Patches are available for a command injection vulnerability in the Bourne-again shell (bash). Bash is the common command-line shell used in most Linux/Unix-based operating systems and Apple’s Mac OS X, according to a report on ICS-CERT.
The flaw could allow an attacker to remotely execute shell commands by embedding malicious code in environment variables that the operating system passes to bash. Industrial control systems running embedded versions of Linux may not be field upgradeable; they are of particular concern and may require alternate mitigation.
Major Linux vendors have released patches for the affected versions; however, the fixes for CVE-2014-6271 do not completely resolve the vulnerability. Users should install the existing patches and watch for updated patches that address CVE-2014-7169.
Exploits that target this remotely exploitable vulnerability are publicly available.
As bash is a third-party component, asset owners, operators, and SCADA product developers should investigate the use of the affected versions of bash in their environments.
The following bash versions suffer from the issue:
- GNU bash versions 1.14 to 4.3
- Linux, BSD, and UNIX distributions, including but not limited to:
  - Mac OS X
  - Red Hat Enterprise
An exploit using this vulnerability could allow an attacker to remotely execute arbitrary commands.
This vulnerability has an industry classification of “High” impact, with a CVSS Impact Subscore of 10, and “Low” complexity, which means it takes little skill to perform. The flaw allows attackers to supply specially crafted environment variables containing arbitrary commands that then execute on vulnerable systems. It is especially dangerous because bash is so widely deployed and can be invoked by an application in numerous ways.
Bash is a command processor that lets users type commands interactively or run stored commands from a script. Originally written as a Unix shell by Brian Fox for the GNU project, it has become the default shell on Linux and Mac OS X. Various product adaptations have brought this shell to Microsoft Windows (Cygwin and MinGW), DOS, Novell NetWare, and Android. Bash supports wildcards in file names, piping, variables, command substitution, and condition testing.
GNU bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment. OpenSSH, Apache HTTP Server, and DHCP clients could be particularly vulnerable.
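The behaviour described above can be confirmed on your own systems with a local self-test. The script below is an added example, not part of the ICS-CERT advisory: it assumes a bash binary on PATH (or a path passed as the first argument), defines a harmless no-op function in an environment variable with the string "echo vulnerable" trailing the function body, and reports whether the bash under test executed that trailing string.

```shell
#!/bin/sh
# Added example: local self-test for the CVE-2014-6271 behaviour.
# Not from the ICS-CERT advisory. Assumes a bash binary on PATH
# (or a path passed as $1); everything else is constructed here.
#
# Bash imports a function from any environment variable whose value
# starts with "() {". Unpatched builds kept parsing after the closing
# brace and executed whatever trailed the function body. The crafted
# value below defines a no-op function followed by the trailing string
# "echo vulnerable"; a patched bash ignores that trailing string.

shellshock_check() {
    bash_bin="${1:-bash}"          # binary under test (default: bash on PATH)
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "bash-not-found"
        return 2
    fi
    # Run a trivial command under the crafted environment. Only stdout is
    # captured: the trailing string, if executed, prints there, while a
    # patched bash reports "ignoring function definition attempt" on stderr.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        *)            echo "patched";    return 0 ;;
    esac
}

# Usage: sh shellshock_check.sh [/path/to/bash]
shellshock_check "${1:-bash}"
```

A "patched" result only covers the original CVE-2014-6271 parsing bug; it says nothing about CVE-2014-7169 or later follow-up fixes, so the vendor's updated package version, not this test alone, is the authority on whether a host is fully remediated. On embedded ICS devices, point the script at the actual bash binary the product ships (for example via a service shell or firmware image) rather than at a build-host bash.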
CVE-2014-6271 is the identifier assigned to this vulnerability; it has a CVSS v2 base score of 10.0.
There are several functional mitigations for this vulnerability including upgrading to a new version of bash, replacing bash with an alternate shell, limiting access to vulnerable services, and/or filtering inputs to vulnerable services.
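Where a vulnerable service cannot be upgraded immediately, filtering and monitoring its inputs is the remaining option. The script below is an added example, not part of the ICS-CERT advisory, of the monitoring side: it scans web server access log lines for the bash function-definition prefix "() {" arriving in a client-controlled header that a CGI handler would copy into the environment. The log lines are constructed sample data; the function names are the author's own.

```shell
#!/bin/sh
# Added example: scanning a web server access log for Shellshock-style
# probes, as one form of the input filtering/monitoring the advisory
# mentions. Not from the ICS-CERT advisory. The log lines are constructed
# sample data; the detection signature is the bash function-definition
# prefix "() {" appearing in a client-controlled header (User-Agent,
# Referer, Cookie) that a CGI handler would copy into bash's environment.

# Constructed Apache combined-format lines: a probe in User-Agent, a benign
# request, a probe in Referer, and a header that merely resembles a function
# definition (still worth a look, so the scan flags it too).
SAMPLE_LOG='192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo PROBE"
192.0.2.11 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.12 - - [25/Sep/2014:10:02:17 +0000] "GET /cgi-bin/report HTTP/1.1" 200 128 "() {:;}; echo PROBE" "curl/7.37.0"
192.0.2.13 - - [25/Sep/2014:10:03:00 +0000] "GET /about HTTP/1.1" 404 0 "-" "() { test; }"'

# Regex: "(" ")" followed by optional spaces and "{". Bash itself only
# imports values that begin exactly with "() {", but the looser pattern
# also catches whitespace variants that would otherwise slip past a scan.
PROBE_RE='\(\) *\{'

# Print every log line carrying the signature (reads $SAMPLE_LOG, or a
# file given as $1).
list_probe_lines() {
    if [ -n "${1:-}" ]; then
        grep -E "$PROBE_RE" "$1"
    else
        printf '%s\n' "$SAMPLE_LOG" | grep -E "$PROBE_RE"
    fi
}

# Count matching lines; prints 0 when there are none.
count_probe_lines() {
    list_probe_lines "${1:-}" | grep -c .
}

# Distinct client addresses that sent a probe (first field of each line).
probe_sources() {
    list_probe_lines "${1:-}" | cut -d' ' -f1 | sort -u
}

count_probe_lines   # prints 3 for the sample data
probe_sources
```

Run it against a real log with `sh scan.sh /var/log/apache2/access.log`. The same regex can be used as a reject rule in a reverse proxy or web application firewall placed in front of a CGI service that cannot be patched, which is the "filtering inputs" mitigation the advisory lists; it narrows exposure but does not replace the bash update, since any other path that places untrusted data in bash's environment (DHCP client hooks, SSH forced commands) is not covered by an HTTP-layer filter.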
Many UNIX-like operating systems, including Linux distributions, BSD variants, and Apple Mac OS X, include bash and are likely to suffer from the issue.