GNU Bash up to and including 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote malicious users to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.
Vulnerable Product |
---|
gnu bash 1.14.3 |
gnu bash 1.14.5 |
gnu bash 2.02.1 |
gnu bash 2.04 |
gnu bash 3.0.16 |
gnu bash 3.2 |
gnu bash 1.14.0 |
gnu bash 1.14.1 |
gnu bash 2.05 |
gnu bash 3.0 |
gnu bash 1.14.7 |
gnu bash 2.0 |
gnu bash 2.01 |
gnu bash 2.01.1 |
gnu bash 4.0 |
gnu bash 4.1 |
gnu bash 4.2 |
gnu bash 1.14.2 |
gnu bash 1.14.4 |
gnu bash 1.14.6 |
gnu bash 2.02 |
gnu bash 2.03 |
gnu bash 3.1 |
gnu bash 3.2.48 |
gnu bash 4.3 |
In July we published our in-depth analysis into a targeted attack campaign that we dubbed ‘Crouching Yeti’. This campaign is also known as ‘Energetic Bear’. This campaign, which has been active since late 2010, has so far targeted the following sectors: industrial/machinery, manufacturing, pharmaceutical, construction, education and information technology. So far there have been more than 2,800 victims worldwide, and we have been able to identify 101 different organisatio...
It's 2014 and some people are still using default user names and passwords
Malware writers have crafted new wares to attack embedded devices running BusyBox and not yet patched against the ShellShock vulnerability, researcher Rhena Inocencio says. Miscreants' tool of choice for such attacks is malware called "Bashlite" that, once executed on a victim machine, probes for devices such as routers and Android phones running BusyBox to brute force logins through a preset list of usernames and passwords. Trend Micro's Inocencio said the variant would download and run bin.sh ...
'Okay we got it THIS time'
A third patch, from Red Hat engineer Florian Weimer, has been released for the vulnerable Bash Unix command-line interpreter, closing off flaws found in two previous fixes. Weimer's unofficial fix was adopted upstream by Bash project maintainer Chet Ramey and released as Bash-4.3 Official Patch 27 (bash43-027) which addressed a bunch of previously undisclosed flaws including two remote exploit bugs. The first patch (CVE-2014-6271) released Wednesday when the Shellshock flaw dropped was rapidly b...
CloudPassage points to 'pervasive' threat of Bash bug
The majority of Fortune 1000 and Global 2000 companies have already deployed, or are now deploying, Shellshock patches to fend off code attacks, according to cloud security firm CloudPassage. The Shellshock vulnerability allows remote attackers to execute arbitrary code on servers using a variety of techniques, with the CVE-2014-6271 weakness in the Bourne-Again Shell (Bash) affecting most Unix and Linux-based systems. "The Shellshock vulnerability is one of the most pervasive threats we’ve se...
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Oracle has confirmed that at least 32 of its products are affected by the vulnerability recently discovered in the Bash command-line interpreter – aka the "Shellshock" bug – including some of the company's pricey integrated hardware systems. The database giant issued a security alert regarding the issue on Friday, warning that many Oracle customers will have to wait awhile longer to receive patches. "Oracle is still investigating this issue and will provide fixes for affected products as soo...
Shortly after disclosure of the Bash bug called “Shellshock” we saw the first attempts by criminals to take advantage of this widespread vulnerability also known as CVE-2014-6271. The most recent attempts we see to gain control of webservers just create a new instance of bash and redirect it to a remote server listening on a specific TCP port. This is also known as a reverse-connect-shell. Here’s an example of how this attack appears in a webserver logfile: The attacker listens on IP ...
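As an added example (not part of this record or of the article excerpted above), the following Python shows how an exploitation attempt of the kind the excerpt describes can be picked out of an Apache combined-format access log: Bash treats an environment variable whose value starts with `() {` as a function definition, so a probe against a CGI script has to place that prefix in a request header the web server copies into the environment (User-Agent, Referer and the like). The scanner flags any logged field carrying that prefix. The log lines, IP addresses and field names are constructed for the example.

```python
import re
from dataclasses import dataclass

# Bash parses an environment value beginning with "() {" as an exported
# function; CVE-2014-6271 is the execution of whatever trails the closing
# brace. A request that carries this prefix in a header is the signature
# of a Shellshock probe regardless of which command follows it.
SHELLSHOCK_MARKER = re.compile(r"\(\)\s*\{")

# Apache "combined" format:
#   host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


@dataclass
class Hit:
    host: str
    time: str
    field: str   # which logged field carried the marker
    value: str   # the offending field content, for the analyst


def scan_line(line):
    """Return a Hit if the line is a Shellshock probe, else None.

    Lines that do not parse as combined format are skipped rather than
    guessed at, so a malformed line never produces a false positive.
    """
    m = COMBINED_RE.match(line)
    if not m:
        return None
    for field in ("request", "referer", "agent"):
        if SHELLSHOCK_MARKER.search(m.group(field)):
            return Hit(m.group("host"), m.group("time"), field, m.group(field))
    return None


def scan_log(lines):
    """Scan an iterable of log lines and return the probes found, in order."""
    return [hit for hit in (scan_line(line) for line in lines) if hit]


# Constructed sample log (hypothetical hosts from the documentation ranges):
# two probes (one via User-Agent, one via Referer) and two benign requests.
# The benign fourth line contains a brace but no "()" before it, which must
# not trigger the marker.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 512 "-" "() { :; }; echo vulnerable"',
    '198.51.100.3 - - [25/Sep/2014:10:12:05 +0000] "GET /index.html HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [25/Sep/2014:10:13:40 +0000] "GET /cgi-bin/test.cgi HTTP/1.0" '
    '404 0 "() { x; }; echo probe" "curl/7.37.0"',
    '192.0.2.44 - - [25/Sep/2014:10:14:02 +0000] "GET /robots.txt HTTP/1.1" '
    '200 64 "-" "Mozilla/5.0 (compatible; {bot})"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.time} {hit.host} probe in {hit.field}: {hit.value!r}")
```

The marker regex is deliberately loose about whitespace because Bash itself accepts `(){` as well as `() {`; matching on the prefix rather than on any particular trailing command is what keeps the rule useful against variants such as the reverse-connect shell mentioned above. Running the scanner over real logs is a retrospective check only; it says nothing about whether the probe succeeded, which depends on the Bash version behind the CGI gateway.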
UK data watchdog rolls up its sleeves, polishes truncheon
Updated The UK's privacy watchdog is urging organisations to protect their systems against the infamous Shellshock vulnerability in Bash – even though the full scope of the security bug remains unclear. The Shellshock flaw affects Bash up to and including version 4.3. It's a vital component of many Linux and Unix systems, as well as networking kit and embedded devices. It's also present in the latest versions of Apple's OS X for Macs. The flaw allows hackers to execute arbitrary code smuggled ...
The “bash” vulnerability, actually described as CVE-2014-6271, is an extremely powerful vulnerability due to its high impact and the ease with which it can be exploited. An attacker can simply execute system level commands, with the same privileges as the affected services. In most of the examples on the Internet right now, attackers are remotely attacking web servers hosting CGI scripts that have been written in bash or pass values to shell scripts. At the time of writing, the vulnerability...
Update your gear now to avoid early attacks hitting the web
Sysadmins and users have been urged to patch the severe Shellshock vulnerability in Bash on Linux and Unix systems – as hackers ruthlessly exploit the flaw to compromise or crash computers. But as "millions" of servers, PCs and devices lay vulnerable or are being updated, it's emerged the fix is incomplete. The flaw affects the GNU Bourne Again Shell – better known as Bash – which is a widely installed command interpreter used by many Linux and Unix operating systems – including Apple's ...
CGI scripts to DHCP clients hit by Heartbleed-grade remote-code exec vuln
Updated A bug discovered in the widely used Bash command interpreter poses a critical security risk to Unix and Linux systems – and, thanks to their ubiquity, the internet at large. It lands countless websites, servers, PCs, OS X Macs, various home routers, and more, in danger of hijacking by hackers. The vulnerability is present in Bash up to and including version 4.3, and was discovered by Stephane Chazelas. It puts Apache web servers, in particular, at risk of compromise: CGI scripts that u...