Login   |   Secure Purdue > News

Update: Critical Bash Update

A the patch for CVE-2014-6271 was incomplete. The patch did not cover all variations to append Bash commands to global variables. Since the update, new variations have been seen and it looks like more patches have been released in response.

For a few days, it would probably be a good idea to keep checking for Bash updates.

Some details about the new findings:

web.nvd.nist .gov /view/vuln/detail?vulnId=CVE-2014-7169
access.redhat .com /security/cve/CVE-2014-7186
access.redhat .com /security/cve/CVE-2014-7187


A serious vulnerability (CVE-2014-6271) for Bash was discovered where
remote command injection is possible through means that would call a
Bash shell. Common services that would be affected are sshd, apache,
DHCP, or any other service that uses shell scripts to export variables.

There are BASH updates already available for more UNIX/Linux distros.
Anyone that manages one of those systems are urged to update Bash.


All versions of Bash on UNIX/Linux based systems


Attackers can append commands to the end of environment variable's
function definition. When the variable is loaded into Bash, Bash will
process the command that was added at the end of the variable
definition. There are several ways that this could be exploited; the
most common are listed below:

sshd - rsync or git commands
apache/httpd - CGI scripts
DHCP - dhclient
CUPS - CUPS filtering from user supplied values

To test the vulnerability:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

Output of a vulnerable system will display:
> vulnerable this is a test

A system without the Bash vulnerability will display:
> bash: warning: x: ignoring function definition attempt bash: error
> importing function definition for `x' this is a test


Update Bash


web.nvd.nist .gov /view/vuln/detail?vulnId=CVE-2014-6271
access.redhat .com /articles/1200223
access.redhat .com /solutions/1207723
(copy/paste and remove the spaces)

Posted by ITSP on September 24, 2014, in Secure Purdue News.