memory corruption CVE-2014-7187 - Bash nested flow control constructs off-by-one CVE-2014-6277 - Bash untrusted pointer use uninitialized memory CVE-2014-6278 - Bash environment variable command injection CA20141001-01: Security Notice for Bash Shellshock Vulnerability https://support.ca.com/irj/portal/anonymous/phpsbpldgpg Change History v1.0: 2014-10-01, Initial Release v1.1: 2014-10-02, Added AuthMinder, Strong Authentication, VAIM, Clarity OD, All SaaS/OD products to list of Non-Affected Products. v1.2: 2014-10-03, Added RiskMinder to Non-Affected Products. Updated UARM solution info. If additional information is required, please contact CA Technologies Support at https://support.ca.com. If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team at vuln@ca.com. PGP key: support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782 Security Notices https://support.ca.com/irj/portal/anonymous/phpsbpldgpg Regards, Ken Williams Director, Product Vulnerability Response Team CA Technologies | One CA Plaza | Islandia, NY 11749 | www.ca.com Ken.Williams@ca.com | vuln@ca.com Copyright © 2014 CA. All Rights Reserved. One CA Plaza, Islandia, N.Y. 11749. All other trademarks, trade names, service marks, and logos referenced herein belong to their respective companies. -----BEGIN PGP SIGNATURE----- Version: Encryption Desktop 10.3.2 (Build 15238) Charset: utf-8 wsBVAwUBVDK+PZI1FvIeMomJAQFl/Af/TqrSE/h4r3gs9PwrWKdt21PCRI3za9Lx M5ZyTdVDIQ9ybgPkLqsovNRPgVqd7zwDHsx0rzvF5Y82uO+vQ63BuEV2GnczAax/ EiAW4WVxUgWG+lAowGV55Of8ruv/gOiAWTjFhkqpsyVg96ZMw2HLG62IwZL1j0qa oLCu0y3VrGvqH0g2hi75QwHAjNCdlEsD4onUqTCc9cRTdLwFCZrUQ8KTrqIL7LK5 Uo5T9C1UeAyNTo3KiJ/zw3BCOTkpl99dmg3NW0onU/1r1CXdlyS7opLB+GJ+xGwP xRQdUsOIhzfRzx7bsao2D43IhDnzJBBFJHdeMPo18WBTfJ7aUgBwGQ== =B62b -----END PGP SIGNATURE----- . Note: All versions of HP Thin Pro and HP Smart Zero Core operating systems prior to version 5.1.0 are affected by these vulnerabilities. Following is a complete list of affected operating systems and Hardware Platforms Affected. Product Affected Product Versions Patch Status HP ThinPro and HP Smart Zero Core (X86) v5.1.0 and above No update required; the Bash shell patch is incorporated into the base image. Note: If you participated in the ThinPro 5.1.0 beta program then upgrade to the release version as soon as it becomes available. HP ThinPro and HP Smart Zero Core (x86) v5.0.x A component update is currently available through Easy Update as: SecurityUpdate-Shellshock-2.0-all-5.0-x86.xar . The update can be also downloaded directly from HP as part of softpaq sp69382 at the following address: ftp://ftp.hp.com/pub/softpaq/sp69001-69500/sp69382.exe HP ThinPro and HP Smart Zero Core (x86) v4.4.x A component update is currently available through Easy Update as: SecurityUpdate-Shellshock-2.0-all-4.4-x86.xar . The update can be also downloaded directly from HP as part of softpaq sp69382 at the following address: ftp://ftp.hp.com/pub/softpaq/sp69001-69500/sp69382.exe HP ThinPro and HP Smart Zero Core (ARM) v4.4.x A component update is currently available through Easy Update as: SecurityUpdate-Shellshock-2.0-all-4.4-arm.xar . The update can be also downloaded directly from HP as part of softpaq sp69382 at the following address: ftp://ftp.hp.com/pub/softpaq/sp69001-69500/sp69382.exe HP ThinPro and HP Smart Zero Core (X86) v4.1, v4.2, and v4.3 A component update is currently available through Easy Update as: SecurityUpdate-Shellshock-2.0-all-4.1-4.2-4.3-x86.xar . The update can be also downloaded directly from HP as part of softpaq sp69382 at the following address: ftp://ftp.hp.com/pub/softpaq/sp69001-69500/sp69382.exe HP ThinPro and HP Smart Zero Core (ARM) v4.1, v4.2, and v4.3 A component update is currently available through Easy Update as: SecurityUpdate-Shellshock-2.0-all-4.1-4.2-4.3-arm.xar . The update can be also downloaded directly from HP as part of softpaq sp69382 at the following address: ftp://ftp.hp.com/pub/softpaq/sp69001-69500/sp69382.exe HP ThinPro and HP Smart Zero Core (X86) v3.1, v3.2, and v3.3 Download softpaq sp69382 from: ftp://ftp.hp.com/pub/softpaq/sp69001-69500/sp69382.exe which contains an update package as: bash_4.1-3+deb6u2_i386.deb . HP ThinPro and HP Smart Zero Core (ARM) v3.1, v3.2, and v3.3 Download softpaq sp69382 from: ftp://ftp.hp.com/pub/softpaq/sp69001-69500/sp69382.exe which contains an update package as: bash_4.1-3+deb6u2_armel.deb . HP ThinPro and HP Smart Zero Core v2.x and earlier An update will be made available for customers upon request HISTORY Version:1 (rev.1) - 03 October 2014 Initial release Version:2 (rev.2) - 06 November 2014 Updated List of CVEs, Updated impacted products, Updated resolution table Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. Background ========== Bash is the standard GNU Bourne Again SHell. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 app-shells/bash < 4.2_p52 *>= 3.1_p22 *>= 3.2_p56 *>= 4.0_p43 *>= 4.1_p16 >= 4.2_p52 Description =========== Florian Weimer, Todd Sabin, Michal Zalewski et al. discovered further parsing flaws in Bash. The unaffected Gentoo packages listed in this GLSA contain the official patches to fix the issues tracked as CVE-2014-6277, CVE-2014-7186, and CVE-2014-7187. Workaround ========== There is no known workaround at this time. Resolution ========== All Bash 3.1 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=app-shells/bash-3.1_p22:3.1" All Bash 3.2 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=app-shells/bash-3.2_p56:3.2" All Bash 4.0 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=app-shells/bash-4.0_p43:4.0" All Bash 4.1 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=app-shells/bash-4.1_p16:4.1" All Bash 4.2 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=app-shells/bash-4.2_p52" References ========== [ 1 ] CVE-2014-6277 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6277 [ 2 ] CVE-2014-6278 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6278 [ 3 ] CVE-2014-7186 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7186 [ 4 ] CVE-2014-7187 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7187 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201410-01.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. License ======= Copyright 2014 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2015-01-27-4 OS X 10.10.2 and Security Update 2015-001 OS X 10.10.2 and Security Update 2015-001 are now available and address the following: AFP Server Available for: OS X Mavericks v10.9.5 Impact: A remote attacker may be able to determine all the network addresses of the system Description: The AFP file server supported a command which returned all the network addresses of the system. This issue was addressed by removing the addresses from the result. CVE-ID CVE-2014-4426 : Craig Young of Tripwire VERT bash Available for: OS X Yosemite v10.10 and v10.10.1 Impact: Multiple vulnerabilities in bash, including one that may allow local attackers to execute arbitrary code Description: Multiple vulnerabilities existed in bash. These issues were addressed by updating bash to patch level 57. CVE-ID CVE-2014-6277 CVE-2014-7186 CVE-2014-7187 Bluetooth Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5 Impact: A malicious application may be able to execute arbitrary code with system privileges Description: An integer signedness error existed in IOBluetoothFamily which allowed manipulation of kernel memory. This issue was addressed through improved bounds checking. This issue does not affect OS X Yosemite systems. CVE-ID CVE-2014-4497 Bluetooth Available for: OS X Yosemite v10.10 and v10.10.1 Impact: A malicious application may be able to execute arbitrary code with system privileges Description: An error existed in the Bluetooth driver that allowed a malicious application to control the size of a write to kernel memory. The issue was addressed through additional input validation. CVE-ID CVE-2014-8836 : Ian Beer of Google Project Zero Bluetooth Available for: OS X Yosemite v10.10 and v10.10.1 Impact: A malicious application may be able to execute arbitrary code with system privileges Description: Multiple security issues existed in the Bluetooth driver, allowing a malicious application to execute arbitrary code with system privilege. The issues were addressed through additional input validation. CVE-ID CVE-2014-8837 : Roberto Paleari and Aristide Fattori of Emaze Networks CFNetwork Cache Available for: OS X Yosemite v10.10 and v10.10.1 Impact: Website cache may not be fully cleared after leaving private browsing Description: A privacy issue existed where browsing data could remain in the cache after leaving private browsing. This issue was addressed through a change in caching behavior. CVE-ID CVE-2014-4460 CoreGraphics Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution Description: An integer overflow existed in the handling of PDF files. