CVE-2014-6271 | AttackerKB

Description

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka “ShellShock.” NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

9.8 Critical

Impact Score:

5.9

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Metasploit Modules

Dhclient Bash Environment Variable Injection (Shellshock) (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/dhcp/bash_environment.rb)

DHCP Client Bash Environment Variable Code Injection (Shellshock) (https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/server/dhclient_bash_env.rb)

CUPS Filter Bash Environment Variable Code Injection (Shellshock) (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/cups_bash_env_exec.rb)

OS X VMWare Fusion Privilege Escalation via Bash Environment Code Injection (Shellshock) (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/osx/local/vmware_bash_function_root.rb)

Advantech Switch Bash Environment Variable Code Injection (Shellshock) (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/advantech_switch_bash_env_exec.rb)

Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner (https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/apache_mod_cgi_bash_env.rb)

IPFire Bash Environment Variable Injection (Shellshock) (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/ipfire_bashbug_exec.rb)

Pure-FTPd External Authentication Bash Environment Variable Code Injection (Shellshock) (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/ftp/pureftpd_bash_env_exec.rb)

Apache mod_cgi Bash Environment Variable Code Injection (Shellshock) (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/apache_mod_cgi_bash_env_exec.rb)

Qmail SMTP Bash Environment Variable Injection (Shellshock) (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/smtp/qmail_bash_env_exec.rb)

Exploited in the Wild

Reported by:

AttackerKB Worker

Reported: September 25, 2020 8:39pm UTC (1 year ago)

gwillcox-r7 indicated source as Other: IBM Threat Index 2021 - Most Exploited Bugs of 2020 (https://www.ibm.com/downloads/cas/M1X3B7QG)

Reported: January 19, 2022 5:47pm UTC (5 months ago)

mkienow-r7 indicated source as Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)

Reported: January 29, 2022 12:25am UTC (4 months ago)

References

Canonical

CVE-2014-6271 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271)

BID-70103 (http://www.securityfocus.com/bid/70103)

Advisory

EXPLOIT-DB-37816 (https://www.exploit-db.com/exploits/37816)

http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00034.html

http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004897

http://www-01.ibm.com/support/docview.wss?uid=swg21685749

HPSBMU03165 (http://marc.info?l=bugtraq&m=141577137423233&w=2)

SSRT101816 (http://marc.info?l=bugtraq&m=142719845423222&w=2)

EXPLOIT-DB-39918 (https://www.exploit-db.com/exploits/39918)

HPSBHF03119 (http://marc.info?l=bugtraq&m=141216668515282&w=2)

http://rhn.redhat.com/errata/RHSA-2014-1295.html

http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00037.html

https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk102673&src=securityAlerts

HPSBST03131 (http://marc.info?l=bugtraq&m=141383138121313&w=2)

SSRT101819 (http://marc.info?l=bugtraq&m=142721162228379&w=2)

20141001 NEW VMSA-2014-0010 - VMware product updates address critical Bash security vulnerabilities (http://www.securityfocus.com/archive/1/533593/100/0/threaded)

HPSBMU03245 (http://marc.info?l=bugtraq&m=142358026505815&w=2)

http://www-01.ibm.com/support/docview.wss?uid=swg21686084

http://www-01.ibm.com/support/docview.wss?uid=swg21686479

SECUNIA-61188 (http://secunia.com/advisories/61188)

http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0

JVN#55667175 (http://jvn.jp/en/jp/JVN55667175/index.html)

SECUNIA-61676 (http://secunia.com/advisories/61676)

EXPLOIT-DB-40619 (https://www.exploit-db.com/exploits/40619)

http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00044.html

SECUNIA-60433 (http://secunia.com/advisories/60433)

EXPLOIT-DB-38849 (https://www.exploit-db.com/exploits/38849)

HPSBMU03143 (http://marc.info?l=bugtraq&m=141383026420882&w=2)

HPSBMU03182 (http://marc.info?l=bugtraq&m=141585637922673&w=2)

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10673

http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00049.html

HPSBST03155 (http://marc.info?l=bugtraq&m=141576728022234&w=2)

http://www-01.ibm.com/support/docview.wss?uid=swg21685541

SECUNIA-61715 (http://secunia.com/advisories/61715)

http://www.oracle.com/technetwork/topics/security/bashcve-2014-7169-2317675.html

SECUNIA-61816 (http://secunia.com/advisories/61816)

http://lists.opensuse.org/opensuse-updates/2014-10/msg00025.html

SECUNIA-61442 (http://secunia.com/advisories/61442)

