Oracle third party patch update : bash_2014_10_07

Critical Nessus Plugin ID 78395

New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it's different from CVSS.

VPR Score: 9.6

Synopsis

The remote Solaris system is missing a security patch for third party software.

Description

The remote Solaris system is missing necessary patches to address critical security updates related to 'Shellshock' :

- GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the 'mod_cgi' and 'mod_cgid' modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, also known as 'Shellshock.' Note that the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. (CVE-2014-6271)

- GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access, and untrusted-pointer read and write operations) via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the 'mod_cgi' and 'mod_cgid' modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. Note that this vulnerability exists because of an incomplete fix for CVE-2014-6271 and CVE-2014-7169. (CVE-2014-6277)

- GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the 'mod_cgi' and 'mod_cgid' modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. Note that this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.
(CVE-2014-6278)

- GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have other unknown impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the 'mod_cgi' and 'mod_cgid' modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. Note that this vulnerability exists because of an incomplete fix for CVE-2014-6271. (CVE-2014-7169)

- The redirection implementation in 'parse.y' in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have other unspecified impact via crafted use of 'here' documents, also known as the 'redir_stack' issue. (CVE-2014-7186)

- An off-by-one error in the 'read_token_word' function in 'parse.y' in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have other unspecified impact via deeply nested for-loops, also known as the 'word_lineno' issue.
(CVE-2014-7187)

Solution

Upgrade the Solaris system to version SRU 11.2.2.8.0.

See Also

http://www.nessus.org/u?4a913f44

https://getupdates.oracle.com/readme/149080-02

http://seclists.org/oss-sec/2014/q3/650

http://www.nessus.org/u?dacf7829

https://www.invisiblethreat.ca/2014/09/cve-2014-6271/

https://blogs.oracle.com/patch/entry/solaris_idrs_available_on_mos

Plugin Details

Severity: Critical

ID: 78395

File Name: solaris11_bash_2014_10_07.nasl

Version: 1.13

Type: local

Published: 2014/10/13

Updated: 2021/01/14

Dependencies: 12634

Risk Information

Risk Factor: Critical

VPR Score: 9.6

CVSS v2.0

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:H/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/o:oracle:solaris

Required KB Items: Host/local_checks_enabled, Host/Solaris11/release, Host/Solaris11/pkg-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2014/10/07

Vulnerability Publication Date: 2014/09/24

Exploitable With

Core Impact

Metasploit (CUPS Filter Bash Environment Variable Code Injection (Shellshock))

Reference Information

CVE: CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187

BID: 70103, 70137, 70152, 70154, 70165, 70166

CERT: 252743

IAVA: 2014-A-0142

EDB-ID: 34765, 34766, 34777