Vulnerability Characteristics

The GNU Bash Environment Variable Command Injection Vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) ID CVE-2014-6271, and due to an incomplete fix, CVE-2014-7169 has also been assigned.

A vulnerability in GNU Bash could allow an unauthenticated, remote attacker to inject arbitrary commands.

Cisco Security Analysis

GNU Bash versions through 4.3 process trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi, and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

Impact on Cisco Products

The Cisco Product Security Incident Response Team (PSIRT) is currently investigating if any Cisco products are affected by this vulnerability. Any updates specifically related to Cisco products will be communicated according to the Cisco Security Vulnerability Policy.

The Cisco Computer Security Incident Response Team (CSIRT) is investigating Cisco public-facing infrastructure that could be susceptible to this vulnerability to facilitate its remediation.

Mitigation Summary

• IOS Zone-Based and User-Based Firewall
• Application Layer Protocol Inspection on Cisco ASA

Effective use of Cisco Sourcefire Next-Generation Intrusion Prevention System (NGIPS) event actions provides visibility into and protection against attacks that attempt to exploit this vulnerability. The Sourcefire Snort SIDs for this vulnerability are 1:31975 through 1:31978. Talos has added coverage for this vulnerability in the 2014-09-24 release.

Effective use of Cisco Intrusion Prevention System (IPS) event actions provides visibility into and protection against attacks that attempt to exploit this vulnerability. The corresponding Signature IDs for Cisco IPS, written for the vulnerability, are 4689/0, 4689/1, 4689/2, and 4689/3 which are included as part of Cisco IPS Signature Update Package S824 (September 24, 2014).

Administrators can configure IPS sensors to perform an event action when an attack is detected. The configured event action performs preventive or deterrent controls to help protect against an attack that is attempting to exploit the GNU Bash Environment Variable Command Injection Vulnerability. An IPS device that is not placed inline and configured to drop malicious packets will only alert on attempts to exploit this vulnerability and will not prevent (mitigate) these attempts from becoming successful.

For information on using Cisco Security Manager to view the activity from a Cisco IPS sensor, see Identification of Malicious Traffic Using Cisco Security Manager.

This document is part of the Cisco Security portal. Cisco provides the official information contained on the Cisco Security portal in English only.

This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document without notice at any time.

Back to Top