HPSBMU03246 (http://marc.info?l=bugtraq&m=142358078406056&w=2)

HPSBST03195 (http://marc.info?l=bugtraq&m=142805027510172&w=2)

SECUNIA-61283 (http://secunia.com/advisories/61283)

SSRT101711 (http://marc.info?l=bugtraq&m=142113462216480&w=2)

USN-2362-1 (http://www.ubuntu.com/usn/USN-2362-1)

https://kc.mcafee.com/corporate/index?page=content&id=SB10085

http://lists.opensuse.org/opensuse-updates/2014-10/msg00023.html

SECUNIA-61654 (http://secunia.com/advisories/61654)

SECUNIA-61542 (http://secunia.com/advisories/61542)

http://www.novell.com/support/kb/doc.php?id=7015701

http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5096315

SECUNIA-62312 (http://secunia.com/advisories/62312)

SECUNIA-59272 (http://secunia.com/advisories/59272)

HPSBST03122 (http://marc.info?l=bugtraq&m=141319209015420&w=2)

https://support.f5.com/kb/en-us/solutions/public/15000/600/sol15629.html

HPSBMU03217 (http://marc.info?l=bugtraq&m=141879528318582&w=2)

http://www-01.ibm.com/support/docview.wss?uid=swg21685604

SSRT101868 (http://marc.info?l=bugtraq&m=142118135300698&w=2)

SECUNIA-61703 (http://secunia.com/advisories/61703)

http://support.apple.com/kb/HT6495

VU#252743 (http://www.kb.cert.org/vuls/id/252743)

SECUNIA-61065 (http://secunia.com/advisories/61065)

http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00029.html

HPSBST03129 (http://marc.info?l=bugtraq&m=141383196021590&w=2)

HPSBMU03144 (http://marc.info?l=bugtraq&m=141383081521087&w=2)

http://www-01.ibm.com/support/docview.wss?uid=swg21686445

http://www-01.ibm.com/support/docview.wss?uid=swg21686131

JVNDB-2014-000126 (http://jvndb.jvn.jp/jvndb/JVNDB-2014-000126)

TA14-268A (http://www.us-cert.gov/ncas/alerts/TA14-268A)

http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00028.html

SECUNIA-61641 (http://secunia.com/advisories/61641)

https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10648

https://access.redhat.com/node/1200223

http://lists.opensuse.org/opensuse-security-announce/2014-10/msg00004.html

http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004898

APPLE-SA-2014-10-16-1 (http://archives.neohapsis.com/archives/bugtraq/2014-10/0101.html)

http://www-01.ibm.com/support/docview.wss?uid=swg21685914

20141001 FW: NEW VMSA-2014-0010 - VMware product updates address critical Bash security vulnerabilities (http://seclists.org/fulldisclosure/2014/Oct/0)

http://www.mandriva.com/security/advisories?name=MDVSA-2015:164

http://rhn.redhat.com/errata/RHSA-2014-1293.html

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c04497075

http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00040.html

SECUNIA-60325 (http://secunia.com/advisories/60325)

https://help.ecostruxureit.com/display/public/UADCO8x/StruxureWare+Data+Center+Operation+Software+Vulnerability+Fixes

SECUNIA-60024 (http://secunia.com/advisories/60024)

EXPLOIT-DB-34879 (https://www.exploit-db.com/exploits/34879)

https://access.redhat.com/articles/1200223

SECUNIA-62343 (http://secunia.com/advisories/62343)

SECUNIA-61565 (http://secunia.com/advisories/61565)

https://www.suse.com/support/shellshock

HPSBST03157 (http://marc.info?l=bugtraq&m=141450491804793&w=2)

SECUNIA-61313 (http://secunia.com/advisories/61313)

SECUNIA-61873 (http://secunia.com/advisories/61873)

SECUNIA-61485 (http://secunia.com/advisories/61485)

SECUNIA-60947 (http://secunia.com/advisories/60947)

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c04518183

https://support.apple.com/kb/HT6535

HPSBST03154 (http://marc.info?l=bugtraq&m=141577297623641&w=2)

HPSBST03265 (http://marc.info?l=bugtraq&m=142546741516006&w=2)

http://www-01.ibm.com/support/docview.wss?uid=isg3T1021272

HPSBGN03142 (http://marc.info?l=bugtraq&m=141383244821813&w=2)

SECUNIA-61312 (http://secunia.com/advisories/61312)