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4481 : Felipe Andres Manzano of the Binamuse VRT, via the iSIGHT Partners GVP Program CPU Software Available for: OS X Yosemite v10.10 and v10.10.1, for: MacBook Pro Retina, MacBook Air (Mid 2013 and later), iMac (Late 2013 and later), Mac Pro (Late 2013) Impact: A malicious Thunderbolt device may be able to affect firmware flashing Description: Thunderbolt devices could modify the host firmware if connected during an EFI update. This issue was addressed by not loading option ROMs during updates. CVE-ID CVE-2014-4498 : Trammell Hudson of Two Sigma Investments CommerceKit Framework Available for: OS X Yosemite v10.10 and v10.10.1 Impact: An attacker with access to a system may be able to recover Apple ID credentials Description: An issue existed in the handling of App Store logs. The App Store process could log Apple ID credentials in the log when additional logging was enabled. This issue was addressed by disallowing logging of credentials. CVE-ID CVE-2014-4499 : Sten Petersen CoreGraphics Available for: OS X Yosemite v10.10 and v10.10.1 Impact: Some third-party applications with non-secure text entry and mouse events may log those events Description: Due to the combination of an uninitialized variable and an application's custom allocator, non-secure text entry and mouse events may have been logged. This issue was addressed by ensuring that logging is off by default. This issue did not affect systems prior to OS X Yosemite. CVE-ID CVE-2014-1595 : Steven Michaud of Mozilla working with Kent Howard CoreGraphics Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5 Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue existed in the handling of PDF files. The issue was addressed through improved bounds checking. This issue does not affect OS X Yosemite systems. CVE-ID CVE-2014-8816 : Mike Myers, of Digital Operatives LLC CoreSymbolication Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 Impact: A malicious application may be able to execute arbitrary code with system privileges Description: Multiple type confusion issues existed in coresymbolicationd's handling of XPC messages. These issues were addressed through improved type checking. CVE-ID CVE-2014-8817 : Ian Beer of Google Project Zero FontParser Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 Impact: Processing a maliciously crafted .dfont file may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue existed in the handling of .dfont files. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4484 : Gaurav Baruah working with HP's Zero Day Initiative FontParser Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of font files. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4483 : Apple Foundation Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 Impact: Viewing a maliciously crafted XML file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the XML parser. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4485 : Apple Intel Graphics Driver Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 Impact: Multiple vulnerabilities in Intel graphics driver Description: Multiple vulnerabilities existed in the Intel graphics driver, the most serious of which may have led to arbitrary code execution with system privileges. This update addresses the issues through additional bounds checks. CVE-ID CVE-2014-8819 : Ian Beer of Google Project Zero CVE-2014-8820 : Ian Beer of Google Project Zero CVE-2014-8821 : Ian Beer of Google Project Zero IOAcceleratorFamily Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A null pointer dereference existed in IOAcceleratorFamily's handling of certain IOService userclient types. This issue was addressed through improved validation of IOAcceleratorFamily contexts. CVE-ID CVE-2014-4486 : Ian Beer of Google Project Zero IOHIDFamily Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A buffer overflow existed in IOHIDFamily. This issue was addressed with improved bounds checking. CVE-ID CVE-2014-4487 : TaiG Jailbreak Team IOHIDFamily Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A validation issue existed in IOHIDFamily's handling of resource queue metadata. This issue was addressed through improved validation of metadata. CVE-ID CVE-2014-4488 : Apple IOHIDFamily Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A null pointer dereference existed in IOHIDFamily's handling of event queues. This issue was addressed through improved validation of IOHIDFamily event queue initialization. CVE-ID CVE-2014-4489 : @beist IOHIDFamily Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 Impact: Executing a malicious application may result in arbitrary code execution within the kernel Description: A bounds checking issue existed in a user client vended by the IOHIDFamily driver which allowed a malicious application to overwrite arbitrary portions of the kernel address space. The issue is addressed by removing the vulnerable user client method. CVE-ID CVE-2014-8822 : Vitaliy Toropov working with HP's Zero Day Initiative IOKit Available for: OS X Yosemite v10.10 and v10.10.1 Impact: A malicious