CVE - CVE-2014-6278

CVE-ID
CVE-2014-6278	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
EXPLOIT-DB:39887 URL:https://www.exploit-db.com/exploits/39887/ EXPLOIT-DB:39568 URL:https://www.exploit-db.com/exploits/39568/ MISC:http://lcamtuf.blogspot.com/2014/09/bash-bug-apply-unofficial-patch-now.html MISC:http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html MISC:http://packetstormsecurity.com/files/128567/CA-Technologies-GNU-Bash-Shellshock.html MISC:http://packetstormsecurity.com/files/137344/Sun-Secure-Global-Desktop-Oracle-Global-Desktop-Shellshock.html CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=1147414 CONFIRM:https://security-tracker.debian.org/tracker/CVE-2014-6278 CONFIRM:http://support.novell.com/security/cve/CVE-2014-6278.html CONFIRM:https://www.suse.com/support/shellshock/ CONFIRM:https://kb.bluecoat.com/index?page=content&id=SA82 CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=isg3T1021272 CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21685749 CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21685914 CONFIRM:http://www.novell.com/support/kb/doc.php?id=7015721 CONFIRM:http://www.oracle.com/technetwork/topics/security/bashcve-2014-7169-2317675.html CONFIRM:http://www.vmware.com/security/advisories/VMSA-2014-0010.html CONFIRM:https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10648 CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=isg3T1021279 CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004879 CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004897 CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004898 CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004915 CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21685541 CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21685604 CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21685733 CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21686131 CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21686479 CONFIRM:http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5096315 CONFIRM:https://support.citrix.com/article/CTX200217 CONFIRM:https://support.citrix.com/article/CTX200223 CONFIRM:https://support.f5.com/kb/en-us/solutions/public/15000/600/sol15629.html CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=isg3T1021361 CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21686246 CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21686445 CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21686494 CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21687079 CONFIRM:https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk102673&src=securityAlerts CONFIRM:http://www.qnap.com/i/en/support/con_show.php?cid=61 CONFIRM:http://linux.oracle.com/errata/ELSA-2014-3093 CONFIRM:http://linux.oracle.com/errata/ELSA-2014-3094 CONFIRM:https://kc.mcafee.com/corporate/index?page=content&id=SB10085 CONFIRM:https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c04497075 CONFIRM:https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c04518183 CISCO:20140926 GNU Bash Environment Variable Command Injection Vulnerability URL:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash HP:HPSBGN03138 URL:http://marc.info/?l=bugtraq&m=141330468527613&w=2 HP:HPSBHF03125 URL:http://marc.info/?l=bugtraq&m=141345648114150&w=2 HP:HPSBGN03141 URL:http://marc.info/?l=bugtraq&m=141383304022067&w=2 HP:HPSBGN03142 URL:http://marc.info/?l=bugtraq&m=141383244821813&w=2 HP:HPSBHF03146 URL:http://marc.info/?l=bugtraq&m=141383353622268&w=2 HP:HPSBMU03143 URL:http://marc.info/?l=bugtraq&m=141383026420882&w=2 HP:HPSBMU03144 URL:http://marc.info/?l=bugtraq&m=141383081521087&w=2 HP:HPSBST03129 URL:http://marc.info/?l=bugtraq&m=141383196021590&w=2 HP:HPSBST03157 URL:http://marc.info/?l=bugtraq&m=141450491804793&w=2 HP:HPSBHF03145 URL:http://marc.info/?l=bugtraq&m=141383465822787&w=2 