
Critical Bash Vulnerability Leaves Systems Open to Attack

A vulnerability (CVE-2014-6271) has been discovered in the GNU Bourne Again Shell (bash) that can be exploited to execute code.


The flaw was discovered by Stephane Chazelas, and is related to how bash evaluates specially-crafted environment variables.

A large number of programs on Linux and other UNIX systems use bash to set up environment variables that are then used while executing other programs, explained Jim Reavis, CEO of the Cloud Security Alliance (CSA).

“Examples of this include Web servers running CGI scripts and even email clients and web clients that pass files to external programs for display such as a video file or a sound file,” he blogged. “In short this vulnerability allows attackers to cause arbitrary command execution, remotely, for example by setting headers in a web request, or by setting weird mime types for example.”

Patches are being rolled out by the major Linux distributors, including Red Hat (Red Hat Enterprise Linux versions 4 through 7 and Fedora); CentOS versions 5 through 7; Debian and Ubuntu 10.04 LTS, 12.04 LTS and 14.04 LTS.

In Linux, environment variables provide a way to influence the behavior of software on the system, blogged Huzaifa Sidhpurwala, security engineer at Red Hat.

“The same is true of the bash shell. It is common for a lot of programs to run bash shell in the background,” Sidhpurwala noted. “It is often used to provide a shell to a remote user (via ssh, telnet, for example), provide a parser for CGI scripts (Apache, etc) or even provide limited command execution support (git, etc). Coming back to the topic, the vulnerability arises from the fact that you can create environment variables with specially-crafted values before calling the bash shell. These variables can contain code, which gets executed as soon as the shell is invoked. The name of these crafted variables does not matter, only their contents.”

The patch used to fix this flaw ensures no code is allowed after the end of a bash function, Sidhpurwala blogged.
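The condition Sidhpurwala describes can be checked for on the defensive side. The following Python sketch is an added example, not code from Red Hat or from the original article: it flags environment values that begin with a bash function definition (`() {`) and reports whether any text follows the end of the function body. The variable names, the sample CGI environment and the naive brace matching are assumptions made for illustration.

```python
# Heuristic audit of environment values for bash function definitions.
# Brace matching is naive (quoting is ignored), so treat results as a
# triage signal, not a parser-accurate verdict.

FUNC_PREFIX = "() {"  # a value starting this way is read by bash as a function


def classify(value: str) -> str:
    """Return 'clean', 'function' or 'function+trailing' for one value."""
    if not value.startswith(FUNC_PREFIX):
        return "clean"
    depth = 0
    for i in range(len(FUNC_PREFIX) - 1, len(value)):
        ch = value[i]
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                # Anything after the closing brace is what the patch rejects.
                rest = value[i + 1:].strip()
                return "function+trailing" if rest else "function"
    # Body never closes: malformed definition, report as suspicious.
    return "function+trailing"


def scan(variables: dict) -> dict:
    """Map each non-clean variable name to its verdict."""
    verdicts = {name: classify(value) for name, value in variables.items()}
    return {name: v for name, v in verdicts.items() if v != "clean"}


# Constructed sample: request headers as a CGI server exports them (HTTP_*).
SAMPLE_CGI_ENV = {
    "HTTP_USER_AGENT": "Mozilla/5.0 (X11; Linux x86_64)",
    "HTTP_ACCEPT": "text/html",
    "HTTP_REFERER": "() { :; }; echo MARKER",
    "HTTP_COOKIE": "() { :; }",
    "QUERY_STRING": "id=7",
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_CGI_ENV).items():
        print(f"{name}: {verdict}")
```

Passing `dict(os.environ)` to `scan` audits the environment of a running process in the same way; any hit in a request-derived variable is worth investigating regardless of patch level.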

Bash is a popular shell, and is available on other flavors of UNIX besides Linux, noted Garve Hays, solutions architect at NetIQ. The vulnerability, he added, could also have a “long tail” effect in that not all servers will get updated and will remain exposed.

Attackers can use this vulnerability to attack a variety of devices and web servers and take over the operating system, make changes or perform other actions, said Tod Beardsley, engineering manager at Rapid7.

“It’s rated a 10 for severity, meaning it has maximum impact, and ‘low’ for complexity of exploitation – meaning it’s pretty easy for attackers to use it,” Beardsley said in a statement.

“The affected software, bash, is widely used so attackers can use this vulnerability to remotely execute a huge variety of devices and web servers,” he continued.

“Anybody with systems using bash needs to deploy the patch immediately,” Beardsley said.