application may be able to execute arbitrary code with system privileges Description: An integer overflow existed in the handling of IOKit functions. This issue was addressed through improved validation of IOKit API arguments. CVE-ID CVE-2014-4389 : Ian Beer of Google Project Zero IOUSBFamily Available for: OS X Yosemite v10.10 and v10.10.1 Impact: A privileged application may be able to read arbitrary data from kernel memory Description: A memory access issue existed in the handling of IOUSB controller user client functions. This issue was addressed through improved argument validation. CVE-ID CVE-2014-8823 : Ian Beer of Google Project Zero Kernel Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 Impact: A malicious application may be able to execute arbitrary code with system privileges Description: Specifying a custom cache mode allowed writing to kernel read-only shared memory segments. This issue was addressed by not granting write permissions as a side-effect of some custom cache modes. CVE-ID CVE-2014-4495 : Ian Beer of Google Project Zero Kernel Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A validation issue existed in the handling of certain metadata fields of IODataQueue objects. This issue was addressed through improved validation of metadata. CVE-ID CVE-2014-8824 : @PanguTeam Kernel Available for: OS X Yosemite v10.10 and v10.10.1 Impact: A local attacker can spoof directory service responses to the kernel, elevate privileges, or gain kernel execution Description: Issues existed in identitysvc validation of the directory service resolving process, flag handling, and error handling. This issue was addressed through improved validation. CVE-ID CVE-2014-8825 : Alex Radocea of CrowdStrike Kernel Available for: OS X Yosemite v10.10 and v10.10.1 Impact: A local user may be able to determine kernel memory layout Description: Multiple uninitialized memory issues existed in the network statistics interface, which led to the disclosure of kernel memory content. This issue was addressed through additional memory initialization. CVE-ID CVE-2014-4371 : Fermin J. Serna of the Google Security Team CVE-2014-4419 : Fermin J. Serna of the Google Security Team CVE-2014-4420 : Fermin J. Serna of the Google Security Team CVE-2014-4421 : Fermin J. Serna of the Google Security Team Kernel Available for: OS X Mavericks v10.9.5 Impact: A person with a privileged network position may cause a denial of service Description: A race condition issue existed in the handling of IPv6 packets. This issue was addressed through improved lock state checking. CVE-ID CVE-2011-2391 Kernel Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 Impact: Maliciously crafted or compromised applications may be able to determine addresses in the kernel Description: An information disclosure issue existed in the handling of APIs related to kernel extensions. Responses containing an OSBundleMachOHeaders key may have included kernel addresses, which may aid in bypassing address space layout randomization protection. This issue was addressed by unsliding the addresses before returning them. CVE-ID CVE-2014-4491 : @PanguTeam, Stefan Esser Kernel Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A validation issue existed in the handling of certain metadata fields of IOSharedDataQueue objects. This issue was addressed through relocation of the metadata. CVE-ID CVE-2014-4461 : @PanguTeam LaunchServices Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 Impact: A malicious JAR file may bypass Gatekeeper checks Description: An issue existed in the handling of application launches which allowed certain malicious JAR files to bypass Gatekeeper checks. This issue was addressed through improved handling of file type metadata. CVE-ID CVE-2014-8826 : Hernan Ochoa of Amplia Security libnetcore Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 Impact: A malicious, sandboxed app can compromise the networkd daemon Description: Multiple type confusion issues existed in networkd's handling of interprocess communication. The issue is addressed through additional type checking. CVE-ID CVE-2014-4492 : Ian Beer of Google Project Zero LoginWindow Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 Impact: A Mac may not lock immediately upon wake Description: An issue existed in the rendering of the lock screen. This issue was address through improved screen rendering while locked. CVE-ID CVE-2014-8827 : Xavier Bertels of Mono, and multiple OS X seed testers lukemftp Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 Impact: Using the command line ftp tool to fetch files from a malicious http server may lead to arbitrary code execution