
Cisco UCS GNU Bash Environment Variable Command Injection Vulnerability (Shellshock) CVE-2014-6278

Severity
Not available
CVSSv3 Score
Not available
Vulnerability description

On September 24, 2014, a vulnerability in the Bash shell was publicly announced. The vulnerability is related to the way in which shell functions are passed through environment variables. The vulnerability may allow an attacker to inject commands into a Bash shell, depending on how the shell is invoked. The Bash shell may be invoked by a number of processes including, but not limited to, telnet, SSH, DHCP, and scripts hosted on web servers.

Risk description

GNU bash contains a flaw that is triggered when evaluating environment variables passed from another environment. After processing a function definition, bash continues to process trailing strings. Successful exploitation will allow remote or local attackers to inject shell commands, allowing local privilege escalation or remote command execution depending on the application vector.

Recommendation

See the vendor advisory for a solution.

Codename
Not available
Detectable with
Network Scanner
Scan engine
OpenVAS
Exploitable with Sniper
No
CVE Published
Sep 30, 2014
Detection added at
Software Type
Not available
Vendor
Not available
Product
Not available