VMware vSphere Replication Bash Environment Variable Command Injection Vulnerability (VMSA-2014-0010) (Shellshock)

This script is Copyright (C) 2014-2017 Tenable Network Security, Inc.


Synopsis :

The remote host has a virtualization appliance installed that is
affected by Shellshock.

Description :

The VMware vSphere Replication installed on the remote host is version
5.1.x prior to 5.1.2.2, 5.5.x prior to 5.5.1.3, 5.6.x prior to
5.6.0.2, or 5.8.x prior to 5.8.0.1. It is, therefore, affected by a
command injection vulnerability in GNU Bash known as Shellshock, which
is due to the processing of trailing strings after function
definitions in the values of environment variables. This allows a
remote attacker to execute arbitrary code via environment variable
manipulation, depending on the configuration of the system.

See also :

http://www.vmware.com/security/advisories/VMSA-2014-0010
http://seclists.org/oss-sec/2014/q3/650
https://www.invisiblethreat.ca/post/shellshock/

Solution :

Upgrade to vSphere Replication 5.1.2.2 / 5.5.1.3 / 5.6.0.2 / 5.8.0.1
or later.
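
The version ranges above can be applied to an appliance inventory with a short script. This is an added example, not part of the Nessus plugin or of VMware's advisory; the host names, the build-suffix format and the function names are assumptions made for illustration.

```python
import re

# Fixed release per branch, taken from the Description/Solution text above.
FIXED = {
    (5, 1): (5, 1, 2, 2),
    (5, 5): (5, 5, 1, 3),
    (5, 6): (5, 6, 0, 2),
    (5, 8): (5, 8, 0, 1),
}


def parse_version(text):
    """Return the leading dotted version as a 4-tuple of ints, or None."""
    m = re.match(r"\s*(\d+(?:\.\d+){1,3})", text or "")
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))  # "5.1.2" -> (5, 1, 2, 0)


def classify(version_text):
    """Classify a vSphere Replication version against the listed branches."""
    v = parse_version(version_text)
    if v is None:
        return "unparseable"
    fixed = FIXED.get(v[:2])
    if fixed is None:
        # The page lists only 5.1/5.5/5.6/5.8; make no claim about others.
        return "branch-not-covered"
    # Tuple comparison is numeric per component, so 5.6.0.10 > 5.6.0.2.
    return "affected" if v < fixed else "fixed"


def triage(inventory):
    """Map {host: version} to [(host, status, upgrade target or None)]."""
    rows = []
    for host, version in sorted(inventory.items()):
        status = classify(version)
        target = None
        if status == "affected":
            target = ".".join(map(str, FIXED[parse_version(version)[:2]]))
        rows.append((host, status, target))
    return rows


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts and build suffix).
    sample = {"vr01.example.test": "5.5.1.2",
              "vr02.example.test": "5.8.0.1-0000000",
              "vr03.example.test": "5.1.2"}
    for row in triage(sample):
        print(row)
```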

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 9.0
(CVSS2#E:POC/RL:ND/RC:ND)
Public Exploit Available : true