Description: A command injection issue existed in the handling of HTTP redirects. This issue was addressed through improved validation of special characters. CVE-ID CVE-2014-8517 OpenSSL Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 Impact: Multiple vulnerabilities in OpenSSL 0.9.8za, including one that may allow an attacker to downgrade connections to use weaker cipher-suites in applications using the library Description: Multiple vulnerabilities existed in OpenSSL 0.9.8za. These issues were addressed by updating OpenSSL to version 0.9.8zc. CVE-ID CVE-2014-3566 CVE-2014-3567 CVE-2014-3568 Sandbox Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5 Impact: A sandboxed process may be able to circumvent sandbox restrictions Description: A design issue existed in the caching of sandbox profiles which allowed sandboxed applications to gain write access to the cache. This issue was addressed by restricting write access to paths containing a "com.apple.sandbox" segment. This issue does not affect OS X Yosemite v10.10 or later. CVE-ID CVE-2014-8828 : Apple SceneKit Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5 Impact: A malicious application could execute arbitrary code leading to compromise of user information Description: Multiple out of bounds write issues existed in SceneKit. These issues were addressed through improved bounds checking. CVE-ID CVE-2014-8829 : Jose Duart of the Google Security Team SceneKit Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 Impact: Viewing a maliciously crafted Collada file may lead to an unexpected application termination or arbitrary code execution Description: A heap buffer overflow existed in SceneKit's handling of Collada files. This issue was addressed through improved validation of accessor elements. CVE-ID CVE-2014-8830 : Jose Duart of Google Security Team Security Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 Impact: A downloaded application signed with a revoked Developer ID certificate may pass Gatekeeper checks Description: An issue existed with how cached application certificate information was evaluated. This issue was addressed with cache logic improvements. CVE-ID CVE-2014-8838 : Apple security_taskgate Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 Impact: An app may access keychain items belonging to other apps Description: An access control issue existed in the Keychain. Applications signed with self-signed or Developer ID certificates could access keychain items whose access control lists were based on keychain groups. This issue was addressed by validating the signing identity when granting access to keychain groups. CVE-ID CVE-2014-8831 : Apple Spotlight Available for: OS X Yosemite v10.10 and v10.10.1 Impact: The sender of an email could determine the IP address of the recipient Description: Spotlight did not check the status of Mail's "Load remote content in messages" setting. This issue was addressed by improving configuration checking. CVE-ID CVE-2014-8839 : John Whitehead of The New York Times, Frode Moe of LastFriday.no Spotlight Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 Impact: Spotlight may save unexpected information to an external hard drive Description: An issue existed in Spotlight where memory contents may have been written to external hard drives when indexing. This issue was addressed with better memory management. CVE-ID CVE-2014-8832 : F-Secure SpotlightIndex Available for: OS X Yosemite v10.10 and v10.10.1 Impact: Spotlight may display results for files not belonging to the user Description: A deserialization issue existed in Spotlight's handling of permission caches. A user performing a Spotlight query may have been shown search results referencing files for which they don't have sufficient privileges to read. This issue was addressed with improved bounds checking. CVE-ID CVE-2014-8833 : David J Peacock, Independent Technology Consultant sysmond Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10 and v10.10.1 Impact: A malicious application may be able to execute arbitrary code with root privileges Description: A type confusion vulnerability existed in sysmond that allowed a local application to escalate privileges. The issue was addressed with improved type checking. CVE-ID CVE-2014-8835 : Ian Beer of Google Project Zero UserAccountUpdater Available for: OS X Yosemite v10.10 and v10.10.1 Impact: Printing-related preference files may contain sensitive information about PDF documents Description: OS X Yosemite v10.10 addressed an issue in the handling of password-protected PDF files created from the Print dialog where passwords may have been included in printing preference