NVD - Detail

National Cyber Awareness System

Vulnerability Summary for CVE-2014-7169

Original release date: 09/24/2014

Last revised: 01/06/2017

Source: US-CERT/NIST

Modified

This vulnerability has been modified since it was last analyzed by the NVD. It is awaiting reanalysis which may result in further changes to the information provided.

Overview

GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271.

Impact

CVSS Severity (version 2.0):

CVSS v2 Base Score: 10.0 HIGH

Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) (legend)

Impact Subscore: 10.0

Exploitability Subscore: 10.0

CVSS Version 2 Metrics:

Access Vector: Network exploitable

Access Complexity: Low

Authentication: Not required to exploit

Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

External Source: SUSE

Name: openSUSE-SU-2014:1229

Hyperlink: http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00038.html

External Source: HP

Name: HPSBST03181

Hyperlink: http://marc.info/?l=bugtraq&m=141577241923505&w=2

External Source: CONFIRM

Name: http://www.oracle.com/technetwork/topics/security/bashcve-2014-7169-2317675.html

Hyperlink: http://www.oracle.com/technetwork/topics/security/bashcve-2014-7169-2317675.html

External Source: CONFIRM

Name: http://support.novell.com/security/cve/CVE-2014-7169.html

Hyperlink: http://support.novell.com/security/cve/CVE-2014-7169.html

External Source: HP

Name: HPSBHF03119

Hyperlink: http://marc.info/?l=bugtraq&m=141216668515282&w=2

External Source: MLIST

Name: [oss-security] 20140924 Re: CVE-2014-6271: remote code execution through bash