SECUNIA-60193 (http://secunia.com/advisories/60193)

http://www.vmware.com/security/advisories/VMSA-2014-0010.html

http://linux.oracle.com/errata/ELSA-2014-1294.html

SECUNIA-60063 (http://secunia.com/advisories/60063)

SECUNIA-60034 (http://secunia.com/advisories/60034)

HPSBMU03133 (http://marc.info?l=bugtraq&m=141330425327438&w=2)

SECUNIA-59907 (http://secunia.com/advisories/59907)

SECUNIA-58200 (http://secunia.com/advisories/58200)

HPSBST03181 (http://marc.info?l=bugtraq&m=141577241923505&w=2)

SECUNIA-61643 (http://secunia.com/advisories/61643)

http://www.novell.com/support/kb/doc.php?id=7015721

http://www-01.ibm.com/support/docview.wss?uid=swg21687079

SECUNIA-61503 (http://secunia.com/advisories/61503)

http://www-01.ibm.com/support/docview.wss?uid=swg21686246

http://rhn.redhat.com/errata/RHSA-2014-1354.html

EXPLOIT-DB-40938 (https://www.exploit-db.com/exploits/40938)

HPSBGN03117 (http://marc.info?l=bugtraq&m=141216207813411&w=2)

http://support.novell.com/security/cve/CVE-2014-6271.html

http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004915

SECUNIA-61547 (http://secunia.com/advisories/61547)

HPSBHF03145 (http://marc.info?l=bugtraq&m=141383465822787&w=2)

http://www.qnap.com/i/en/support/con_show.php?cid=61

HPSBST03148 (http://marc.info?l=bugtraq&m=141694386919794&w=2)

SECUNIA-61552 (http://secunia.com/advisories/61552)

SECUNIA-61780 (http://secunia.com/advisories/61780)

http://www-01.ibm.com/support/docview.wss?uid=isg3T1021279

https://support.citrix.com/article/CTX200223

DSA-3032 (http://www.debian.org/security/2014/dsa-3032)

http://www-01.ibm.com/support/docview.wss?uid=swg21686447

SECUNIA-62228 (http://secunia.com/advisories/62228)

HPSBGN03138 (http://marc.info?l=bugtraq&m=141330468527613&w=2)

SECUNIA-61855 (http://secunia.com/advisories/61855)

HPSBHF03124 (http://marc.info?l=bugtraq&m=141235957116749&w=2)

SECUNIA-60044 (http://secunia.com/advisories/60044)

SECUNIA-61291 (http://secunia.com/advisories/61291)

http://rhn.redhat.com/errata/RHSA-2014-1294.html

HPSBHF03125 (http://marc.info?l=bugtraq&m=141345648114150&w=2)

SECUNIA-59737 (http://secunia.com/advisories/59737)

SECUNIA-61287 (http://secunia.com/advisories/61287)

HPSBHF03146 (http://marc.info?l=bugtraq&m=141383353622268&w=2)

https://bugzilla.redhat.com/show_bug.cgi?id=1141597

SECUNIA-61711 (http://secunia.com/advisories/61711)

http://www-01.ibm.com/support/docview.wss?uid=isg3T1021361

HPSBGN03141 (http://marc.info?l=bugtraq&m=141383304022067&w=2)

http://advisories.mageia.org/MGASA-2014-0388.html

SECUNIA-61128 (http://secunia.com/advisories/61128)

https://support.citrix.com/article/CTX200217

SECUNIA-61471 (http://secunia.com/advisories/61471)

SECUNIA-60055 (http://secunia.com/advisories/60055)

20140926 GNU Bash Environmental Variable Command Injection Vulnerability (http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash)

SECUNIA-61550 (http://secunia.com/advisories/61550)

SECUNIA-61633 (http://secunia.com/advisories/61633)

http://linux.oracle.com/errata/ELSA-2014-1293.html

http://www-01.ibm.com/support/docview.wss?uid=swg21686494

https://kb.bluecoat.com/index?page=content&id=SA82

SECUNIA-61328 (http://secunia.com/advisories/61328)

http://www-01.ibm.com/support/docview.wss?uid=swg21685733

EXPLOIT-DB-42938 (https://www.exploit-db.com/exploits/42938)

SECUNIA-61129 (http://secunia.com/advisories/61129)

SECUNIA-61700 (http://secunia.com/advisories/61700)

SECUNIA-61603 (http://secunia.com/advisories/61603)