files. This update removes such extraneous information that may have been present in printing preference files. CVE-ID CVE-2014-8834 : Apple Note: OS X Yosemite 10.10.2 includes the security content of Safari 8.0.3. For further details see https://support.apple.com/kb/HT204243 OS X Yosemite 10.10.2 and Security Update 2015-001 may be obtained from the Mac App Store or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.22 (Darwin) iQIcBAEBAgAGBQJUx8ufAAoJEBcWfLTuOo7tWecQAIFvaOlK0Ar2vbUaH0TIpO9F N9SbkWmdNHDNUvc3LJOaeVfAFlXPbgHYqXGIC0kZiRL5Kyhy/K2hH29iNoIDqfET D1jPWOaAFhzvohViYl12ne/A7bBs5v+3G6gqmGCDCqGyn5VFdUMmS0/ZJSCUkPQG LqTvj5D4ulYl8I5uA9Ur9jD2j/TkSCOWiSTO5diMlt1WcKb1fn5pl9b0YNweI8UX FcZPrIlVNeaSywuitdxZEcWOhsJYbS6Xw13crS/HNJGEO+5N7keCnCJiN9HW4Pt6 8iNAgkSWX6S8nP6mq3tiKJmvh6Qj88tvSLgotc79+C8djvkwkxr3611sSLRUStI/ qmwDeJS+rvNgFiLbcJjDDH1EC3qBqMb5mIsMtnXKDDMS8mNeJHaQFngK2YacFLuW gzAMZIcEhLpWq46rYHBsPsB1iG1shyxxz1zL+JKNAi1aTtfFrP3aItQBUG5T345V 0oJol8oxzen9KLNYJMvE9CTJlrRr204DoQkmhY2dUP2W1EQoEGw2qzy/zBIq0yFA 0FNVcSXE+T4yCyHRGakK/sccw6lyCP0xS/lgaPlkyHsFT3oalu9yyqNtDCJl/Cns sAa5dw0tlb8/zWQ3fsJna2yrw5xSboA5KWegtrjtjodrz8O1MjRrTPgx8AnLjKzq nggZl3Sa+QhfaHSUqSJI =uAqk -----END PGP SIGNATURE----- . This vulnerability allows users that have been granted access to a shell script to escalate privilege and execute unrestricted commands at the same security level as the Bash script. Open the PXE Configuration Utility on the HP Insight Control server deployment window Select Linux Managed from the Boot Menu options Click the Edit button. Clicking the Edit button displays the Edit Shared Menu Option window Uncheck the x86 option in Operating System and Processor Options and click OK. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Note: the current version of the following document is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/ docDisplay?docId=emr_na-c04512907 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c04512907 Version: 1 HPSBMU03217 rev.1 - HP Vertica Analytics Platform running Bash Shell, Remote Code Execution NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2014-12-16 Last Updated: 2014-12-16 Potential Security Impact: Remote code execution Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY A potential security vulnerability has been identified with HP Vertica. References: CVE-2014-6271 CVE-2014-6277 CVE-2014-6278 CVE-2014-7169 CVE-2014-7186 CVE-2014-7187 SSRT101827 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP Vertica AMI's and Virtual Machines prior to v7.1.1-0. CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2014-6271 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2104-6277 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2104-6278 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2014-7169 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2014-7186 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2014-7187 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION We recommend installing Vertica v7.1.1-0 or subsequent, or manually installing a new version of Bash, such as Bash43-027. HP has released the following updates to resolve this vulnerability for HP Vertica products. Update to the latest VM image available at: https://my.vertica.com For customers using the AMI version HP Vertica Analytics platform, please install the latest image available at Amazon. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information. To get the security-alert PGP key, please send an e-mail message as follows: To: security-alert@hp.com Subject: get key Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email: http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG &jumpid=in_SC-GEN__driverITRC&topiccode=ITRC On the web page: ITRC security bulletins and patch sign-up Under Step1: your ITRC security bulletins and patches - check ALL categories for which alerts are required and continue. Under Step2: your ITRC operating systems - verify your operating system selections are checked and save. To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php Log in on the web page: Subscriber's choice for Business: sign-in. On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections. To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do * The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title: GN = HP General SW MA = HP Management Agents MI = Misc. 3rd Party SW MP = HP MPE/iX NS = HP NonStop Servers OV = HP OpenVMS PI = HP Printing & Imaging ST = HP Storage SW TL = HP Trusted Linux TU = HP Tru64 UNIX UX = HP-UX VV = HP VirtualVault System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions. "HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement." Copyright 