A major vulnerability was recently discovered within bash which allows arbitrary command execution via specially crafted environment variables. This is possible because bash supports the assignment of shell functions to shell variables. When bash parses environment shell functions, it continues parsing even after the closing brace of the function definition. If any trailing commands are appended to the assignment, bash will execute them.

For example, consider the following environment variable assignment:

    VAR="() { echo 'test'; }"

This assigns a shell function to the variable VAR (notice how the function definition is contained within open and closed braces {}). Now consider the next assignment:

    VAR="() { echo 'test'; }; chmod 666 /etc/shadow"

This assignment has an additional command (; chmod 666 /etc/shadow) appended AFTER the function definition, which will be executed when spawning a new instance of a vulnerable bash shell.

The implications of this vulnerability are staggering considering that network-based remote exploitation is possible. The biggest attack vector would be HTTP requests to CGI scripts that are written in bash or that spawn subshells, because CGI makes heavy use of environment variables. Potentially exploitable environment variables include REMOTE_HOST, HTTP_CUSTOM, and SERVER_PROTOCOL, where these can be manipulated into shell functions with arbitrary commands appended to them.

OpenSSH is another potential attack vector when the AcceptEnv configuration setting is used. In this case, exploitable environment variables include TERM and SSH_ORIGINAL_COMMAND. Also, this vulnerability can potentially bypass command execution limits enforced by the ForceCommand configuration setting.

Finally, many Linux / Unix daemons with SUID privileges may execute shell scripts where environment variables can be influenced by a user, opening the door for local exploitation and privilege escalation.
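One way to reduce exposure in front of a shell that cannot be patched immediately is to strip function-definition-shaped values from the environment before any shell is spawned, for example in a wrapper around a CGI script. The following is an added example, not code from the original post or from BeyondTrust; the function names `suspicious_env_names` and `scrub_env` are hypothetical and the sample values are constructed.

```sh
#!/bin/sh
# Added example: drop environment variables whose value looks like a bash
# function definition before a shell is spawned. Function names are
# hypothetical and the sample values at the bottom are constructed.

# Print the names of environment variables whose value starts with "() {",
# the function-definition prefix used in the assignments above.
# awk's ENVIRON array is read so multi-line values cannot confuse the scan.
suspicious_env_names() {
    awk 'BEGIN {
        for (name in ENVIRON)
            if (substr(ENVIRON[name], 1, 4) == "() {")
                print name
    }' | sort
}

# Unset every flagged variable in the current shell and record how many
# were removed in SCRUBBED. Names that are not plain identifiers cannot be
# unset by the shell and are skipped.
scrub_env() {
    SCRUBBED=0
    _flagged=$(suspicious_env_names)
    while IFS= read -r _name; do
        case $_name in
            ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) continue ;;
        esac
        unset -v "$_name"
        SCRUBBED=$((SCRUBBED + 1))
    done <<EOF
$_flagged
EOF
}

# Demo with constructed values; the variable names come from the text above
# and the trailing command is a harmless echo.
export HTTP_CUSTOM="() { echo 'test'; }; echo constructed-trailing-command"
export SERVER_PROTOCOL="HTTP/1.1"
scrub_env
echo "removed $SCRUBBED variable(s); HTTP_CUSTOM is ${HTTP_CUSTOM-unset}"
```

Filtering of this kind only narrows the exposure in front of an unpatched bash; installing the vendor updates remains the fix.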
Note: This vulnerability is not limited to Linux systems. Mac OS X includes a vulnerable version of bash which, as of this writing, Apple has not yet released a patch for.

BeyondTrust is helping to combat this issue by supplying its customers with the following audit updates for Retina Vulnerability Management products as of audit release 2820:

Generic:
31615 – Bash Remote Code Execution Vulnerability – CVE-2014-6271
35314 – Bash Remote Code Execution Vulnerability – CVE-2014-7169
33606 – Bash Remote Code Execution Vulnerability – CGI Remote **

Apple OS X:
33975 – Apple OS X bash Update 1.0 (HT6495) – Mavericks
35351 – Apple OS X bash Update 1.0 (HT6495) – Mountain Lion
35352 – Apple OS X bash Update 1.0 (HT6495) – Lion

CentOS:
31428 – CESA-2014:1293 – bash security update
35304 – CESA-2014:1306 – bash security update

Debian:
31425 – DSA-3032 – bash
35302 – DSA-3035 – bash

Fedora:
31434 – FEDORA-2014-11503 – bash-4.2.47-2.fc19
35308 – FEDORA-2014-11514 – bash-4.2.48-2.fc19
35297 – FEDORA-2014-11360 – bash-4.2.47-4.fc20
35307 – FEDORA-2014-11527 – bash-4.2.48-2.fc20

FreeBSD:
35377 – FreeBSD – bash (71ad81da-4414-11e4-a33e-3c970e169bc2)
35379 – FreeBSD – bash (4a4e9f88-491c-11e4-ae2c-c80aa9043978)
35378 – FreeBSD – bash (512d1301-49b9-11e4-ae2c-c80aa9043978)

Gentoo:
33681 – GLSA 201409-09 – bash
35303 – GLSA 201409-10 – bash

Mandriva:
32375 – MDVSA-2014:186 – bash
35313 – MDVSA-2014:190 – bash

Oracle Linux:
34280 – ELSA-2014-1293 – bash security update
35306 – ELSA-2014-1294 – bash security update
35305 – ELSA-2014-1306 – bash security update

Red Hat Enterprise Linux:
35295 – RHSA-2014:1293 – bash security update
35309 – RHSA-2014:1294 – bash security update
34281 – RHSA-2014:1306 – bash security update
35322 – RHSA-2014:1311 – bash security update

Scientific Linux:
32376 – SLSA-2014:1293 – bash security update
34936 – SLSA-2014:1306 – bash security update

Slackware:
33684 – SSA:2014-267-01 – bash – 13.0
35310 – SSA:2014-268-01 / SSA:2014-268-02 – bash – 13.0
33683 – SSA:2014-267-01 – bash – 13.1/13.37
35311 – SSA:2014-268-01 / SSA:2014-268-02 – bash – 13.10/13.37
35296 – SSA:2014-267-01 – bash – 14.0/14.1
35312 – SSA:2014-268-01 / SSA:2014-268-02 – bash – 14.0/14.1
35348 – SSA:2014-272-01 – bash – 14.0/1
35349 – SSA:2014-272-01 – bash – 13.1/37
35350 – SSA:2014-272-01 – bash – 13.0

Solaris:
35316 – Oracle Security Alert for CVE-2014-7169 Bash – Solaris 11.2 (11.2.2.7.0)
35317 – Oracle Security Alert for CVE-2014-7169 Bash – Solaris 11.1 (IDR1401.2)
35323 – Oracle Security Alert for CVE-2014-7169 Bash – Solaris 11.1 (IDR1400.2)
35328 – Oracle Security Alert for CVE-2014-7169 Bash – Solaris 10 x86 (126547-06)
35329 – Oracle Security Alert for CVE-2014-7169 Bash – Solaris 10 SPARC (126546-06)
35331 – Oracle Security Alert for CVE-2014-7169 Bash – Solaris 9 x86 (149080-01)
35332 – Oracle Security Alert for CVE-2014-7169 Bash – Solaris 9 SPARC (149079-01)
35333 – Oracle Security Alert for CVE-2014-7169 Bash – Solaris 8 x86 (IDR151575-02)
35334 – Oracle Security Alert for CVE-2014-7169 Bash – Solaris 8 SPARC (IDR151576-02)
35335 – Oracle Security Alert for CVE-2014-7169 Bash – Solaris 11.2 (11.2.2.8.0)
35336 – Oracle Security Alert for CVE-2014-7169 Bash – Solaris 10 x86 (IDR151578-02)
35338 – Oracle Security Alert for CVE-2014-7169 Bash – Solaris 10 SPARC (IDR151577-02)
35339 – Oracle Security Alert for CVE-2014-7169 Bash – Solaris 9 x86 (IDR151574-02)
35340 – Oracle Security Alert for CVE-2014-7169 Bash – Solaris 9 SPARC (IDR151573-02)
35341 – Oracle Security Alert for CVE-2014-7169 Bash – Solaris 8 x86 (IDR151575-02)
35342 – Oracle Security Alert for CVE-2014-7169 Bash – Solaris 8 SPARC (IDR151576-02)

SuSE:
35298 – SUSE-SU-2014:1212 – bash
35299 – SUSE-SU-2014:1213-1 – bash – server 10
35300 – SUSE-SU-2014:1213-1 – bash – server 11
35301 – SUSE-SU-2014:1214-1 – bash
35325 – openSUSE-SU-2014:1254 – bash
35320 – SUSE-SU-2014:1247 – bash – 11
35321 – SUSE-SU-2014:1247 – bash – 10
35355 – SUSE-SU-2014:1259-1 – bash

Ubuntu:
31417 – USN-2362-1 – Bash vulnerability
35071 – USN-2363-1 – Bash vulnerability
35093 – USN-2364-1 – Bash vulnerability

VMware:
35364 – VMSA-2014-0010: Multiple Products Bash Vulnerability – ESX 4.1
35365 – VMSA-2014-0010: Multiple Products Bash Vulnerability – ESX 4.0
35366 – VMSA-2014-0010: Multiple Products Bash Vulnerability – vC Appliance
35375 – VMSA-2014-0010: Multiple Products Bash Vulnerability – vC Log Insight

Additional audits will be updated here as they are released. Please note that the above audits are covering the current set of "Shellshock" CVEs, which include CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278.

** Due to the nature of this vulnerability not every remote attack vector is able to be audited in an uncredentialed manner. We will continue to add any new capabilities we can that allow for auditing without credentials. This audit currently queries a few common CGI locations in order to determine if web based attack vectors might be possible.

Revisions:
2014-10-03 @ 3:40 PM PT: Audits related to revision 2820 added.
2014-10-02 @ 9:50 AM PT: Audits related to revision 2819 added.
2014-09-29 @ 6:11 PM PT: Audits related to revision 2818 added.
2014-09-26 @ 5:04 PM PT: Audits related to revision 2817 added.
2014-09-26 @ 12:20 PM PT: Audits related to revision 2816 added.
2014-09-25 @ 10:19 PM PT: Audits related to revision 2815 added.
2014-09-24 @ 7:15 PM PT: Original post.