New Zero-Day Exploit Alert


CVE-2014-6271


Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)

A new zero-day vulnerability affecting all versions of Bash has recently been announced, known informally as “Shellshock”. This vulnerability (CVE-2014-6271) allows for unauthenticated remote code execution based upon how Bash processes trailing strings after function definitions when parsing the values of environment variables.

Support Information:

Novell-SUSE: http://support.novell.com/security/cve/CVE-2014-6271.html
Debian: https://www.debian.org/security/2014/dsa-3032
Ubuntu: http://www.ubuntu.com/usn/usn-2362-1/
Red Hat/Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-6271
Mageia: http://advisories.mageia.org/MGASA-2014-0388.html
CentOS: http://centosnow.blogspot.com/2014/09/critical-bash-updates-for-centos-5.html

Additional Information can be found at:

https://access.redhat.com/articles/1200223

Recommendations:

  • Update Bash to the latest available version.

Systems Affected:

  • Most Linux, BSD and Unix-like systems.
  • Mac OS X
  • CGI scripts that are written in Bash or call out to system() where Bash is the default shell.
  • PHP applications running in CGI mode that call out to system() and where Bash is the default shell.
  • Web applications written in PHP, Python, or Java are likely vulnerable if they use library calls such as system() or popen() and Bash is the default shell.
  • dhclient – used to automatically obtain network configuration information via DHCP. Connecting to a malicious DHCP server could allow an attacker to run arbitrary code on the client machine in an administrative context.
  • CUPS is believed to be affected by this issue.

Alert Detection:

The Masergy Threat Intelligence Team currently has the following alerts to detect the exploitation of this vulnerability.

WEB:CVE-2014-6271-URI

Possible CVE-2014-6271 exploit attempt in HTTP URI. CVE-2014-6271 is a zero-day vulnerability in Bash that allows for unauthenticated remote code execution based upon how Bash processes trailing strings after function definitions in the values of environment variables. By sending a specially crafted HTTP request, an attacker can remotely execute code in a vulnerable web application.

WEB:CVE-2014-6271-HEAD

Possible CVE-2014-6271 exploit attempt in HTTP Headers. CVE-2014-6271 is a zero-day vulnerability in Bash that allows for unauthenticated remote code execution based upon how Bash processes trailing strings after function definitions in the values of environment variables. By sending a specially crafted HTTP request, an attacker can remotely execute code in a vulnerable web application.

WEB:CVE-2014-6271-BODY1

Possible CVE-2014-6271 exploit attempt in HTTP Client Body. CVE-2014-6271 is a zero-day vulnerability in Bash that allows for unauthenticated remote code execution based upon how Bash processes trailing strings after function definitions in the values of environment variables. By sending a specially crafted HTTP request, an attacker can remotely execute code in a vulnerable web application.

WEB:CVE-2014-6271-BODY2

Possible CVE-2014-6271 exploit attempt in HTTP Client Body. CVE-2014-6271 is a zero-day vulnerability in Bash that allows for unauthenticated remote code execution based upon how Bash processes trailing strings after function definitions in the values of environment variables. By sending a specially crafted HTTP request, an attacker can remotely execute code in a vulnerable web application.

WEB:CVE-2014-6271-VER

Possible CVE-2014-6271 exploit attempt in HTTP Version Number. CVE-2014-6271 is a zero-day vulnerability in Bash that allows for unauthenticated remote code execution based upon how Bash processes trailing strings after function definitions in the values of environment variables. By sending a specially crafted HTTP request, an attacker can remotely execute code in a vulnerable web application.

EXP:CVE-2014-6271-DHCP1

Possible CVE-2014-6271 exploit attempt in a malicious DHCP ACK packet with injection via DHCP Option 15. CVE-2014-6271 is a zero-day vulnerability in Bash that allows for unauthenticated remote code execution based upon how Bash processes trailing strings after function definitions in the values of environment variables. The Dynamic Host Configuration Protocol Client (dhclient) is used to automatically obtain network configuration information via DHCP. This client uses various environment variables and runs Bash to configure the network interface. An attacker could use a malicious DHCP server to run arbitrary code on the client machine under superuser context.

EXP:CVE-2014-6271-DHCP2

Possible CVE-2014-6271 exploit attempt in a malicious DHCP ACK packet with injection via DHCP Option 67. CVE-2014-6271 is a zero-day vulnerability in Bash that allows for unauthenticated remote code execution based upon how Bash processes trailing strings after function definitions in the values of environment variables. The Dynamic Host Configuration Protocol Client (dhclient) is used to automatically obtain network configuration information via DHCP. This client uses various environment variables and runs Bash to configure the network interface. An attacker could use a malicious DHCP server to run arbitrary code on the client machine under superuser context.
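The alerts above all key on the same mechanism: a request field or DHCP option value that Bash would import as a function definition and then keep executing past the closing brace. The following is an added example, not Masergy's signature logic, that applies that check to each location the WEB and EXP alerts name; the alert names are taken from this page, the HTTP request and DHCP option values are constructed test input, and the harmless echo payloads are illustrative only.

```python
import re
from urllib.parse import unquote

# Unpatched Bash imports any environment variable whose value starts
# with "() {" as a function definition and keeps executing whatever
# text follows the closing brace. CGI exposes request fields to scripts
# as environment variables (REQUEST_URI, HTTP_<HEADER>, SERVER_PROTOCOL,
# and the body on stdin), so each location below is a possible carrier.
INJECTION = re.compile(r"\(\)\s*\{.*?\}\s*;?\s*(\S.*)", re.DOTALL)

def trailing_payload(value):
    """Return the text Bash would run after the function body, or None
    when the value carries no function definition with trailing data."""
    m = INJECTION.search(unquote(value))  # URL-decode first (URI/query)
    return m.group(1).strip() if m else None

def scan_http_request(raw):
    """Map every hit in a raw HTTP request to the alert it matches."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)  # method, URI, version
    uri = parts[1] if len(parts) > 1 else ""
    version = parts[2] if len(parts) > 2 else ""
    hits = []
    for alert, value in (("WEB:CVE-2014-6271-URI", uri),
                         ("WEB:CVE-2014-6271-VER", version),
                         ("WEB:CVE-2014-6271-BODY1", body)):
        payload = trailing_payload(value)
        if payload:
            hits.append((alert, payload))
    for line in lines[1:]:  # each header becomes an HTTP_* variable
        name, _, value = line.partition(":")
        payload = trailing_payload(value)
        if payload:
            hits.append(("WEB:CVE-2014-6271-HEAD", name.strip() + ": " + payload))
    return hits

# dhclient exports option values (15 = domain name, 67 = bootfile name)
# to its configuration script, which runs under Bash as root.
DHCP_ALERTS = {15: "EXP:CVE-2014-6271-DHCP1", 67: "EXP:CVE-2014-6271-DHCP2"}

def scan_dhcp_option(number, value):
    """Check one DHCP option value; returns (alert, payload) or None."""
    payload = trailing_payload(value)
    label = DHCP_ALERTS.get(number, "DHCP option %d" % number)
    return (label, payload) if payload else None

# Constructed sample: URL-encoded payload in the query string and a
# second one in User-Agent; both only echo a marker string.
SAMPLE_REQUEST = (
    "GET /cgi-bin/status.cgi?q=%28%29%20%7B%20%3A%3B%7D%3B%20echo%20uri-test HTTP/1.1\r\n"
    "Host: www.example.test\r\nUser-Agent: () { :;}; echo shellshock-test\r\n"
    "Accept: */*\r\n\r\n")
```

A plain exported function with nothing after its closing brace (for example `() { echo hi; }`) is not flagged, which keeps the check focused on the trailing-string behaviour the advisory describes.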

The Masergy Threat Intelligence Team will continue to release alerts for this vulnerability to all Masergy Unified Enterprise Security (UES) customers as they become available for IDS/IPS Detection + Prevention Modules (DPM). We will also update the Vulnerability Scanning Modules (VSM) with the capability to scan for this vulnerability as updates become available.
