Lucene search

K
saintSAINT CorporationSAINT:2E3ECAFB8AE7339B98B8B66F6B3CB6B6
HistoryNov 05, 2014 - 12:00 a.m.

Bash Environment Variable Handling Shell Command Injection Via CUPS

2014-11-0500:00:00
SAINT Corporation
my.saintcorporation.com
62

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.974

Percentile

99.9%

Added: 11/05/2014
CVE: CVE-2014-6271
BID: 70103
OSVDB: 112004

Background

GNU Bash (Bourne Again SHell) is a command shell commonly used on Linux and Unix systems.

CUPS is printing software for UNIX-like systems that allows a computer to act as a print server.

Problem

The Bash shell executes commands injected after function definitions contained in environment variables. This could be used by a remote attacker to cause arbitrary commands to execute when a CUPS server invokes the Bash shell.

Resolution

Apply updated Bash packages from the Linux or Unix vendor.

References

<https://www.us-cert.gov/ncas/alerts/TA14-268A&gt;

Limitations

This exploit requires the user name and password for the CUPS server. This attack vector may not exist on all systems with affected versions of Bash, and other attack vectors may exist which are not covered by this exploit.

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.974

Percentile

99.9%