A bug in GNU Bash affecting all versions through to 4.3 allowing remote code execution (RCE) on all vulnerable flavours of *NIX. The vulnerability allows the attacker to execute arbitrary code on a remote system via a crafted environment variables.
CVSS v2 Base Score: 10.0 (HIGH)
Impact Subscore: 10.0
Exploitability Subscore: 10.0
Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required
Impact Type: Allows unauthorised disclosure of information; Allows unauthorised modification; Allows unauthorised disruption of service
Update – 2014.09.29 22:34 UTC
Update – 2014.09.26 19:00 UTC
The following statement was released by Apple on Friday, “OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services, we are working to quickly provide a software update for our advanced UNIX users.”
Update – 2014.09.26 09:20 UTC
First signs of serious offenders using the bash bug, next 12 hours record backdoors, bots, casual system break-ins and data breach scripts. These attacks seem to originate from Russia, USA, China, South Korea (day forward advantage), Turkey. Time to watch out for high impact payloads.
Update – 2014.09.26 05.30 UTC
Patches released on Wednesday by the upstream maintainer of Bash, Linux vendors and others for OS X, blocked these early attacks, but it’s now understood they do not completely protect Bash from code injection via environment variables.
Update – 2014.09.26 02:30 UTC
Fedora has also released a patched version of Bash that fixes CVE-2014-7169. Additional information can be found on Fedora Magazine.
Update – 2014.09.26 02:10 UTC
Red Hat has released patched versions of Bash that fix CVE-2014-7169. Information regarding these updates can be found in the errata. All customers are strongly encouraged to apply the update as this flaw is being actively attacked in the wild.
Update – 2014.09.25 18:00 UTC
CNAM – released custom detection signatures and the related correlation modules to detect the event. All injections into the environment variable via known channels are being monitored using DPI modules.
Update – 2014.09.25 16:00 UTC
Red Hat is aware that the patch for CVE-2014-6271 is incomplete. An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions. The new issue has been assigned CVE-2014-7169.
Please note that while CVE-2014-6271 has been patched, CVE-2014-7169 isn’t. A fix is still pending.
Update – 2014.09.24
Bug reported in GNU Bash affecting all versions to 4.3 [link]
© 2015-2016 All Rights Reserved. NETMONASTERY™ and CNAM™ is a registered trademark of NETMONASTERY NSPL.