Guest

Cisco Event Response: GNU Bash Environment Variable Command Injection Vulnerability

Threat Summary

First Published: September 25, 2014

 

This information has been produced in reference to the recent GNU Bash Environment Variable Command Injection Vulnerability that has been made public at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271. Due to an incomplete fix, CVE-2014-7169 has also been made public.

 

Event Intelligence

The Cisco Product Security Incident Response Team (PSIRT) is currently investigating if any Cisco products are affected by this vulnerability. Any updates specifically related to Cisco products will be communicated according to the Cisco Security Vulnerability Policy. Continue to monitor this Event Response Page for the latest information. The following Cisco content is associated with this Event Response Page:

Cisco Security Advisory: GNU Bash Environment Variable Command Injection Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash

Cisco IntelliShield Alert: GNU Bash Environment Variable Command Injection Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=35816

Cisco IntelliShield Alert: GNU Bash Environment Variable String Value Handling Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=35845

Cisco Security Blog Post
http://blogs.cisco.com/security/vulnerability-bashes-systems/

Cisco Applied Mitigation Bulletin: Identifying and Mitigating Exploitation of the GNU Bash Environment Variable Command Injection Vulnerability
http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=35836

Vulnerability Characteristics

The GNU Bash Environment Variable Command Injection Vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) ID CVE-2014-6271, and due to an incomplete fix, CVE-2014-7169 has also been assigned.

A vulnerability in GNU Bash could allow an unauthenticated, remote attacker to inject arbitrary commands.

Cisco Security Analysis

GNU Bash versions through 4.3 process trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi, and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

Impact on Cisco Products

The Cisco Product Security Incident Response Team (PSIRT) is currently investigating if any Cisco products are affected by this vulnerability. Any updates specifically related to Cisco products will be communicated according to the Cisco Security Vulnerability Policy.

The Cisco Computer Security Incident Response Team (CSIRT) is investigating Cisco public-facing infrastructure that could be susceptible to this vulnerability to facilitate its remediation.

Mitigation Summary

  • IOS Zone-Based and User-Based Firewall
  • Application Layer Protocol Inspection on Cisco ASA

Effective use of Cisco Sourcefire Next-Generation Intrusion Prevention System (NGIPS) event actions provides visibility into and protection against attacks that attempt to exploit this vulnerability. The Sourcefire Snort SIDs for this vulnerability are 1:31975 through 1:31978. Talos has added coverage for this vulnerability in the 2014-09-24 release.

Effective use of Cisco Intrusion Prevention System (IPS) event actions provides visibility into and protection against attacks that attempt to exploit this vulnerability. The corresponding Signature IDs for Cisco IPS, written for the vulnerability, are 4689/0, 4689/1, 4689/2, and 4689/3 which are included as part of Cisco IPS Signature Update Package S824 (September 24, 2014).

Administrators can configure IPS sensors to perform an event action when an attack is detected. The configured event action performs preventive or deterrent controls to help protect against an attack that is attempting to exploit the GNU Bash Environment Variable Command Injection Vulnerability. An IPS device that is not placed inline and configured to drop malicious packets will only alert on attempts to exploit this vulnerability and will not prevent (mitigate) these attempts from becoming successful.

For information on using Cisco Security Manager to view the activity from a Cisco IPS sensor, see Identification of Malicious Traffic Using Cisco Security Manager.