Hyperlink: http://www.openwall.com/lists/oss-security/2014/09/24/32

External Source: CONFIRM

Name: http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004879

Hyperlink: http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004879

External Source: CONFIRM

Name: http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5096315

Hyperlink: http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5096315

External Source: SUSE

Name: SUSE-SU-2014:1259

Hyperlink: http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00048.html

External Source: CONFIRM

Name: https://kc.mcafee.com/corporate/index?page=content&id=SB10085

Hyperlink: https://kc.mcafee.com/corporate/index?page=content&id=SB10085

External Source: CONFIRM

Name: http://www-01.ibm.com/support/docview.wss?uid=swg21685733

Hyperlink: http://www-01.ibm.com/support/docview.wss?uid=swg21685733

External Source: HP

Name: HPSBST03195

Hyperlink: http://marc.info/?l=bugtraq&m=142805027510172&w=2

External Source: CONFIRM

Name: http://www-01.ibm.com/support/docview.wss?uid=swg21685541

Hyperlink: http://www-01.ibm.com/support/docview.wss?uid=swg21685541

External Source: CONFIRM

Name: http://www.novell.com/support/kb/doc.php?id=7015721

Hyperlink: http://www.novell.com/support/kb/doc.php?id=7015721

External Source: UBUNTU

Name: USN-2363-2

Hyperlink: http://www.ubuntu.com/usn/USN-2363-2

External Source: CONFIRM

Name: http://www-01.ibm.com/support/docview.wss?uid=swg21686445

Hyperlink: http://www-01.ibm.com/support/docview.wss?uid=swg21686445

External Source: SUSE

Name: SUSE-SU-2014:1247

Hyperlink: http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00042.html

External Source: HP

Name: HPSBMU03133

Hyperlink: http://marc.info/?l=bugtraq&m=141330425327438&w=2

External Source: CONFIRM

Name: https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10648

Hyperlink: https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10648

External Source: CONFIRM

Name: http://www.vmware.com/security/advisories/VMSA-2014-0010.html

Hyperlink: http://www.vmware.com/security/advisories/VMSA-2014-0010.html

External Source: CONFIRM

Name: http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004898

Hyperlink: http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004898

External Source: CONFIRM

Name: http://linux.oracle.com/errata/ELSA-2014-1306.html

Hyperlink: http://linux.oracle.com/errata/ELSA-2014-1306.html

External Source: CISCO

Name: 20140926 GNU Bash Environmental Variable Command Injection Vulnerability

Hyperlink: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash

External Source: CONFIRM

Name: http://advisories.mageia.org/MGASA-2014-0393.html

Hyperlink: http://advisories.mageia.org/MGASA-2014-0393.html

External Source: HP

Name: HPSBMU03143

Hyperlink: http://marc.info/?l=bugtraq&m=141383026420882&w=2

External Source: SUSE

Name: openSUSE-SU-2014:1242

Hyperlink: http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00041.html

External Source: REDHAT

Name: RHSA-2014:1354

Hyperlink: http://rhn.redhat.com/errata/RHSA-2014-1354.html

External Source: CONFIRM

Name: http://www-01.ibm.com/support/docview.wss?uid=swg21686084

Hyperlink: http://www-01.ibm.com/support/docview.wss?uid=swg21686084

External Source: CONFIRM

Name: http://www-01.ibm.com/support/docview.wss?uid=swg21686131

Hyperlink: http://www-01.ibm.com/support/docview.wss?uid=swg21686131

External Source: HP

Name: HPSBST03157

Hyperlink: http://marc.info/?l=bugtraq&m=141450491804793&w=2

External Source: MANDRIVA

Name: MDVSA-2015:164

Hyperlink: http://www.mandriva.com/security/advisories?name=MDVSA-2015:164

External Source: SUSE

Name: openSUSE-SU-2014:1308

Hyperlink: http://lists.opensuse.org/opensuse-updates/2014-10/msg00023.html

External Source: CONFIRM

Name: http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004915

Hyperlink: http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004915

External Source: HP

Name: SSRT101742

Hyperlink: http://marc.info/?l=bugtraq&m=142358026505815&w=2

External Source: CONFIRM

Name: http://www.qnap.com/i/en/support/con_show.php?cid=61

Hyperlink: http://www.qnap.com/i/en/support/con_show.php?cid=61

External Source: HP

Name: HPSBST03122

Hyperlink: http://marc.info/?l=bugtraq&m=141319209015420&w=2

External Source: SUSE

Name: SUSE-SU-2014:1287

Hyperlink: http://lists.opensuse.org/opensuse-security-announce/2014-10/msg00004.html

External Source: CONFIRM

Name: https://access.redhat.com/articles/1200223

Hyperlink: https://access.redhat.com/articles/1200223

External Source: HP

Name: SSRT101711

Hyperlink: http://marc.info/?l=bugtraq&m=142113462216480&w=2

External Source: CONFIRM

Name: http://www-01.ibm.com/support/docview.wss?uid=swg21685749

Hyperlink: http://www-01.ibm.com/support/docview.wss?uid=swg21685749

External Source: CONFIRM

Name: https://kb.bluecoat.com/index?page=content&id=SA82

Hyperlink: https://kb.bluecoat.com/index?page=content&id=SA82

External Source: HP

Name: HPSBHF03124

Hyperlink: http://marc.info/?l=bugtraq&m=141235957116749&w=2

External Source: CONFIRM

Name: http://www-01.ibm.com/support/docview.wss?uid=swg21687079

Hyperlink: http://www-01.ibm.com/support/docview.wss?uid=swg21687079

External Source: HP

Name: HPSBGN03117

Hyperlink: http://marc.info/?l=bugtraq&m=141216207813411&w=2

External Source: CONFIRM

Name: http://linux.oracle.com/errata/ELSA-2014-3075.html

Hyperlink: http://linux.oracle.com/errata/ELSA-2014-3075.html

External Source: HP

Name: HPSBMU03165

Hyperlink: http://marc.info/?l=bugtraq&m=141577137423233&w=2

External Source: CONFIRM

Name: https://support.apple.com/kb/HT6535

Hyperlink: https://support.apple.com/kb/HT6535

External Source: HP

Name: SSRT101868

Hyperlink: http://marc.info/?l=bugtraq&m=142118135300698&w=2

External Source: FULLDISC

Name: 20141001 FW: NEW VMSA-2014-0010 - VMware product updates address critical Bash security vulnerabilities

Hyperlink: http://seclists.org/fulldisclosure/2014/Oct/0

External Source: CONFIRM

Name: http://support.apple.com/kb/HT6495

Hyperlink: http://support.apple.com/kb/HT6495

External Source: CONFIRM

Name: https://support.f5.com/kb/en-us/solutions/public/15000/600/sol15629.html

Hyperlink: https://support.f5.com/kb/en-us/solutions/public/15000/600/sol15629.html