SECUNIA-61857 (http://secunia.com/advisories/61857)

http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004879

EXPLOIT-DB-37816 (https://www.exploit-db.com/exploits/37816/)

HPSBMU03165 (http://marc.info/?l=bugtraq&m=141577137423233&w=2)

SSRT101816 (http://marc.info/?l=bugtraq&m=142719845423222&w=2)

EXPLOIT-DB-39918 (https://www.exploit-db.com/exploits/39918/)

HPSBHF03119 (http://marc.info/?l=bugtraq&m=141216668515282&w=2)

https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

HPSBST03131 (http://marc.info/?l=bugtraq&m=141383138121313&w=2)

SSRT101819 (http://marc.info/?l=bugtraq&m=142721162228379&w=2)

HPSBMU03245 (http://marc.info/?l=bugtraq&m=142358026505815&w=2)

EXPLOIT-DB-40619 (https://www.exploit-db.com/exploits/40619/)

EXPLOIT-DB-38849 (https://www.exploit-db.com/exploits/38849/)

HPSBMU03143 (http://marc.info/?l=bugtraq&m=141383026420882&w=2)

HPSBMU03182 (http://marc.info/?l=bugtraq&m=141585637922673&w=2)

HPSBST03155 (http://marc.info/?l=bugtraq&m=141576728022234&w=2)

HPSBMU03246 (http://marc.info/?l=bugtraq&m=142358078406056&w=2)

HPSBST03195 (http://marc.info/?l=bugtraq&m=142805027510172&w=2)

SSRT101711 (http://marc.info/?l=bugtraq&m=142113462216480&w=2)

HPSBST03122 (http://marc.info/?l=bugtraq&m=141319209015420&w=2)

HPSBMU03217 (http://marc.info/?l=bugtraq&m=141879528318582&w=2)

SSRT101868 (http://marc.info/?l=bugtraq&m=142118135300698&w=2)

HPSBST03129 (http://marc.info/?l=bugtraq&m=141383196021590&w=2)

HPSBMU03144 (http://marc.info/?l=bugtraq&m=141383081521087&w=2)

EXPLOIT-DB-34879 (https://www.exploit-db.com/exploits/34879/)

https://www.suse.com/support/shellshock/

HPSBST03157 (http://marc.info/?l=bugtraq&m=141450491804793&w=2)

HPSBST03154 (http://marc.info/?l=bugtraq&m=141577297623641&w=2)

HPSBST03265 (http://marc.info/?l=bugtraq&m=142546741516006&w=2)

HPSBGN03142 (http://marc.info/?l=bugtraq&m=141383244821813&w=2)

HPSBMU03133 (http://marc.info/?l=bugtraq&m=141330425327438&w=2)

HPSBST03181 (http://marc.info/?l=bugtraq&m=141577241923505&w=2)

EXPLOIT-DB-40938 (https://www.exploit-db.com/exploits/40938/)

HPSBGN03117 (http://marc.info/?l=bugtraq&m=141216207813411&w=2)

HPSBHF03145 (http://marc.info/?l=bugtraq&m=141383465822787&w=2)

HPSBST03148 (http://marc.info/?l=bugtraq&m=141694386919794&w=2)

HPSBGN03138 (http://marc.info/?l=bugtraq&m=141330468527613&w=2)

HPSBHF03124 (http://marc.info/?l=bugtraq&m=141235957116749&w=2)

HPSBHF03125 (http://marc.info/?l=bugtraq&m=141345648114150&w=2)

HPSBHF03146 (http://marc.info/?l=bugtraq&m=141383353622268&w=2)

HPSBGN03141 (http://marc.info/?l=bugtraq&m=141383304022067&w=2)

EXPLOIT-DB-42938 (https://www.exploit-db.com/exploits/42938/)

Miscellaneous

http://packetstormsecurity.com/files/128517/VMware-Security-Advisory-2014-0010.html

http://packetstormsecurity.com/files/137376/IPFire-Bash-Environment-Variable-Injection-Shellshock.html

http://packetstormsecurity.com/files/128567/CA-Technologies-GNU-Bash-Shellshock.html

http://packetstormsecurity.com/files/128573/Apache-mod_cgi-Remote-Command-Execution.html

http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html

http://packetstormsecurity.com/files/161107/SonicWall-SSL-VPN-Shellshock-Remote-Code-Execution.html

https://www.arista.com/en/support/advisories-notices/security-advisories/1008-security-advisory-0006

Rapid7

Technical Analysis