2014 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Good morning! This is kinda long. == Background == If you are not familiar with the original bash function export vulnerability (CVE-2014-6271), you may want to have a look at this article: http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html Well, long story short: the initial maintainer-provided patch for this issue [1] (released on September 24) is *conclusively* broken. After nagging people to update for a while [5] [7], I wanted to share the technical details of two previously non-public issues which may be used to circumvent the original patch: CVE-2014-6277 and CVE-2014-6278. Note that the issues discussed here are separate from the three probably less severe problems publicly disclosed earlier on: Tavis' limited-exploitability EOL bug (CVE-2014-7169) and two likely non-exploitable one-off issues found by Florian Weimer and Todd Sabin (CVE-2014-7186 and CVE-2014-7187). == Required actions == If you have installed just the September 24 patch [1], or that and the follow-up September 26 patch for CVE-2014-7169 [2], you are likely still vulnerable to RCE and need to update ASAP, as discussed in [5]. You are safe if you have installed the unofficial function prefix patch from Florian Weimer [3], or its upstream variant released on September 28 [4]. The patch does not eliminate the problems, but shields the underlying parser from untrusted inputs under normal circumstances. Note: over the past few days, Florian's patch has been picked up by major Linux distros (Red Hat, Debian, SUSE, etc), so there is a reasonable probability that you are in good shape. To test, execute this command from within a bash shell: foo='() { echo not patched; }' bash -c foo If you see "not patched", you probably want upgrade immediately. If you see "bash: foo: command not found", you're OK. == Vulnerability details: CVE-2014-6277 (the more involved one) == The following function definition appearing in the value of any environmental variable passed to bash will lead to an attempt to dereference attacker-controlled pointers (provided that the targeted instance of bash is protected only with the original patches [1][2] and does not include Florian's fix): () { x() { _; }; x() { _; } <<a; } A more complete example leading to a deref of 0x41414141 would be: HTTP_COOKIE="() { x() { _; }; x() { _; } <<`perl -e '{print "A"x1000}'`; }" bash -c : bash[25662]: segfault at 41414141 ip 00190d96 sp bfbe6354 error 4 in libc-2.12.so[110000+191000] (If you are seeing 0xdfdfdfdf, see note later on). The issue is caused by an uninitialized here_doc_eof field in a REDIR struct originally created in make_redirection(). The initial segv will happen due to an attempt to read and then copy a string to a new buffer through a macro that expands to: strcpy (xmalloc (1 + strlen (redirect->here_doc_eof)), (redirect->here_doc_eof)) This appears to be exploitable in at least one way: if here_doc_eof is chosen by the attacker to point in the vicinity of the current stack pointer, the apparent contents of the string - and therefore its length - may change between stack-based calls to xmalloc() and strcpy() as a natural consequence of an attempt to pass parameters and create local variables. Such a mid-macro switch will result in an out-of-bounds write to the newly-allocated memory. A simple conceptual illustration of this attack vector would be: -- snip! -- char* result; int len_alloced; main(int argc, char** argv) { /* The offset will be system- and compiler-specific */; char* ptr = &ptr - 9; result = strcpy (malloc(100 + (len_alloced = strlen(ptr))), ptr); printf("requested memory = %d\n" "copied text = %d\n", len_alloced + 1, strlen(result) + 1); } -- snip! -- When compiled with the -O2 flag used for bash, on one test system, this produces: requested memory = 2 copied text = 28 This can lead to heap corruption, with multiple writes possible per payload by simply increasing the number of malformed here-docs. The consequences should be fairly clear. [ There is also a latter call to free() on here_doc_eof in dispose_cmd.c, but because of the simultaneous discovery of the much simpler bug '78 discussed in the next section, I have not spent a whole lot of time trying to figure out how to get to that path. ] Perhaps notably, the ability to specify attacker-controlled addresses hinges on the state of --enable-bash-malloc and --enable-mem-scramble compile-time flags; if both are enabled, the memory returned by xmalloc() will be initialized to 0xdf, making the prospect of exploitation more speculative (essentially depending on whether the stack or any other memory