External Source: HP

Name: HPSBST03154

Hyperlink: http://marc.info/?l=bugtraq&m=141577297623641&w=2

External Source: SECUNIA

Name: 62228

Hyperlink: http://secunia.com/advisories/62228

External Source: JVNDB

Name: JVNDB-2014-000126

Hyperlink: http://jvndb.jvn.jp/jvndb/JVNDB-2014-000126

External Source: CONFIRM

Name: http://www-01.ibm.com/support/docview.wss?uid=swg21686447

Hyperlink: http://www-01.ibm.com/support/docview.wss?uid=swg21686447

External Source: SECUNIA

Name: 59272

Hyperlink: http://secunia.com/advisories/59272

External Source: HP

Name: HPSBST03131

Hyperlink: http://marc.info/?l=bugtraq&m=141383138121313&w=2

External Source: CONFIRM

Name: http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004897

Hyperlink: http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004897

External Source: HP

Name: HPSBGN03142

Hyperlink: http://marc.info/?l=bugtraq&m=141383244821813&w=2

External Source: HP

Name: HPSBST03155

Hyperlink: http://marc.info/?l=bugtraq&m=141576728022234&w=2

External Source: CONFIRM

Name: https://www.suse.com/support/shellshock/

Hyperlink: https://www.suse.com/support/shellshock/

External Source: HP

Name: HPSBGN03141

Hyperlink: http://marc.info/?l=bugtraq&m=141383304022067&w=2

External Source: SUSE

Name: openSUSE-SU-2014:1310

Hyperlink: http://lists.opensuse.org/opensuse-updates/2014-10/msg00025.html

External Source: CONFIRM

Name: https://support.citrix.com/article/CTX200223

Hyperlink: https://support.citrix.com/article/CTX200223

External Source: HP

Name: HPSBHF03146

Hyperlink: http://marc.info/?l=bugtraq&m=141383353622268&w=2

External Source: CONFIRM

Name: http://www-01.ibm.com/support/docview.wss?uid=swg21685914

Hyperlink: http://www-01.ibm.com/support/docview.wss?uid=swg21685914

External Source: HP

Name: HPSBGN03138

Hyperlink: http://marc.info/?l=bugtraq&m=141330468527613&w=2

External Source: HP

Name: SSRT101819

Hyperlink: http://marc.info/?l=bugtraq&m=142721162228379&w=2

External Source: UBUNTU

Name: USN-2363-1

Hyperlink: http://www.ubuntu.com/usn/USN-2363-1

External Source: CERT-VN

Name: VU#252743

Type: US Government Resource

Hyperlink: http://www.kb.cert.org/vuls/id/252743

External Source: BUGTRAQ

Name: 20141001 NEW VMSA-2014-0010 - VMware product updates address critical Bash security vulnerabilities

Hyperlink: http://www.securityfocus.com/archive/1/archive/1/533593/100/0/threaded

External Source: HP

Name: HPSBMU03246

Hyperlink: http://marc.info/?l=bugtraq&m=142358078406056&w=2

External Source: HP

Name: HPSBHF03145

Hyperlink: http://marc.info/?l=bugtraq&m=141383465822787&w=2

External Source: HP

Name: HPSBMU03182

Hyperlink: http://marc.info/?l=bugtraq&m=141585637922673&w=2

External Source: SUSE

Name: openSUSE-SU-2014:1254

Hyperlink: http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00044.html

External Source: HP

Name: HPSBST03129

Hyperlink: http://marc.info/?l=bugtraq&m=141383196021590&w=2

External Source: MISC

Name: http://packetstormsecurity.com/files/128567/CA-Technologies-GNU-Bash-Shellshock.html

Hyperlink: http://packetstormsecurity.com/files/128567/CA-Technologies-GNU-Bash-Shellshock.html

