Main Vulnerability Database Vulnerabilities #VU5294

#VU5294 Command injection in Bash - CVE-2014-7169

Published: January 24, 2017 / Updated: February 20, 2022

Vulnerability identifier: #VU5294

Vulnerability risk: Critical

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red

CVE-ID: CVE-2014-7169

CWE-ID: CWE-77

Exploitation vector: Remote access

Exploit availability: The vulnerability is being exploited in the wild

Vulnerable software:
Bash

Software vendor:
GNU

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

The weakness exists due to an incomplete fix related to malformed function definitions in the values of environment variables. By using multiple attack vectors (DHCP, HTTP, SIP, FTP, and SMTP) involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, a remote attacker can inject and execute arbitrary commands.This vulnerability exists due to incomplete fix for vulnerability #1 (CVE-2014-6271).

Exploitation example:

env X='() { (a)=>\' bash -c "echo date"; cat echo

Successful exploitation may allow an attacker to gain complete control over vulnerable system.

Note: this vulnerability was being actively exploited.

Remediation

Update GNU Bash to version 4.3 bash43-027.

External links

https://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-027