CVE-2014-6278

CVSS 8.8 HIGH · EPSS 99.6% · KEV · CWE-78

In short

The Bash shell has a critical vulnerability: an attacker can execute arbitrary commands by crafting malicious environment variables that contain fake function definitions. This is especially dangerous for services such as SSH and web servers, which pass environment data to Bash.

Technical detail

CVE-2014-6278 is a command injection vulnerability in GNU Bash through 4.3. Bash does not properly parse function definitions in the values of environment variables, which allows remote code execution when it processes attacker-controlled environment data across a privilege boundary. Attack vectors include OpenSSH ForceCommand, Apache mod_cgi/mod_cgid, and DHCP clients. Exploitation requires the ability to set environment variables in a context where Bash will parse them.

Summary generated and translated by AI from the official description.
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products
n/a · n/a