External Source: APPLE

Name: APPLE-SA-2014-10-16-1

Hyperlink: http://archives.neohapsis.com/archives/bugtraq/2014-10/0101.html

External Source: CONFIRM

Name: http://www-01.ibm.com/support/docview.wss?uid=isg3T1021272

Hyperlink: http://www-01.ibm.com/support/docview.wss?uid=isg3T1021272

External Source: CONFIRM

Name: http://www-01.ibm.com/support/docview.wss?uid=swg21685604

Hyperlink: http://www-01.ibm.com/support/docview.wss?uid=swg21685604

External Source: HP

Name: HPSBHF03125

Hyperlink: http://marc.info/?l=bugtraq&m=141345648114150&w=2

External Source: HP

Name: HPSBMU03144

Hyperlink: http://marc.info/?l=bugtraq&m=141383081521087&w=2

External Source: REDHAT

Name: RHSA-2014:1311

Hyperlink: http://rhn.redhat.com/errata/RHSA-2014-1311.html

External Source: DEBIAN

Name: DSA-3035

Hyperlink: http://www.debian.org/security/2014/dsa-3035

External Source: CONFIRM

Name: https://access.redhat.com/node/1200223

Hyperlink: https://access.redhat.com/node/1200223

External Source: CONFIRM

Name: http://www-01.ibm.com/support/docview.wss?uid=isg3T1021361

Hyperlink: http://www-01.ibm.com/support/docview.wss?uid=isg3T1021361

External Source: MISC

Name: http://packetstormsecurity.com/files/128517/VMware-Security-Advisory-2014-0010.html

Hyperlink: http://packetstormsecurity.com/files/128517/VMware-Security-Advisory-2014-0010.html

External Source: CONFIRM

Name: http://www.novell.com/support/kb/doc.php?id=7015701

Hyperlink: http://www.novell.com/support/kb/doc.php?id=7015701

External Source: HP

Name: SSRT101827

Hyperlink: http://marc.info/?l=bugtraq&m=141879528318582&w=2

External Source: JVN

Name: JVN#55667175

Hyperlink: http://jvn.jp/en/jp/JVN55667175/index.html

External Source: CONFIRM

Name: http://www-01.ibm.com/support/docview.wss?uid=swg21686479

Hyperlink: http://www-01.ibm.com/support/docview.wss?uid=swg21686479

External Source: CONFIRM

Name: http://www-01.ibm.com/support/docview.wss?uid=swg21686494

Hyperlink: http://www-01.ibm.com/support/docview.wss?uid=swg21686494

External Source: CERT

Name: TA14-268A

Type: US Government Resource

Hyperlink: http://www.us-cert.gov/ncas/alerts/TA14-268A

External Source: CONFIRM

Name: https://support.citrix.com/article/CTX200217

Hyperlink: https://support.citrix.com/article/CTX200217

External Source: CONFIRM

Name: http://www-01.ibm.com/support/docview.wss?uid=isg3T1021279

Hyperlink: http://www-01.ibm.com/support/docview.wss?uid=isg3T1021279

External Source: MISC

Name: http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html

Hyperlink: http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html

External Source: CONFIRM

Name: http://linux.oracle.com/errata/ELSA-2014-3077.html

Hyperlink: http://linux.oracle.com/errata/ELSA-2014-3077.html

External Source: CONFIRM

Name: http://linux.oracle.com/errata/ELSA-2014-3078.html

Hyperlink: http://linux.oracle.com/errata/ELSA-2014-3078.html

External Source: REDHAT

Name: RHSA-2014:1312

Hyperlink: http://rhn.redhat.com/errata/RHSA-2014-1312.html

External Source: HP

Name: HPSBST03148

Hyperlink: http://marc.info/?l=bugtraq&m=141694386919794&w=2

External Source: CONFIRM

Name: http://www-01.ibm.com/support/docview.wss?uid=swg21686246

Hyperlink: http://www-01.ibm.com/support/docview.wss?uid=swg21686246

External Source: REDHAT

Name: RHSA-2014:1306

Hyperlink: http://rhn.redhat.com/errata/RHSA-2014-1306.html

External Source: MISC

Name: http://twitter.com/taviso/statuses/514887394294652929

Hyperlink: http://twitter.com/taviso/statuses/514887394294652929

External Source: CONFIRM

Name: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk102673&src=securityAlerts

