<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=windows-1252">
</head>
<body bgcolor="#FFFFFF" text="#000000">
FYI<br>
<div class="moz-forward-container"><br>
<br>
-------- Forwarded Message --------
<table class="moz-email-headers-table" border="0" cellpadding="0"
cellspacing="0">
<tbody>
<tr>
<th align="RIGHT" nowrap="nowrap" valign="BASELINE">Subject:
</th>
<td>TA14-268A: GNU Bourne Again Shell (Bash) ‘Shellshock’
Vulnerability (CVE-2014-6271,CVE-2014-7169)</td>
</tr>
<tr>
<th align="RIGHT" nowrap="nowrap" valign="BASELINE">Date: </th>
<td>Thu, 25 Sep 2014 14:10:57 -0500</td>
</tr>
<tr>
<th align="RIGHT" nowrap="nowrap" valign="BASELINE">From: </th>
<td>US-CERT <a class="moz-txt-link-rfc2396E" href="mailto:US-CERT@ncas.us-cert.gov"><US-CERT@ncas.us-cert.gov></a></td>
</tr>
<tr>
<th align="RIGHT" nowrap="nowrap" valign="BASELINE">Reply-To:
</th>
<td><a class="moz-txt-link-abbreviated" href="mailto:US-CERT@ncas.us-cert.gov">US-CERT@ncas.us-cert.gov</a></td>
</tr>
<tr>
<th align="RIGHT" nowrap="nowrap" valign="BASELINE">To: </th>
<td><a class="moz-txt-link-abbreviated" href="mailto:fernando@gont.com.ar">fernando@gont.com.ar</a></td>
</tr>
</tbody>
</table>
<br>
<br>
<table border="0" cellpadding="0" cellspacing="0" align="center"
width="700">
<tbody>
<tr>
<td>
<p><img moz-do-not-send="true"
src="https://public.govdelivery.com/system/images/37745/original/BANNER_NCCIC_USC_01.png"
alt="NCCIC / US-CERT" height="100" width="700"></p>
<p>National Cyber Awareness System:</p>
<div class="rss_item" style="margin-bottom: 2em;">
<div class="rss_title" style="font-weight: bold;
font-size: 120%; margin: 0 0 0.3em; padding: 0;"><a
moz-do-not-send="true"
href="https://www.us-cert.gov/ncas/alerts/TA14-268A">TA14-268A:
GNU Bourne Again Shell (Bash) ‘Shellshock’
Vulnerability (CVE-2014-6271,CVE-2014-7169)</a></div>
<div class="rss_pub_date" style="font-size: 90%;
font-style: italic; color: #666666; margin: 0 0 0.3em;
padding: 0;">09/25/2014 12:56 PM EDT</div>
<br>
<div class="rss_description" style="margin: 0 0 0.3em;
padding: 0;">Original release date: September 25, 2014<br>
<h3>Systems Affected</h3>
<ul>
<li>GNU Bash through 4.3.</li>
<li>Linux, BSD, and UNIX distributions including but
not limited to:
<ul>
<li><a moz-do-not-send="true"
href="http://lists.centos.org/pipermail/centos/2014-September/146099.html">CentOS</a>
5 through 7</li>
<li><a moz-do-not-send="true"
href="https://lists.debian.org/debian-security-announce/2014/msg00220.html">Debian</a></li>
<li>Mac OS X</li>
<li>Red Hat Enterprise Linux 4 through 7</li>
<li><a moz-do-not-send="true"
href="http://www.ubuntu.com/usn/usn-2362-1/">Ubuntu</a>
10.04 LTS, 12.04 LTS, and 14.04 LTS</li>
</ul>
</li>
</ul>
<h3>Overview</h3>
<p>A critical vulnerability has been reported in the
GNU Bourne Again Shell (Bash), the common
command-line shell used in most Linux/UNIX operating
systems and Apple’s Mac OS X. The flaw could allow
an attacker to remotely execute shell commands by
attaching malicious code to environment variables
that the operating system passes to Bash <a
moz-do-not-send="true"
href="http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/">[1]</a>.
The United States Department of Homeland Security
(DHS) is releasing this Technical Alert to provide
further information about the GNU Bash
vulnerability.</p>
<h3>Description</h3>
<p>GNU Bash versions 1.14 through 4.3 contain a flaw
in the way function definitions are imported from
environment variables: Bash keeps parsing past the
end of the function definition and executes any
commands placed after it in the variable's value. A
remote attacker who can set an environment variable
that is later passed to Bash can therefore run
arbitrary code via a crafted environment, which
makes the flaw exploitable over the network. [<a
moz-do-not-send="true"
href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271">2</a>,
<a moz-do-not-send="true"
href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169">3</a>]</p>
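<p>The following script is an added example and is not part of the US-CERT alert. It exercises the environment-variable import path described above against the local <code>bash</code>, using the diagnostic one-liners that circulated when the two CVEs were published (the CVE-2014-6271 test is the one shown in the Red Hat blog cited as [5]). The function names, the four result words and the scratch-directory handling are choices made for this example; the same import path is what sshd's ForceCommand and CGI expose remotely, but the script only checks the bash binary on the host where it runs.</p>

```shell
#!/bin/sh
# Added example, not part of the US-CERT alert: local checks for the two
# Shellshock CVEs, based on the diagnostic one-liners published with them.
# Each check prints exactly one word:
#   vulnerable | patched | no-bash (bash not installed) | unknown

# Report the bash that the checks exercise (the flaw is in bash, not in sh).
bash_version() {
    if command -v bash >/dev/null 2>&1; then
        bash -c 'printf "%s\n" "$BASH_VERSION"'
    else
        echo "no-bash"
    fi
}

# CVE-2014-6271: bash imports a function from an environment variable whose
# value starts with "() {", but keeps parsing past the closing brace, so the
# trailing "echo vulnerable" is executed when the child bash starts up.
check_cve_2014_6271() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# CVE-2014-7169: the first fix still let a malformed definition leave the
# parser in a bad state. On an unpatched bash the trailing backslash turns
# the next command "echo date" into "> echo date": date(1) runs and its
# output lands in a file named "echo". Run in a scratch directory so the
# file check is unambiguous and nothing is left behind.
check_cve_2014_7169() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    tmp=$(mktemp -d 2>/dev/null) || { echo "unknown"; return 0; }
    (
        cd "$tmp" || { echo "unknown"; exit 1; }
        env 'x=() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1
        if [ -f echo ]; then echo "vulnerable"; else echo "patched"; fi
    )
    rm -rf "$tmp"
}

main() {
    printf 'bash version : %s\n' "$(bash_version)"
    printf 'CVE-2014-6271: %s\n' "$(check_cve_2014_6271)"
    printf 'CVE-2014-7169: %s\n' "$(check_cve_2014_7169)"
}
main
```

<p>A host that reports <code>patched</code> for CVE-2014-6271 but <code>vulnerable</code> for CVE-2014-7169 has only the first, incomplete fix installed. Because the checks spawn <code>bash</code> explicitly, they give the same answer whether the script is run from sh, dash or bash.</p>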
<p>Critical instances where the vulnerability may be
exposed include: [<a moz-do-not-send="true"
href="https://access.redhat.com/security/cve/CVE-2014-6271"><span
style="color: #0000ee;"><span
style="text-decoration: underline;">4</span></span></a>,
<a moz-do-not-send="true"
href="http://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/">5</a>]</p>
<ul>
<li>Apache HTTP Server running CGI scripts through
mod_cgi or mod_cgid, where the script is written in
Bash or spawns a subshell; request headers reach the
script as environment variables.</li>
<li>OpenSSH sshd, where the ForceCommand option (and
the limited protection it gives some Git and
Subversion deployments that use it to restrict
shells) can be overridden or bypassed, because the
client-supplied command is handed to the login shell
in an environment variable, allowing arbitrary
command execution.</li>
<li>DHCP clients, where a malicious DHCP server can
supply option values that are passed to Bash-based
hook scripts through the environment, as well as
various daemons and SUID/privileged programs that
invoke Bash.</li>
<li>Servers and other Unix and Linux devices that can
be reached via Web requests, secure shell, telnet
sessions, or other programs that use Bash to execute
scripts.</li>
</ul>
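<p>The script below is an added example, not code from the alert or from Apache. It shows the CGI path from the first bullet concretely: the CGI specification maps each request header to an <code>HTTP_*</code> environment variable before the script is executed, so a header value beginning with <code>() {</code> is exactly what the vulnerable parser acts on, and it scans Apache combined-format access-log lines for that trigger. The log lines are constructed for the example, and the pattern, function names and the choice to treat any field as suspicious are this example's own.</p>

```shell
#!/bin/sh
# Added example, not from the US-CERT alert: how a request header reaches
# bash through CGI, and a scan of access-log lines for the Shellshock trigger.

# CGI exports each request header as HTTP_<NAME>, upper-cased with "-"
# turned into "_". mod_cgi does this before exec'ing the script, so a
# bash-based script (or any subshell it spawns) inherits the header value.
header_to_cgi_var() {
    printf 'HTTP_%s\n' "$1" | tr 'a-z' 'A-Z' | tr '-' '_'
}

# What the vulnerable importer keys on: a value beginning "() {".
# Matches "() {", "(){" and tab-separated forms; "(compatible; ...)"
# in an ordinary browser User-Agent does not match.
SHELLSHOCK_RE='\(\)[[:space:]]*\{'

# Exit 0 if the single value given as $1 carries the trigger.
is_shellshock_payload() {
    printf '%s' "$1" | grep -Eq "$SHELLSHOCK_RE"
}

# Constructed sample of Apache combined-format lines (not real traffic).
# Fields: client - - [time] "request" status bytes "referer" "user-agent".
# Note the third line: the payload is in Referer, not User-Agent. CGI
# exports every header, so a scan limited to one field would miss it.
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:14:02:11 -0500] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c id"
198.51.100.7 - - [25/Sep/2014:14:03:40 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (compatible; MSIE 10.0)"
192.0.2.9 - - [25/Sep/2014:14:05:02 -0500] "GET /cgi-bin/status HTTP/1.1" 200 512 "(){ :;}; /bin/bash -c uname" "curl/7.30.0"
203.0.113.5 - - [25/Sep/2014:14:06:18 -0500] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Wget/1.15"'

# Number of log lines (read from stdin) carrying the trigger in any field.
count_shellshock_hits() {
    grep -Ec "$SHELLSHOCK_RE"
}

# Unique client addresses (first field) of matching lines, sorted.
shellshock_sources() {
    grep -E "$SHELLSHOCK_RE" | cut -d' ' -f1 | sort -u
}

main() {
    printf 'User-Agent header is exported to the script as %s\n' \
        "$(header_to_cgi_var User-Agent)"
    printf 'lines with trigger: %s\n' \
        "$(printf '%s\n' "$SAMPLE_LOG" | count_shellshock_hits)"
    printf 'sources:\n%s\n' \
        "$(printf '%s\n' "$SAMPLE_LOG" | shellshock_sources)"
}
main
```

<p>Apache logs only the fields its LogFormat names, so a request that carries the payload in a header the format does not record (Cookie, for instance) leaves no trace in the access log; the scan is a triage aid, not proof of absence. The same <code>() {</code> pattern is what most IDS signatures for this issue matched on.</p>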
<h3>Impact</h3>
<p>This vulnerability is classified by industry
standards as “High” impact, with a CVSS Impact
Subscore of 10, and “Low” in access complexity,
which means it takes little skill to exploit. The
flaw allows attackers to supply specially crafted
environment variables containing arbitrary commands
that are then executed on vulnerable systems. It is
especially dangerous because of the prevalent use of
the Bash shell and the numerous ways in which
applications can invoke it.</p>
<h3>Solution</h3>
<p>The major Linux vendors have released patches for
the affected versions. The initial patches for
CVE-2014-6271 do not completely resolve the
vulnerability; install the existing patches now and
watch for updated patches that address
CVE-2014-7169.</p>
<p>Many UNIX-like operating systems, including Linux
distributions, BSD variants, and Apple Mac OS X
include Bash and are likely to be affected. Contact
your vendor for updated information. A list of
vendors can be found in CERT Vulnerability Note <a
moz-do-not-send="true"
href="http://www.kb.cert.org/vuls/id/252743">VU#252743</a>
<a moz-do-not-send="true"
href="http://www.kb.cert.org/vuls/id/252743">[6]</a>.</p>
<p>US-CERT recommends system administrators review the
vendor patches and the NIST Vulnerability Summary
for <a moz-do-not-send="true"
href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169">CVE-2014-7169</a>,
to mitigate damage caused by the exploit.</p>
<h3>References</h3>
<ul>
<li><a moz-do-not-send="true"
href="http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/">Ars
Technica, Bug in Bash shell creates big security
hole on anything with *nix in it; </a></li>
<li><a moz-do-not-send="true"
href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271">DHS
NCSD; Vulnerability Summary for CVE-2014-6271</a></li>
<li><a moz-do-not-send="true"
href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169">DHS
NCSD; Vulnerability Summary for CVE-2014-7169</a></li>
<li><a moz-do-not-send="true"
href="https://access.redhat.com/security/cve/CVE-2014-6271">Red
Hat, CVE-2014-6271 </a></li>
<li><a moz-do-not-send="true"
href="https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/">Red
Hat, Bash specially-crafted environment
variables code injection attack</a></li>
<li><a moz-do-not-send="true"
href="http://www.kb.cert.org/vuls/id/252743">CERT
Vulnerability Note VU#252743</a></li>
</ul>
<h3>Revision History</h3>
<ul>
<li>September 25, 2014 - Initial Release</li>
</ul>
<hr>
<p>This product is provided subject to this <a
moz-do-not-send="true"
href="http://www.us-cert.gov/privacy/notification">Notification</a>
and this <a moz-do-not-send="true"
href="http://www.us-cert.gov/privacy/">Privacy
& Use</a> policy.</p>
</div>
</div>
<div id="tagline">
<hr>
<table style="width: 100%;" border="0" cellpadding="0"
cellspacing="0">
<tbody>
<tr>
<td style="color: gray; font-size: 10px;
font-family: Arial;" width="89%">This email was
sent to <a class="moz-txt-link-abbreviated" href="mailto:fernando@gont.com.ar">fernando@gont.com.ar</a> using GovDelivery,
on behalf of: United States Computer Emergency
Readiness Team (US-CERT) · 245 Murray Lane SW
Bldg 410 · Washington, DC 20598 · (703) 235-5110</td>
</tr>
</tbody>
</table>
</div>
</td>
</tr>
</tbody>
</table>
<br>
<pre class="moz-signature" cols="72">--
Fernando Gont
e-mail: <a class="moz-txt-link-abbreviated" href="mailto:fernando@gont.com.ar">fernando@gont.com.ar</a> || <a class="moz-txt-link-abbreviated" href="mailto:fgont@si6networks.com">fgont@si6networks.com</a>
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
</pre>
<br>
</div>
<br>
</body>
</html>