ID

VAR-201409-1156

CVE

CVE-2014-6271

TITLE

GNU Bash shell executes commands in exported functions in environment variables

DESCRIPTION

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. GNU Bash 4.3 and earlier contains a command injection vulnerability that may allow remote code execution. An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Note: the current version of the following document is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/ docDisplay?docId=emr_na-c04467807 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c04467807 Version: 2 HPSBGN03117 rev.2 - HP Remote Device Access: Virtual Customer Access System (vCAS) running Bash Shell, Remote Code Execution NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2014-09-30 Last Updated: 2014-11-11 Potential Security Impact: Remote code execution Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY A potential security vulnerability has been identified with HP Remote Device Access: Virtual Customer Access System (vCAS) running Bash Shell. NOTE: The vCAS product is vulnerable only if DHCP is enabled. References: CVE-2014-6271 CVE-2014-7169 SSRT101724 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. All vCAS versions prior to 14.10-38402 BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2014-6271 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2014-7169 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION HP has made the following updates available to resolve the vulnerability in HP Remote Device Access: Virtual Customer Access System (vCAS) running Bash Shell. Customers should upgrade their vCAS systems using the web UI or the "casupdate" command. There are also new VirtualBox and VMware ESX images available: - VMware ESX/ESXi image: https://h20529.www2.hp.com/apt/hp-rdacas-14.10-38402.ova - VirtualBox image: https://h20529.www2.hp.com/apt/hp-rdacas-14.10-38402-vbox.ova NOTE: - HP recommends to not power-down or disconnect the vCAS until the update is available. - The vCAS pulls down the latest updates from HP by using Ubuntus apt-get facility. - HP does not push updates out on to the vCAS so customers will have to be proactive and install the latest updates. Actions Required The DHCP exploit can be mitigated by ensuring that DHCP is disabled on the vCAS as detailed in MITIGATION INFORMATION below. Download updates by using a web browser: 1. Connect to the vCAS and login as hp-admin 2. Go to Tools -> Software Updates 3. Under "Manual Actions" select Check now and then upgrade now See HP Remote Device Access vCAS User Guide, Chapter 4, Software Updates for more details: http://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/action.pro cess/public/psi/manualsDisplay/?sp4ts.oid=4256914&javax.portlet.action=true&s pf_p.tpst=psiContentDisplay&javax.portlet.begCacheTok=com.vignette.cachetoken &spf_p.prp_psiContentDisplay=wsrp-interactionState%3DdocId%253Demr_na-c033816 86%257CdocLocale%253Den_US&javax.portlet.endCacheTok=com.vignette.cachetoken MITIGATION INFORMATION A Shellshock attack requires the definition of an environment variable introduced into Bash. The vCAS has three attack vectors: SSH, the lighttpd web server, and the DHCP client. - The exploit does not elevate privileges. The DHCP client uses Bash scripts and is vulnerable to Shellshock. The DHCP exploit can be mitigated by ensuring that DHCP is disabled on the vCAS. Note: HP strongly discourages the use of DHCP on the vCAS. The web UI forces the vCAS user to assign a static IP address and change the hp-admin password. A vCAS user must manually configure DHCP for use on the vCAS. A vCAS user can verify that DHCP is disabled by inspecting the file "/etc/network/interfaces" and ensuring that the "iface" line for device "eth0" is set for a static IP. Example of a static IP configuration: # The primary network interface auto eth0 iface eth0 inet static address 172.27.1.68 netmask 255.255.255.0 gateway 172.27.1.1 HISTORY Version:1 (rev.1) - 30 September 2014 Initial release Version:2 (rev.2) - 11 November 2014 Software updates available Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2014 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (GNU/Linux) iEYEARECAAYFAlRiTVMACgkQ4B86/C0qfVkVXwCgnt3AiI6i2W/bYpzl1OdUS3V0 240AnAzsgVtgeyaCKxbE7+fRS74qViiq =Gpae -----END PGP SIGNATURE----- . HP Product Firmware Version HP StoreEver ESL G3 Tape Libraries with MCB version 2 680H_GS40701 HP StoreEver ESL G3 Tape Libraries with MCB version 1 656H_GS10801 The firmware is customer installable and is available in the Drivers, Software & Firmware section at the following location: http://www.hp.com/support/eslg3 Notes: - Updating the library firmware requires a reboot of the library. - If the library firmware cannot be updated, HP recommends following the Mitigation Instructions below. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: rhev-hypervisor6 security update Advisory ID: RHSA-2014:1354-01 Product: Red Hat Enterprise Virtualization Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1354.html Issue date: 2014-10-02 CVE Names: CVE-2014-1568 CVE-2014-6271 CVE-2014-7169 CVE-2014-7186 CVE-2014-7187 ===================================================================== 1. Summary: An updated rhev-hypervisor6 package that fixes several security issues is now available. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: RHEV-M 3.4 - noarch 3. Description: The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: a subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent. Note: Red Hat Enterprise Virtualization Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions. A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. (CVE-2014-6271) It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. (CVE-2014-7169) A flaw was found in the way NSS parsed ASN.1 (Abstract Syntax Notation One) input from certain RSA signatures. A remote attacker could use this flaw to forge RSA certificates by providing a specially crafted signature to an application using NSS. (CVE-2014-1568) It was discovered that the fixed-sized redir_stack could be forced to overflow in the Bash parser, resulting in memory corruption, and possibly leading to arbitrary code execution when evaluating untrusted input that would not otherwise be run as code. (CVE-2014-7186) An off-by-one error was discovered in the way Bash was handling deeply nested flow control constructs. (CVE-2014-7187) Red Hat would like to thank Stephane Chazelas for reporting CVE-2014-6271, and the Mozilla project for reporting CVE-2014-1568. Upstream acknowledges Antoine Delignat-Lavaud and Intel Product Security Incident Response Team as the original reporters of CVE-2014-1568. Users of the Red Hat Enterprise Virtualization Hypervisor are advised to upgrade to this updated package. 4. Solution: This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258 To upgrade Hypervisors in Red Hat Enterprise Virtualization environments using the disk image provided by this package, refer to: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/ht ml/Hypervisor_Deployment_Guide/chap-Deployment_Guide-Upgrading_Red_Hat_Ente rprise_Virtualization_Hypervisors.html 5. Bugs fixed (https://bugzilla.redhat.com/): 1141597 - CVE-2014-6271 bash: specially-crafted environment variables can be used to inject shell commands 1145429 - CVE-2014-1568 nss: RSA PKCS#1 signature verification forgery flaw (MFSA 2014-73) 1146319 - CVE-2014-7169 bash: code execution via specially-crafted environment (Incomplete fix for CVE-2014-6271) 1146791 - CVE-2014-7186 bash: parser can allow out-of-bounds memory access while handling redir_stack 1146804 - CVE-2014-7187 bash: off-by-one error in deeply nested flow control constructs 6. Package List: RHEV-M 3.4: Source: rhev-hypervisor6-6.5-20140930.1.el6ev.src.rpm noarch: rhev-hypervisor6-6.5-20140930.1.el6ev.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2014-1568.html https://www.redhat.com/security/data/cve/CVE-2014-6271.html https://www.redhat.com/security/data/cve/CVE-2014-7169.html https://www.redhat.com/security/data/cve/CVE-2014-7186.html https://www.redhat.com/security/data/cve/CVE-2014-7187.html https://access.redhat.com/security/updates/classification/#critical 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. This vulnerability allows users that have been granted access to a shell script to escalate privilege and execute unrestricted commands at the same security level as the Bash script. No other firmware stream updates are planned beyond the NX-OS 5.x and 6.x versions listed below for the MDS products. HP has released and posted the Cisco switch software version NX-OS 6.2(9a) on HP Support Center (HPSC). This software versions 6.2(9a) has