KB Article #176462

CVE-2014-6271 / CVE-2014-6277 / CVE-2014-7169 / CVE-2014-7186 / CVE-2014-7187 - Bash: specially-crafted environment variables code injection attack

Problem

 

A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.

 

Resolution

*Last Update: 10/8/2014 (added information about ST on Windows and bash patch for it)

SecureTransport Server and SecureTransport Edge Appliances are running SUSE Linux Enterprise Server so they should be upgraded with the latest version of bash (see attached).

The patch released for CVE-2014-6271 does not completely fix the reported vulnerability, and new reports have been logged under CVE-2014-6277, CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187. The complete fix for all five of the above CVEs is attached.


Checking the current version of SUSE Linux Enterprise Server on the appliance:

# cat /etc/SuSE-release

  • For SUSE Linux Enterprise Server 10.x, please download the SLES10.ZIP archive attached to the article.
  • For SUSE Linux Enterprise Server 11.x, please download the SLES11.ZIP archive attached to the article.

Applying the patch:

Make sure that the /var/spool/repackage directory exists on the system before repackaging.

A) If the originally released partial patch for CVE-2014-6271 has NOT been applied:

Upload the package SLES1X.ZIP to the Appliance and extract it in a temporary directory:

# unzip SLES1X.ZIP

Once the archive is extracted, run the following commands as root to do the upgrade:

# cd SLESX
# rpm -Fvh *.rpm

B) If the originally released partial patch for CVE-2014-6271 HAS been applied:

Before applying the new fix, you may wish to prepare the already installed packages for rollback (should it be necessary). The steps to do so are:

- navigate to the temporary directory where the new packages were unzipped;
- execute:

rpm -Fvh --repackage *.rpm

This will create an RPM from the corresponding previously installed package under /var/spool/repackage and install the new one.

Should you need to roll back to the old packages, execute:

cd /var/spool/repackage && rpm -Uvh --oldpackage *.rpm


However, if you follow the process under A) directly while the partial patch for CVE-2014-6271 is installed, the new packages will be installed, but no rollback RPMs of the previously installed bash package will be created.

Additional information:

By default SecureTransport is deployed with several external agents - pre-compiled binaries and Perl scripts. SecureTransport executes them through a "symbiont" wrapper pool - therefore no execution of bash will ever occur.

Please note, however, that SecureTransport Administrators are allowed to upload their own external agents and to modify the existing Transaction Manager rules and packages. If bash is attached to a rule (explicitly, or implicitly as the runner of a script), the Transaction Manager process will pass some environment variables to that bash instance. Although it is highly unlikely that a variable can cross directly from the client to the Transaction Manager and become part of the environment of this bash process without having been sanitized, it should not be assumed to be impossible. Therefore all SecureTransport Administrators and Customization Vendors are advised to refrain from utilizing bash scripts while we are working on the final fix.

SecureTransport 4.9.2 SP2 - 5.1 SP3:

These versions of SecureTransport do ship with Apache HTTP Server 2.x and the mod_cgi module - which according to the CVE assessments is a possible vector for an attack. Please note that although the module is part of the distribution, it is not loaded with the default configuration:

  • End-user UI:

LoadModule fdx_module         modules/mod_fdx.so
LoadModule log_config_module  modules/mod_log_config.so
LoadModule setenvif_module    modules/mod_setenvif.so
LoadModule mime_module        modules/mod_mime.so
LoadModule ssl_module         modules/mod_ssl.so

  • Administrator's UI:

LoadModule authz_host_module         modules/admin/mod_authz_host.so
LoadModule mime_module               modules/admin/mod_mime.so
LoadModule log_config_module         modules/admin/mod_log_config.so
LoadModule setenvif_module           modules/admin/mod_setenvif.so
LoadModule alias_module              modules/admin/mod_alias.so
LoadModule env_module                modules/admin/mod_env.so
LoadModule ssl_module                modules/admin/mod_ssl.so
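
To confirm on a deployed system that no CGI module has been enabled since installation, the Apache configuration can be scanned for active LoadModule lines. The script below is an added example, not part of the original article or of the vendor's tooling; the configuration file paths are not given in the article, so they are passed as arguments, and the sample configuration it can write is constructed for illustration.

```shell
#!/bin/sh
# Added example: report active LoadModule directives for mod_cgi / mod_cgid.
# Assumption: the caller supplies the httpd configuration file paths.

# Print "file:line:module" for each uncommented LoadModule directive that
# loads a CGI module. Apache directive names are case-insensitive.
find_cgi_modules() {
    for conf in "$@"; do
        [ -r "$conf" ] || { echo "cannot read $conf" >&2; continue; }
        awk -v f="$conf" '
            /^[ \t]*#/ { next }              # ignore commented-out lines
            tolower($1) == "loadmodule" &&
            ($2 == "cgi_module" || $2 == "cgid_module" ||
             $3 ~ /(^|\/)mod_cgid?\.so$/) {
                printf "%s:%d:%s\n", f, NR, $2
            }' "$conf"
    done
}

# Succeeds (status 0) only when none of the given files loads a CGI module.
cgi_disabled() {
    [ -z "$(find_cgi_modules "$@")" ]
}

# Write a constructed sample configuration (not taken from a real system):
# one harmless module, one commented-out CGI line, one active CGI line.
write_sample_conf() {
    printf '%s\n' \
        'LoadModule mime_module modules/mod_mime.so' \
        '#LoadModule cgi_module modules/mod_cgi.so' \
        '  loadmodule cgid_module modules/mod_cgid.so' > "$1"
}

# When run with file arguments, audit them and report the result.
if [ "$#" -gt 0 ]; then
    if cgi_disabled "$@"; then
        echo "OK: no CGI module is loaded"
    else
        echo "WARNING: CGI module loaded:"
        find_cgi_modules "$@"
    fi
fi
```

Files pulled in through Include directives are not followed, so pass each included file explicitly.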

SecureTransport 5.2.x:

Apache HTTP Server is not shipped with SecureTransport 5.2.x.


SecureTransport 4.9.2 SP2 - 5.2.1 SP4 on Windows OS (Cygwin Bash patch):

SecureTransport versions, running on Windows Operating Systems, are confirmed to not be vulnerable to CVE-2014-6271 / CVE-2014-7169 / CVE-2014-7186 / CVE-2014-7187.

However, SecureTransport ships with a Cygwin distribution that embeds a vulnerable version of Bash and is vulnerable to CVE-2014-6271 / CVE-2014-7169 / CVE-2014-7186 / CVE-2014-7187.

The patch for the Cygwin Bash shipped with SecureTransport versions 4.9.2 SP2 - 5.2.1 SP4 is attached.
For installation instructions, please refer to the patch release notes, which are part of the zip archive.