SB2014092803 - openSUSE update for bash 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2014092803

SB2014092803 - openSUSE update for bash

Published: September 28, 2014 Updated: August 8, 2023

Security Bulletin ID SB2014092803
Severity
Critical
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Critical 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 security vulnerability.


1) Command injection (CVE-ID: CVE-2014-6271)

The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

The vulnerability exists due to incorrect parsing of environment variables. A remote attacker can execute arbitrary code on the target system as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

Successful exploitation may allow an attacker to gain complete control over vulnerable system.

Exploitation example:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

Note: this vulnerability was being actively exploited in the wild.


Remediation

Install update from vendor's website.

References