region can be grown to overlap with 0xdfdfdfdf). That said, many Linux distributions disable one or both flags and are vulnerable out-of-the-box. It is also of note that relatively few distributions compile bash as PIE, so there is little consolation to be found in ASLR. Similarly to the original vulnerability, this issue can be usually triggered remotely through web servers such as Apache (provided that they invoke CGI scripts or PHP / Python / Perl / C / Java servlets that rely on system() or popen()-type libcalls); through DHCP clients; and through some MUAs and MTAs. For a more detailed discussion of the exposed attack surface, refer to [6]. == Vulnerability details: CVE-2014-6278 (the "back to the '90s" one) == The following function definition appearing in the value of any environmental variable passed to bash 4.2 or 4.3 will lead to straightforward put-your-command-here RCE (again, provided that the targeted instance is not protected with Florian's patch): () { _; } >_[$($())] { echo hi mom; id; } A complete example looks like this: HTTP_COOKIE='() { _; } >_[$($())] { echo hi mom; id; }' bash -c : ...or: GET /some/script.cgi HTTP/1.0 User-Agent: () { _; } >_[$($())] { id >/tmp/hi_mom; } Note that the PoC does not work as-is in more ancient versions of bash, such as 2.x or 3.x; it might have been introduced with xparse_dolparen() starting with bash 4.2 patch level 12 few years back, but I have not investigated this in a lot of detail. Florian's patch is strongly recommended either way. The attack surface through which this flaw may be triggered is roughly similar to that for CVE-2014-6277 and the original bash bug [6]. == Additional info == Both of these issues were identified in an automated fashion with american fuzzy lop: https://code.google.com/p/american-fuzzy-lop The out-of-the-box fuzzer was seeded with a minimal valid function definition ("() { foo() { foo; }; >bar; }") and allowed to run for a couple of hours on a single core. In addition to the issues discussed above, the fuzzer also hit three of the four previously-reported CVEs. I initially shared the findings privately with vendors, but because of the intense scrutiny that this codebase is under, the ease of reproducing these results with an open-source fuzzer, and the now-broad availability of upstream mitigations, there seems to be relatively little value in continued secrecy. == References == [1] http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-025 [2] http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-026 [3] http://www.openwall.com/lists/oss-security/2014/09/25/13 [4] http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-027 [5] http://lcamtuf.blogspot.com/2014/09/bash-bug-apply-unofficial-patch-now.html [6] http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html [7] http://www.pcworld.com/article/2688932/improved-patch-tackles-new-shellshock-attack-vectors.html PS. There are no other bugs in bash. --------- FOLLOW UP ----------- Date: Wed, 01 Oct 2014 07:32:57 -0700 From fulldisclosure-bounces@seclists.org Wed Oct 1 14:37:33 2014 From: Paul Vixie <paul@redbarn.org> To: Michal Zalewski <lcamtuf@coredump.cx> Cc: "fulldisclosure@seclists.org" <fulldisclosure@seclists.org> Subject: Re: [FD] the other bash RCEs (CVE-2014-6277 and CVE-2014-6278) michal, thank you for your incredibly informative report here. i have a minor correction. > Michal Zalewski <mailto:lcamtuf@coredump.cx> > Wednesday, October 01, 2014 7:21 AM > ... > > Note: over the past few days, Florian's patch has been picked up by > major Linux distros (Red Hat, Debian, SUSE, etc), so there is a > reasonable probability that you are in good shape. To test, execute > this command from within a bash shell: > > foo='() { echo not patched; }' bash -c foo this command need not be executed from within bash. the problem occurs when bash is run by the command, and the shell that runs the command can be anything. for example, on a system where i have deliberately not patched bash, where sh is "ash" (almquist shell): > $ foo='() { echo not patched; }' bash -c foo > not patched here's me testing it from within tcsh: > % env foo='() { echo not patched; }' bash -c foo > not patched > % (setenv foo '() { echo not patched; }'; bash -c foo) > not patched this is a minor issue, but i've found in matters of security bug reports, tests, and discussions, that any minor matter can lead to deep misunderstanding. thanks again for your excellent report, and your continuing work on this issue. vixie

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

operating system commend injection

CONFIGURATIONS

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES