openSUSE Security Update : bash (openSUSE-SU-2014:1254-1) (deprecated)

Critical Nessus Plugin ID 78115

New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it's different from CVSS.

VPR Score: 9.6

Synopsis

This plugin has been deprecated.

Description

This patch was withdrawn by the openSUSE team, as the software was fixed prior to release. No replacement patches/plugins exist.

bash was updated to fix command injection via environment variables.
(CVE-2014-6271,CVE-2014-7169)

Also a hardening patch was applied that only imports functions over BASH_FUNC_ prefixed environment variables.

Also fixed: CVE-2014-7186, CVE-2014-7187: bad handling of HERE documents and for loop issue

See Also

http://lists.opensuse.org/opensuse-updates/2014-09/msg00063.html

https://bugzilla.novell.com/show_bug.cgi?id=895475

https://bugzilla.novell.com/show_bug.cgi?id=896776

Plugin Details

Severity: Critical

ID: 78115

File Name: openSUSE-2014-567.nasl

Version: 1.12

Type: local

Agent: unix

Published: 2014/10/10

Updated: 2021/01/19

Dependencies: 12634

Risk Information

Risk Factor: Critical

VPR Score: 9.6

CVSS v2.0

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:bash, p-cpe:/a:novell:opensuse:bash-debuginfo, p-cpe:/a:novell:opensuse:bash-debuginfo-32bit, p-cpe:/a:novell:opensuse:bash-debugsource, p-cpe:/a:novell:opensuse:bash-devel, p-cpe:/a:novell:opensuse:bash-lang, p-cpe:/a:novell:opensuse:bash-loadables, p-cpe:/a:novell:opensuse:bash-loadables-debuginfo, p-cpe:/a:novell:opensuse:libreadline6, p-cpe:/a:novell:opensuse:libreadline6-32bit, p-cpe:/a:novell:opensuse:libreadline6-debuginfo, p-cpe:/a:novell:opensuse:libreadline6-debuginfo-32bit, p-cpe:/a:novell:opensuse:readline-devel, p-cpe:/a:novell:opensuse:readline-devel-32bit, cpe:/o:novell:opensuse:13.2

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2014/09/29

Exploitable With

Core Impact

Metasploit (Apache mod_cgi Bash Environment Variable Code Injection)

Reference Information

CVE: CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187

IAVA: 2014-A-0142