Bash "Shellshock" Vulnerability - Retina Updates

September 25, 2014

A major vulnerability was recently discovered in bash that allows arbitrary command execution via specially crafted environment variables. This is possible because bash supports the assignment of shell functions to shell variables. When bash parses shell functions passed in the environment, it continues parsing even after the closing brace of the function definition. If any trailing commands are appended to the assignment, bash will execute them.

For example, consider the following environment variable assignment:

    VAR="() { echo 'test'; }"

This assigns a shell function to the variable VAR (notice how the function definition is contained within open and closed braces {}). Now consider the next assignment:

    VAR="() { echo 'test'; }; chmod 666 /etc/shadow"

This assignment has an additional command (; chmod 666 /etc/shadow) appended AFTER the function definition, which will be executed when a new instance of a vulnerable bash shell is spawned.

The implications of this vulnerability are staggering considering that network-based remote exploitation is possible. The biggest attack vector would be HTTP requests to CGI scripts, because CGI makes heavy use of environment variables when the script is written in bash or spawns subshells. Potentially exploitable environment variables include REMOTE_HOST, HTTP_CUSTOM, and SERVER_PROTOCOL, which can be manipulated into shell functions with arbitrary commands appended to them.

OpenSSH is another potential attack vector when the AcceptEnv configuration setting is used. In this case, exploitable environment variables include TERM and SSH_ORIGINAL_COMMAND. This vulnerability can also potentially bypass command execution limits enforced by the ForceCommand configuration setting.

Finally, many Linux / Unix daemons with SUID privileges may execute shell scripts where environment variables can be influenced by a user, opening the door for local exploitation and privilege escalation.
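As a defensive illustration of the parsing behaviour described above, the following added example (not code from BeyondTrust or Retina) audits a set of environment values for the function-definition prefix and separates any text that trails the closing brace. The names `split_function` and `audit_environment`, the severity labels, and the sample environment are assumptions made for this example; the brace matching is a heuristic, not bash's actual parser.

```python
"""Flag environment values that bash would import as shell functions."""

FUNC_PREFIX = "() {"  # a value starting this way is treated by bash as a function


def split_function(value):
    """Return (definition, trailing) for a function-style value, else None.

    Heuristic brace matching: quotes are tracked so that a brace inside a
    quoted string does not change the nesting depth.
    """
    if not value.startswith(FUNC_PREFIX):
        return None
    depth, quote = 0, None
    for i, ch in enumerate(value):
        if quote:
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return value[: i + 1], value[i + 1:].strip()
    return value, ""  # unterminated body: still function-style, nothing trailing


def audit_environment(env):
    """Map each function-style variable to its definition, trailing text, severity."""
    findings = {}
    for name, value in env.items():
        parts = split_function(value)
        if parts is not None:
            definition, trailing = parts
            severity = "high" if trailing else "review"  # hypothetical labels
            findings[name] = {"definition": definition, "trailing": trailing,
                              "severity": severity}
    return findings


# Constructed sample: the two assignments quoted in the post, plus benign values.
SAMPLE_ENV = {
    "SERVER_PROTOCOL": "HTTP/1.1",
    "REMOTE_HOST": "client.example.test",
    "TERM": "() { echo 'test'; }",
    "HTTP_CUSTOM": "() { echo 'test'; }; chmod 666 /etc/shadow",
}

if __name__ == "__main__":
    for name, f in audit_environment(SAMPLE_ENV).items():
        print(f"{name}: severity={f['severity']} trailing={f['trailing']!r}")
```

Values that arrive from a network client (HTTP headers mapped to CGI variables, variables accepted through AcceptEnv) have no legitimate reason to begin with `() {`, so a "review" finding on such a variable also deserves attention.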
Note: This vulnerability is not limited to Linux systems. Mac OS X includes a vulnerable version of bash for which, as of this writing, Apple has not yet released a patch.

BeyondTrust is helping to combat this issue by supplying its customers with the following audit updates for Retina Vulnerability Management products as of audit release 2820:

Generic:
  • 31615 – Bash Remote Code Execution Vulnerability – CVE-2014-6271
  • 35314 – Bash Remote Code Execution Vulnerability – CVE-2014-7169
  • 33606 – Bash Remote Code Execution Vulnerability – CGI Remote **

Apple OS X:
  • 33975 – Apple OS X bash Update 1.0 (HT6495) – Mavericks
  • 35351 – Apple OS X bash Update 1.0 (HT6495) – Mountain Lion
  • 35352 – Apple OS X bash Update 1.0 (HT6495) – Lion

CentOS:
  • 31428 – CESA-2014:1293 – bash security update
  • 35304 – CESA-2014:1306 – bash security update

Debian:
  • 31425 – DSA-3032 – bash
  • 35302 – DSA-3035 – bash

Fedora:
  • 31434 – FEDORA-2014-11503 – bash-4.2.47-2.fc19
  • 35308 – FEDORA-2014-11514 – bash-4.2.48-2.fc19
  • 35297 – FEDORA-2014-11360 – bash-4.2.47-4.fc20
  • 35307 – FEDORA-2014-11527 – bash-4.2.48-2.fc20

FreeBSD:
  • 35377 – FreeBSD – bash (71ad81da-4414-11e4-a33e-3c970e169bc2)
  • 35379 – FreeBSD – bash (4a4e9f88-491c-11e4-ae2c-c80aa9043978)
  • 35378 – FreeBSD – bash (512d1301-49b9-11e4-ae2c-c80aa9043978)

Gentoo:
  • 33681 – GLSA 201409-09 – bash
  • 35303 – GLSA 201409-10 – bash

Mandriva:
  • 32375 – MDVSA-2014:186 – bash
  • 35313 – MDVSA-2014:190 – bash

Oracle Linux:
  • 34280 – ELSA-2014-1293 – bash security update
  • 35306 – ELSA-2014-1294 – bash security update
  • 35305 – ELSA-2014-1306 – bash security update

Red Hat Enterprise Linux:
  • 35295 – RHSA-2014:1293 – bash security update
  • 35309 – RHSA-2014:1294 – bash security update
  • 34281 – RHSA-2014:1306 – bash security update
  • 35322 – RHSA-2014:1311 – bash security update

Scientific Linux:
  • 32376 – SLSA-2014:1293 – bash security update
  • 34936 – SLSA-2014:1306 – bash security update

Slackware:
  • 33684 – SSA:2014-267-01 – bash – 13.0
  • 35310 – SSA:2014-268-01 / SSA:2014-268-02 – bash – 13.0
  • 33683 – SSA:2014-267-01 – bash – 13.1/13.37
  • 35311 – SSA:2014-268-01 / SSA:2014-268-02 – bash – 13.10/13.37
  • 35296 – SSA:2014-267-01 – bash – 14.0/14.1
  • 35312 – SSA:2014-268-01 / SSA:2014-268-02 – bash – 14.0/14.1
  • 35348 – SSA:2014-272-01 – bash – 14.0/1
  • 35349 – SSA:2014-272-01 – bash – 13.1/37
  • 35350 – SSA:2014-272-01 – bash – 13.0

Solaris:
  • 35316 – Oracle Security Alert for CVE-2014-7169 Bash – Solaris 11.2 (11.2.2.7.0)
  • 35317 – Oracle Security Alert for CVE-2014-7169 Bash – Solaris 11.1 (IDR1401.2)
  • 35323 – Oracle Security Alert for CVE-2014-7169 Bash – Solaris 11.1 (IDR1400.2)
  • 35328 – Oracle Security Alert for CVE-2014-7169 Bash – Solaris 10 x86 (126547-06)
  • 35329 – Oracle Security Alert for CVE-2014-7169 Bash – Solaris 10 SPARC (126546-06)
  • 35331 – Oracle Security Alert for CVE-2014-7169 Bash – Solaris 9 x86 (149080-01)
  • 35332 – Oracle Security Alert for CVE-2014-7169 Bash – Solaris 9 SPARC (149079-01)
  • 35333 – Oracle Security Alert for CVE-2014-7169 Bash – Solaris 8 x86 (IDR151575-02)
  • 35334 – Oracle Security Alert for CVE-2014-7169 Bash – Solaris 8 SPARC (IDR151576-02)
  • 35335 – Oracle Security Alert for CVE-2014-7169 Bash – Solaris 11.2 (11.2.2.8.0)
  • 35336 – Oracle Security Alert for CVE-2014-7169 Bash – Solaris 10 x86 (IDR151578-02)
  • 35338 – Oracle Security Alert for CVE-2014-7169 Bash – Solaris 10 SPARC (IDR151577-02)
  • 35339 – Oracle Security Alert for CVE-2014-7169 Bash – Solaris 9 x86 (IDR151574-02)
  • 35340 – Oracle Security Alert for CVE-2014-7169 Bash – Solaris 9 SPARC (IDR151573-02)
  • 35341 – Oracle Security Alert for CVE-2014-7169 Bash – Solaris 8 x86 (IDR151575-02)
  • 35342 – Oracle Security Alert for CVE-2014-7169 Bash – Solaris 8 SPARC (IDR151576-02)

SuSE:
  • 35298 – SUSE-SU-2014:1212 – bash
  • 35299 – SUSE-SU-2014:1213-1 – bash – server 10
  • 35300 – SUSE-SU-2014:1213-1 – bash – server 11
  • 35301 – SUSE-SU-2014:1214-1 – bash
  • 35325 – openSUSE-SU-2014:1254 – bash
  • 35320 – SUSE-SU-2014:1247 – bash – 11
  • 35321 – SUSE-SU-2014:1247 – bash – 10
  • 35355 – SUSE-SU-2014:1259-1 – bash

Ubuntu:
  • 31417 – USN-2362-1 – Bash vulnerability
  • 35071 – USN-2363-1 – Bash vulnerability
  • 35093 – USN-2364-1 – Bash vulnerability

VMware:
  • 35364 – VMSA-2014-0010: Multiple Products Bash Vulnerability – ESX 4.1
  • 35365 – VMSA-2014-0010: Multiple Products Bash Vulnerability – ESX 4.0
  • 35366 – VMSA-2014-0010: Multiple Products Bash Vulnerability – vC Appliance
  • 35375 – VMSA-2014-0010: Multiple Products Bash Vulnerability – vC Log Insight

Additional audits will be updated here as they are released. Please note that the above audits cover the current set of "Shellshock" CVEs, which includes CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278.

** Due to the nature of this vulnerability, not every remote attack vector can be audited in an uncredentialed manner. We will continue to add any new capabilities we can that allow for auditing without credentials. This audit currently queries a few common CGI locations in order to determine if web-based attack vectors might be possible.

Revisions:
  • 2014-10-03 @ 3:40 PM PT: Audits related to revision 2820 added.
  • 2014-10-02 @ 9:50 AM PT: Audits related to revision 2819 added.
  • 2014-09-29 @ 6:11 PM PT: Audits related to revision 2818 added.
  • 2014-09-26 @ 5:04 PM PT: Audits related to revision 2817 added.
  • 2014-09-26 @ 12:20 PM PT: Audits related to revision 2816 added.
  • 2014-09-25 @ 10:19 PM PT: Audits related to revision 2815 added.
  • 2014-09-24 @ 7:15 PM PT: Original post.


Scott Lang, Sr. Director, Product Marketing at BeyondTrust

Scott Lang has nearly 20 years of experience in technology product marketing, currently guiding the product marketing strategy for BeyondTrust’s privileged account management solutions and vulnerability management solutions. Prior to joining BeyondTrust, Scott was director of security solution marketing at Dell, formerly Quest Software, where he was responsible for global security campaigns, product marketing for identity and access management and Windows server management.