included the fixes for the vulnerability in HP StoreFabric C-series MDS switches which currently supporting NX-OS 6.X releases. HP has released and posted the Cisco switch software version NX-OS 5.2(8e) on HP Support Center (HPSC). This software version 5.2(8e) has included the fix for the vulnerability in HP C-series MDS switches which currently supporting NX-OS 5.X releases. HP is continuing to actively work on software updates to resolve the vulnerability in HP C-series Nexus 5k switches. This bulletin will be revised when these updates become available. MITIGATION INFORMATION If updating to a NX-OS version containing the fix is not currently possible, HP recommends the following steps to reduce the risk of this vulnerability: The "ssh" or "telnet" features may be disabled by the admin user. All MDS and Nexus 5K switches can function in this configuration. Access is available through the console port. Vantage Point Security Advisory 2015-001 ======================================== Title: Cisco Unified Communications Manager Multiple Vulnerabilities Vendor: Cisco Vendor URL: http://www.cisco.com/ Versions affected: <9.2, <10.5.2, <11.0.1. Severity: Low to medium Vendor notified: Yes Reported: Oct. 2014 Public release: Aug. 13th, 2015 Author: Bernhard Mueller <bernhard[at]vantagepoint[dot]sg> Summary: -------- Cisco Unified Communications Manager (CUCM) offers services such as session management, voice, video, messaging, mobility, and web conferencing. During the last year, Vantage Point Security has reported four security issues to Cisco as listed below. Shellshock command injection -------------------------------- Authenticated users of CUCM can access limited functionality via the web interface and Cisco console (SSH on port 22). shellshock). This allows an attacker to spawn a shell running as the user "admin". Example: $ LC_PAPER="() { x;};/bin/sh" ssh Administrator@examplecucm.com 2. Local File Inclusion ----------------------- The application allows users to view the contents of any locally accessible files on the web server through a vulnerability known as LFI (Local File Inclusion). LFI vulnerabilities are commonly used to download application source code, configuration files and files containing sensitive information such as passwords. Exploiting this issue requires a valid user account. https://cucm.example.com/:8443/reporter-servlet/GetFileContent?Location=/&FileName=/usr/local/thirdparty/jakarta-tomcat/conf/tomcat-users.xml 3. Unauthenticated access to ping command ----------------------------------------- The pingExecute servlet allows unauthenticated users to execute pings to arbitrary IP addresses. This could be used by an attacker to enumerate the internal network. The following URL triggers a ping of the host 10.0.0.1: https://cucm.example.com:8443/cmplatform/pingExecute?hostname=10.0.0.1&interval=1.0&packetsize=12&count=1000&secure=false 4. Magic session ID allows unauthenticated access to SOAP calls --------------------------------------------------------------- Authentication for some methods in the EPAS SOAP interface can be bypassed by using a hardcoded session ID. The methods "GetUserLoginInfoHandler" and "GetLoggedinXMPPUserHandler" are affected. Fix Information: ---------------- Upgrade to CUCM version 9.2, 10.5.2 or 11.0.1. References: ----------- https://tools.cisco.com/quickview/bug/CSCus88031 https://tools.cisco.com/quickview/bug/CSCur49414 https://tools.cisco.com/quickview/bug/CSCum05290 http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash http://tools.cisco.com/security/center/viewAlert.x?alertId=37111 Timeline: --------- 2014/10: Issues reported to Cisco; 2015/07: Confirm that all issues have been fixed. About Vantage Point Security: -------------------- Vantage Point is the leading provider for penetration testing and security advisory services in Singapore. Clients in the Financial, Banking and Telecommunications industries select Vantage Point Security based on technical competency and a proven track record to deliver significant and measurable improvements in their security posture. https://www.vantagepoint.sg/ office[at]vantagepoint[dot]sg . The shell is not accessible via the standard calibration or remote management interfaces. The unit provides Calibration Software running on embedded Linux, which includes a Bash Shell

AFFECTED PRODUCTS