Hyperlink: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk102673&src=securityAlerts

Vulnerable software and versions

* Denotes Vulnerable Software
Changes related to vulnerability configurations

Technical Details

Vulnerability Type (View All)

OS Command Injections (CWE-78)

CVE Standard Vulnerability Entry http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169

Change History 12 change records found - show changes

CVE Modified by MITRE - 1/6/2017 10:00:30 PM
Action	Type	Old Value	New Value
Added	Reference		https://access.redhat.com/node/1200223 [No Types Assigned]
Added	Reference		http://secunia.com/advisories/59272 [No Types Assigned]

CVE Modified by MITRE - 1/2/2017 9:59:11 PM
Action	Type	Old Value	New Value
Added	Reference		http://secunia.com/advisories/62228 [No Types Assigned]
Added	Reference		https://kc.mcafee.com/corporate/index?page=content&id=SB10085 [No Types Assigned]

CVE Modified by Source - 5/11/2015 10:01:47 PM
Action	Type	Old Value	New Value
Added	Reference		https://access.redhat.com/articles/1200223
Added	Reference		http://advisories.mageia.org/MGASA-2014-0393.html
Added	Reference		http://www.mandriva.com/security/advisories?name=MDVSA-2015:164

CVE Modified by Source - 4/9/2015 9:59:37 PM
Action	Type	Old Value	New Value
Added	Reference		http://marc.info/?l=bugtraq&m=142805027510172&w=2

CVE Modified by Source - 3/26/2015 9:59:33 PM
Action	Type	Old Value	New Value
Added	Reference		http://marc.info/?l=bugtraq&m=142721162228379&w=2

CVE Modified by Source - 3/17/2015 10:02:27 PM
Action	Type	Old Value	New Value
Added	Reference		http://marc.info/?l=bugtraq&m=142118135300698&w=2

CVE Modified by Source - 3/11/2015 10:00:17 PM
Action	Type	Old Value	New Value
Added	Reference		http://marc.info/?l=bugtraq&m=141879528318582&w=2
Added	Reference		http://marc.info/?l=bugtraq&m=142113462216480&w=2
Added	Reference		http://marc.info/?l=bugtraq&m=142358078406056&w=2
Added	Reference		http://marc.info/?l=bugtraq&m=142358026505815&w=2

CVE Modified by Source - 12/23/2014 10:00:43 PM
Action	Type	Old Value	New Value
Added	Reference		http://secunia.com/advisories/62312
Added	Reference		http://secunia.com/advisories/62343

CVE Modified by Source - 12/2/2014 10:02:24 PM
Action	Type	Old Value	New Value
Added	Reference		http://marc.info/?l=bugtraq&m=141694386919794&w=2

CVE Modified by Source - 11/19/2014 9:59:53 PM
Action	Type	Old Value	New Value
Added	Reference		http://marc.info/?l=bugtraq&m=141577241923505&w=2
Added	Reference		http://marc.info/?l=bugtraq&m=141576728022234&w=2
Added	Reference		http://marc.info/?l=bugtraq&m=141577297623641&w=2
Added	Reference		http://marc.info/?l=bugtraq&m=141585637922673&w=2
Added	Reference		http://marc.info/?l=bugtraq&m=141577137423233&w=2

CVE Modified by Source - 11/13/2014 10:08:22 PM
Action	Type	Old Value	New Value
Added	Reference		http://secunia.com/advisories/61873
Added	Reference		http://marc.info/?l=bugtraq&m=141383465822787&w=2
Added	Reference		http://www-01.ibm.com/support/docview.wss?uid=swg21686447
Added	Reference		http://rhn.redhat.com/errata/RHSA-2014-1354.html

Initial CVE Analysis - 9/25/2014 9:10:14 AM
Action	Type	Old Value	New Value

You are viewing this page in an unauthorized frame window.

National Cyber Awareness System

Vulnerability Summary for CVE-2014-7169

Modified

Overview

Impact

CVSS Severity (version 2.0):

CVSS Version 2 Metrics:

References to Advisories, Solutions, and Tools

Vulnerable software and versions

Technical Details

Change History 12 change records found - show changes