[LACNIC/Seguridad] Fwd: TA14-268A: GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271,CVE-2014-7169)

Fernando Gont fernando en gont.com.ar
Thu Sep 25 16:50:46 BRT 2014


FYI


-------- Forwarded Message --------
Subject: 	TA14-268A: GNU Bourne Again Shell (Bash) ‘Shellshock’
Vulnerability (CVE-2014-6271,CVE-2014-7169)
Date: 	Thu, 25 Sep 2014 14:10:57 -0500
From: 	US-CERT <US-CERT en ncas.us-cert.gov>
Reply-To: 	US-CERT en ncas.us-cert.gov
To: 	fernando en gont.com.ar



TA14-268A: GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability
(CVE-2014-6271,CVE-2014-7169)

NCCIC / US-CERT

National Cyber Awareness System:

TA14-268A: GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability
(CVE-2014-6271,CVE-2014-7169)
<https://www.us-cert.gov/ncas/alerts/TA14-268A>
09/25/2014 12:56 PM EDT

Original release date: September 25, 2014


      Systems Affected

  * GNU Bash through 4.3.
  * Linux, BSD, and UNIX distributions including but not limited to:
      o CentOS
        <http://lists.centos.org/pipermail/centos/2014-September/146099.html>
        5 through 7
      o Debian
        <https://lists.debian.org/debian-security-announce/2014/msg00220.html>
      o Mac OS X
      o Red Hat Enterprise Linux 4 through 7
      o Ubuntu <http://www.ubuntu.com/usn/usn-2362-1/> 10.04 LTS, 12.04
        LTS, and 14.04 LTS


      Overview

A critical vulnerability has been reported in the GNU Bourne Again Shell
(Bash), the common command-line shell used in most Linux/UNIX operating
systems and Apple’s Mac OS X. The flaw could allow an attacker to
remotely execute shell commands by attaching malicious code in
environment variables used by the operating system [1]
<http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/>.
The United States Department of Homeland Security (DHS) is releasing
this Technical Alert to provide further information about the GNU Bash
vulnerability.


      Description

GNU Bash versions 1.14 through 4.3 contain a flaw that processes
commands placed after function definitions in the added environment
variable, allowing remote attackers to execute arbitrary code via a
crafted environment which enables network-based exploitation. [2
<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271>, 3
<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169>]

Critical instances where the vulnerability may be exposed include: [4
<https://access.redhat.com/security/cve/CVE-2014-6271>, 5
<http://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/>]

  * Apache HTTP Server using mod_cgi or mod_cgid scripts that are either
    written in Bash or spawn subshells.
  * Override or bypass of the ForceCommand feature in OpenSSH sshd and of
    the limited protection for some Git and Subversion deployments used
    to restrict shells, allowing arbitrary command execution.
  * Allow arbitrary commands to run on a DHCP client machine, various
    Daemons and SUID/privileged programs.
  * Exploit servers and other Unix and Linux devices via Web requests,
    secure shell, telnet sessions, or other programs that use Bash to
    execute scripts.
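The first of the exposure cases above (CGI under Apache) is the one most often seen in web logs, because a CGI server exports request headers such as User-Agent into the script's environment as variables like HTTP_USER_AGENT. As an added example, not part of the advisory or of any vendor's tooling, the Python below classifies an untrusted string by whether it is shaped like Bash's exported-function encoding (`() {` at the start) and whether anything follows the function's closing brace, which is the shape the Description refers to as commands placed after the function definition; it then runs that check over constructed Apache combined-format log lines. The log lines, hosts, paths and function names (classify_value, scan_combined_log) are constructed for this illustration.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of Apache "combined" access-log lines (not from the
# advisory). The last quoted field is the User-Agent header, which mod_cgi
# exports to the script as HTTP_USER_AGENT and which pre-patch Bash parsed
# when importing its environment.
SAMPLE_LOG = "\n".join([
    '203.0.113.7 - - [25/Sep/2014:14:10:57 -0500] "GET /cgi-bin/status.sh HTTP/1.1" '
    '200 512 "-" "() { :; }; echo probe"',
    '198.51.100.3 - - [25/Sep/2014:14:11:02 -0500] "GET /index.html HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.7 - - [25/Sep/2014:14:11:40 -0500] "GET /cgi-bin/status.sh HTTP/1.1" '
    '200 512 "-" "() { test; }"',
])

# Apache combined log format: host ident user [time] "request" status size "referer" "agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Bash encodes an exported function as a value beginning with "() {".
FUNC_DEF = re.compile(r'^\s*\(\)\s*\{')


def classify_value(value: str) -> Optional[str]:
    """Classify an untrusted string that may reach Bash's environment.

    Returns None for ordinary text, "function-definition" when the value is
    shaped like an exported Bash function (already anomalous in a web header),
    and "trailing-commands" when text follows the function's closing brace,
    the shape that pre-patch Bash executed while importing the environment.
    """
    m = FUNC_DEF.match(value)
    if not m:
        return None
    depth = 0
    # m.end() - 1 is the index of the opening "{"; walk to its matching "}".
    for i in range(m.end() - 1, len(value)):
        ch = value[i]
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                rest = value[i + 1:].strip()
                return "trailing-commands" if rest else "function-definition"
    # No closing brace at all: still not something a browser sends.
    return "function-definition"


def scan_combined_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (host, request, verdict) for lines whose User-Agent is suspicious."""
    hits = []
    for line in text.splitlines():
        m = COMBINED.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        verdict = classify_value(m.group("agent"))
        if verdict:
            hits.append((m.group("host"), m.group("request"), verdict))
    return hits


if __name__ == "__main__":
    for host, request, verdict in scan_combined_log(SAMPLE_LOG):
        print(f"{verdict:20} {host:15} {request}")
```

The same classify_value check applies to any other header or CGI variable that ends up in the environment (Referer, Cookie, and the query string for some handlers), so in practice it is run over every header of a request rather than User-Agent alone; a "function-definition" verdict with no trailing text is still worth alerting on, since no legitimate client sends that prefix.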


      Impact

This vulnerability is classified by industry standards as “High” impact
with CVSS Impact Subscore 10 and “Low” on complexity, which means it
takes little skill to perform. This flaw allows attackers to provide
specially crafted environment variables containing arbitrary commands
that can be executed on vulnerable systems. It is especially dangerous
because of the prevalent use of the Bash shell and its ability to be
called by an application in numerous ways.


      Solution

Patches have been released to fix this vulnerability by major Linux
vendors for affected versions. Solutions for CVE-2014-6271 do not
completely resolve the vulnerability. It is advised to install existing
patches and pay attention for updated patches to address CVE-2014-7169.

Many UNIX-like operating systems, including Linux distributions, BSD
variants, and Apple Mac OS X include Bash and are likely to be affected.
Contact your vendor for updated information. A list of vendors can be
found in CERT Vulnerability Note VU#252743
<http://www.kb.cert.org/vuls/id/252743> [6].

US-CERT recommends system administrators review the vendor patches and
the NIST Vulnerability Summary for CVE-2014-7169
<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169>, to
mitigate damage caused by the exploit.


      References

  * Ars Technica, Bug in Bash shell creates big security hole on
    anything with *nix in it;
    <http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/>
  * DHS NCSD; Vulnerability Summary for CVE-2014-6271
    <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271>
  * DHS NCSD; Vulnerability Summary for CVE-2014-7169
    <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169>
  * Red Hat, CVE-2014-6271
    <https://access.redhat.com/security/cve/CVE-2014-6271>
  * Red Hat, Bash specially-crafted environment variables code injection
    attack
    <https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/>
  * CERT Vulnerability Note VU#252743
    <http://www.kb.cert.org/vuls/id/252743>


      Revision History

  * September 25, 2014 - Initial Release



-- 
Fernando Gont
e-mail: fernando en gont.com.ar || fgont en si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1





------------ next part ------------
An HTML attachment was scrubbed...
URL: <https://mail.lacnic.net/pipermail/seguridad/attachments/20140925/96d006e4/attachment.html>


More information about the Seguridad mailing list