Oracle third party patch update : bash_2014_10_07

critical Nessus Plugin ID 78395

Language:

New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

The remote Solaris system is missing a security patch for third party software.

Description

The remote Solaris system is missing necessary patches to address critical security updates related to 'Shellshock' :

 - GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the 'mod_cgi' and 'mod_cgid' modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, also known as 'Shellshock.' Note that the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. (CVE-2014-6271)

 - GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access, and untrusted-pointer read and write operations) via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the 'mod_cgi' and 'mod_cgid' modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. Note that this vulnerability exists because of an incomplete fix for CVE-2014-6271 and CVE-2014-7169. (CVE-2014-6277)

 - GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the 'mod_cgi' and 'mod_cgid' modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. Note that this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.
 (CVE-2014-6278)

 - GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have other unknown impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the 'mod_cgi' and 'mod_cgid' modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. Note that this vulnerability exists because of an incomplete fix for CVE-2014-6271. (CVE-2014-7169)

 - The redirection implementation in 'parse.y' in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have other unspecified impact via crafted use of 'here' documents, also known as the 'redir_stack' issue. (CVE-2014-7186)

 - An off-by-one error in the 'read_token_word' function in 'parse.y' in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have other unspecified impact via deeply nested for-loops, also known as the 'word_lineno' issue.
 (CVE-2014-7187)

Solution

Upgrade the Solaris system to version SRU 11.2.2.8.0.

See Also

http://www.nessus.org/u?4a913f44

https://getupdates.oracle.com/readme/149080-02

http://seclists.org/oss-sec/2014/q3/650

http://www.nessus.org/u?dacf7829

https://www.invisiblethreat.ca/2014/09/cve-2014-6271/

https://blogs.oracle.com/patch/entry/solaris_idrs_available_on_mos

Plugin Details

Severity: Critical

ID: 78395

File Name: solaris11_bash_2014_10_07.nasl

Version: 1.13

Type: local

Published: 10/13/2014

Updated: 1/14/2021

Dependencies: ssh_get_info.nasl

Risk Information

VPR

Risk Factor: Critical

Score: 9.8

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: E:H/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/o:oracle:solaris

Required KB Items: Host/local_checks_enabled, Host/Solaris11/release, Host/Solaris11/pkg-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/7/2014

Vulnerability Publication Date: 9/24/2014

Exploitable With

Core Impact

Metasploit (CUPS Filter Bash Environment Variable Code Injection (Shellshock))

Reference Information

CVE: CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187

BID: 70103, 70137, 70152, 70154, 70165, 70166

CERT: 252743

IAVA: 2014-A-0142

EDB-ID: 34765, 34766, 34777