HP:HPSBMU03165 URL:http://marc.info/?l=bugtraq&m=141577137423233&w=2 HP:HPSBMU03182 URL:http://marc.info/?l=bugtraq&m=141585637922673&w=2 HP:HPSBST03154 URL:http://marc.info/?l=bugtraq&m=141577297623641&w=2 HP:HPSBST03155 URL:http://marc.info/?l=bugtraq&m=141576728022234&w=2 HP:HPSBST03181 URL:http://marc.info/?l=bugtraq&m=141577241923505&w=2 HP:HPSBMU03217 URL:http://marc.info/?l=bugtraq&m=141879528318582&w=2 HP:HPSBMU03245 URL:http://marc.info/?l=bugtraq&m=142358026505815&w=2 HP:HPSBMU03246 URL:http://marc.info/?l=bugtraq&m=142358078406056&w=2 HP:SSRT101742 URL:http://marc.info/?l=bugtraq&m=142358026505815&w=2 HP:SSRT101827 URL:http://marc.info/?l=bugtraq&m=141879528318582&w=2 HP:HPSBGN03233 URL:http://marc.info/?l=bugtraq&m=142118135300698&w=2 HP:SSRT101739 URL:http://marc.info/?l=bugtraq&m=142118135300698&w=2 HP:SSRT101868 URL:http://marc.info/?l=bugtraq&m=142118135300698&w=2 HP:HPSBMU03220 URL:http://marc.info/?l=bugtraq&m=142721162228379&w=2 HP:SSRT101819 URL:http://marc.info/?l=bugtraq&m=142721162228379&w=2 MANDRIVA:MDVSA-2015:164 URL:http://www.mandriva.com/security/advisories?name=MDVSA-2015:164 SUSE:SUSE-SU-2014:1287 URL:http://lists.opensuse.org/opensuse-security-announce/2014-10/msg00004.html SUSE:openSUSE-SU-2014:1310 URL:http://lists.opensuse.org/opensuse-updates/2014-10/msg00025.html UBUNTU:USN-2380-1 URL:http://www.ubuntu.com/usn/USN-2380-1 JVN:JVN#55667175 URL:http://jvn.jp/en/jp/JVN55667175/index.html JVNDB:JVNDB-2014-000126 URL:http://jvndb.jvn.jp/jvndb/JVNDB-2014-000126 SECUNIA:61641 URL:http://secunia.com/advisories/61641 SECUNIA:59907 URL:http://secunia.com/advisories/59907 SECUNIA:61283 URL:http://secunia.com/advisories/61283 SECUNIA:61485 URL:http://secunia.com/advisories/61485 SECUNIA:61503 URL:http://secunia.com/advisories/61503 SECUNIA:61552 URL:http://secunia.com/advisories/61552 SECUNIA:61565 URL:http://secunia.com/advisories/61565 SECUNIA:61603 URL:http://secunia.com/advisories/61603 SECUNIA:61633 URL:http://secunia.com/advisories/61633 SECUNIA:61643 URL:http://secunia.com/advisories/61643 SECUNIA:61654 URL:http://secunia.com/advisories/61654 SECUNIA:61703 URL:http://secunia.com/advisories/61703 SECUNIA:58200 URL:http://secunia.com/advisories/58200 SECUNIA:60034 URL:http://secunia.com/advisories/60034 SECUNIA:60055 URL:http://secunia.com/advisories/60055 SECUNIA:60193 URL:http://secunia.com/advisories/60193 SECUNIA:60325 URL:http://secunia.com/advisories/60325 SECUNIA:61065 URL:http://secunia.com/advisories/61065 SECUNIA:61128 URL:http://secunia.com/advisories/61128 SECUNIA:61129 URL:http://secunia.com/advisories/61129 SECUNIA:61287 URL:http://secunia.com/advisories/61287 SECUNIA:61312 URL:http://secunia.com/advisories/61312 SECUNIA:61313 URL:http://secunia.com/advisories/61313 SECUNIA:61328 URL:http://secunia.com/advisories/61328 SECUNIA:61442 URL:http://secunia.com/advisories/61442 SECUNIA:61471 URL:http://secunia.com/advisories/61471 SECUNIA:61550 URL:http://secunia.com/advisories/61550 SECUNIA:61780 URL:http://secunia.com/advisories/61780 SECUNIA:61816 URL:http://secunia.com/advisories/61816 SECUNIA:61857 URL:http://secunia.com/advisories/61857 SECUNIA:60024 URL:http://secunia.com/advisories/60024 SECUNIA:60063 URL:http://secunia.com/advisories/60063 SECUNIA:60044 URL:http://secunia.com/advisories/60044 SECUNIA:60433 URL:http://secunia.com/advisories/60433 SECUNIA:61291 URL:http://secunia.com/advisories/61291 SECUNIA:59961 URL:http://secunia.com/advisories/59961 SECUNIA:62312 URL:http://secunia.com/advisories/62312 SECUNIA:62343 URL:http://secunia.com/advisories/62343
Assigning CNA
N/A
Date Entry Created
20140909	Disclaimer: The entry creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20140909)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an entry on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: cve@mitre.org