Shellshock (software bug): Difference between revisions

m date format audit
+CVE template
Line 8:
| image = [[Image:Shellshock-bug.png|180px]]
| caption = A simple Shellshock logo, similar to the [[Heartbleed]] bug logo. <!-- Only one of the logos commonly applied to the bug shall be used here. See the talkpage.-->
| CVE = {{CVE|2014-6271}} (initial),<br/>{{CVE|2014-6277}},<br/> {{CVE|2014-6278}},<br/> {{CVE|2014-7169}},<br/> {{CVE|2014-7186}},<br/> {{CVE|2014-7187}}
| discovered = {{Start date and age|2014|9|12|df=yes}}
| patched = {{Start date and age|2014|9|24|df=yes}}
Line 56:
==Reported vulnerabilities==
===Overview===
The maintainer of Bash was warned about the first discovery of the bug on 2014-09-12; a fix followed soon.<ref name="NYT-20140925-NP" /> A few companies and distributors were informed before the matter was publicly disclosed on 2014-09-24 with CVE identifier {{CVE|2014-6271}}.<ref name="seclist-q3-650" /><ref name="seclist-q3-666" /> However, after the release of the patch there were subsequent reports of different, yet related vulnerabilities.<ref name="wheeler-summary">{{cite web | url=http://www.dwheeler.com/essays/shellshock.html | title=Shellshock | date=13 February 2015 | accessdate=17 September 2016}}</ref>
 
On 26 September 2014, two open-source contributors, David A. Wheeler and Norihiro Tanaka, noted that there were additional issues, even after patching systems using the most recently available patches. In an email addressed to the oss-sec list and the bash bug list, Wheeler wrote: "This patch just continues the 'whack-a-mole' job of fixing parsing errors that began with the first patch. Bash's parser is certain [to] have many many many other vulnerabilities".<ref name="BASH Whack-a-mole">{{cite web |last=Gallagher |first=Sean |title=Still more vulnerabilities in bash? Shellshock becomes whack-a-mole |url=https://arstechnica.com/security/2014/09/still-more-vulnerabilities-in-bash-shellshock-becomes-whack-a-mole/|date=26 September 2014 |publisher=[[Arstechnica]] |accessdate=26 September 2014}}</ref> However, this was general reasoning that presented no actual exploitation examples, and it implied restricting Bash functionality, with the effect that some Bash scripts would no longer work, even if ''not'' intended to harm other users.
Line 63:
 
===Initial report (CVE-2014-6271)===
This original form of the vulnerability ({{CVE|2014-6271}}) involves a specially crafted environment variable containing an exported function definition, followed by arbitrary commands. Bash incorrectly executes the trailing commands when it imports the function.<ref name="nvd6271">{{cite web|url=http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271|title=Vulnerability Summary for CVE-2014-6271|publisher=NIST|date=4 October 2014|accessdate=8 October 2014}}</ref> The vulnerability can be tested with the following command:
 
<source lang="bash">env x='() { :;}; echo vulnerable' bash -c "echo this is a test"</source>
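
An added example (not part of the original article) of triaging an environment block for the pattern described above: a value that begins with a function definition and continues with trailing commands. The brace matching is a heuristic, not Bash's parser, and the function names and sample data are constructed for illustration.

```python
# Heuristic triage of environment values for the CVE-2014-6271 pattern.
# Added example: names and sample data are constructed, not from the article.

FUNC_PREFIX = "() {"  # value prefix vulnerable Bash imported as a function


def trailing_after_function(value):
    """Text left after the function body closes; None if it never closes."""
    if not value.startswith(FUNC_PREFIX):
        return None
    depth, quote, i = 0, None, value.index("{")
    while i < len(value):
        ch = value[i]
        if quote:                          # inside '...' or "..."
            if ch == "\\" and quote == '"':
                i += 1                     # escaped char in double quotes
            elif ch == quote:
                quote = None
        elif ch == "\\":
            i += 1                         # escaped char outside quotes
        elif ch in "'\"":
            quote = ch
        elif ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:                 # body closed: what follows it?
                return value[i + 1:].strip(" \t\n;")
        i += 1
    return None


def classify(value):
    if not value.startswith(FUNC_PREFIX):
        return "plain"
    rest = trailing_after_function(value)
    if rest is None:
        return "malformed"                 # body never closes
    return "function+trailing" if rest else "function"


def scan_environ(block):
    """Scan a NUL-separated NAME=value block (e.g. /proc/<pid>/environ)."""
    findings = []
    for entry in block.split(b"\0"):
        name, sep, value = entry.decode("utf-8", "replace").partition("=")
        if sep and (verdict := classify(value)) != "plain":
            findings.append((name, verdict))
    return findings


# Constructed sample environment block.
SAMPLE = (b"PATH=/usr/bin:/bin\0" b"x=() { :;}; echo vulnerable\0"
          b"greet=() {  echo \"hi }\"\n}\0" b"broken=() { echo hi\0")
```

Calling `scan_environ(SAMPLE)` flags `x` as `function+trailing`, `greet` as `function` and `broken` as `malformed`; given the later parser bugs listed on this page, every non-`plain` verdict merits review on a system that has not been patched.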
Line 70:
 
===CVE-2014-6277===
Discovered by [[Michał Zalewski]],<ref name="ITN-20140929" /><ref name="HH-20140928" /><ref name="NIST-20140927">{{cite web |author=Staff |title=National Cyber Awareness System Vulnerability Summary for CVE-2014-6277 |url=https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6277 |date=27 September 2014 |work=[[National Institute of Standards and Technology]] |accessdate=28 September 2014 }}</ref> the vulnerability {{CVE|2014-6277}}, which relates to the parsing of function definitions in environment variables by Bash, can cause a [[Segmentation fault|segfault]].<ref name="PCW-20140929">{{cite web |last1=Constatin |first1=Lucian |title=Improved patch tackles new Shellshock Bash bug attack vectors |url=http://www.pcworld.com/article/2688932/improved-patch-tackles-new-shellshock-attack-vectors.html |date=29 September 2014 |website=[[PC World]] |accessdate=1 October 2014 }}</ref>
 
===CVE-2014-6278===
Also discovered by [[Michał Zalewski]],<ref name="PCW-20140929" /><ref>{{cite web |author=Staff |title=National Cyber Awareness System Vulnerability Summary for CVE-2014-6278 |url=https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6278 |date=30 September 2014 |work=[[National Institute of Standards and Technology]] |accessdate=1 October 2014 }}</ref> this bug ({{CVE|2014-6278}}) relates to the parsing of function definitions in environment variables by Bash.
 
===CVE-2014-7169===
On the same day the original vulnerability was published, Tavis Ormandy discovered this related bug ({{CVE|2014-7169}}),<ref name="qualys" /> which is demonstrated in the following code:
 
Line 107:
 
===CVE-2014-7186===
Florian Weimer and Todd Sabin found this bug ({{CVE|2014-7186}}),<ref name="zdnet-betterbash">{{cite web|last1=Vaughan-Nichols|first1=Steven|title=Shellshock: Better 'bash' patches now available|url=http://www.zdnet.com/shellshock-better-bash-patches-now-available-7000034115/|publisher=ZDNet|accessdate=29 September 2014|date=27 September 2014 }}</ref><ref name="lcamtuf-oct-1" /> which relates to an [[buffer overflow|out-of-bounds memory access error]] in the Bash parser code.<ref>{{cite web |author=Staff |title=National Cyber Awareness System Vulnerability Summary for CVE-2014-7186 |url=https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7186 |date=29 September 2014 |work=[[National Institute of Standards and Technology]] |accessdate=1 October 2014 }}</ref>
 
An example of the vulnerability, which leverages the use of multiple "<<EOF" declarations (nested [[Here document|"here documents"]]):
Line 117:
 
===CVE-2014-7187===
Also found by Florian Weimer,<ref name="zdnet-betterbash" /> {{CVE|2014-7187}} is an [[off-by-one error]] in the Bash parser code, allowing out-of-bounds memory access.<ref>{{cite web |author=Staff |title=National Cyber Awareness System Vulnerability Summary for CVE-2014-7187 |url=https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7187 |date=29 September 2014 |work=[[National Institute of Standards and Technology]] |accessdate=1 October 2014 }}</ref>
 
An example of the vulnerability, which leverages the use of multiple "done" declarations: