SB2014092405 - Command injection in bash (Alpine package)
Published: September 24, 2014 Updated: August 8, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Command injection (CVE-ID: CVE-2014-6271)
The vulnerability allows a remote attacker to execute arbitrary commands on the target system.
The vulnerability exists due to incorrect parsing of environment variables. A remote attacker can execute arbitrary code on the target system as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.
Successful exploitation may allow an attacker to gain complete control over vulnerable system.
Exploitation example:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
Note: this vulnerability was being actively exploited in the wild.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=97da490163f2462899ff86143f9a9abc960e5269
- https://git.alpinelinux.org/aports/commit/?id=6d8b4b43edacc55a50dcdbcb2cbf6c5da00e8a31
- https://git.alpinelinux.org/aports/commit/?id=ad7e76b785a6fb778ab22473f0ec4ed78805a376
- https://git.alpinelinux.org/aports/commit/?id=0e3b7e96471caf6ae1e226e4413e5d7a2852ac0a
- https://git.alpinelinux.org/aports/commit/?id=07e6144b76bad51a8dfcfae1eade5b4571c534c3