Zero-day Vulnerability Database

Change view

Zero-day vulnerabilities discovered: 1

Multiple RCE vulnerabilities in GNU Bash aka Shellshock
CVE-2014-6271

Command injection

The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

The vulnerability exists due to incorrect parsing of environment variables. A remote attacker can execute arbitrary code on the target system as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

Successful exploitation may allow an attacker to gain complete control over vulnerable system.

Exploitation example:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

Note: this vulnerability was being actively exploited in the wild.

i

Shellshock is a variety of vulnerabilities in GNU Bash implementation caused by incomplete patches after official release of the fix and public disclosure of the vulnerability. There were 5 failed attempts in total to fix this Shellshock bugs until it was finally patched in version bash43-027, released on October 1, 2014.

Some of these vulnerabilities were exploited in the wild before the patch, which makes them zero-days. These vulnerabilities are covered under the following CVEs:

CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187

Giving the nature of the vulnerabilities and attack vectors we have decided to cover these vulnerabilities under one description and count them as one zero-day vulnerability.

Software: Bash

Shellshock is a variety of vulnerabilities in GNU Bash implementation caused by incomplete patches after official release of the fix and public disclosure of the vulnerability. There were 5 failed attempts in total to fix this Shellshock bugs until it was finally patched in version bash43-027, released on October 1, 2014.

Some of these vulnerabilities were exploited in the wild before the patch, which makes them zero-days. These vulnerabilities are covered under the following CVEs:

CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187

Giving the nature of the vulnerabilities and attack vectors we have decided to cover these vulnerabilities under one description and count them as one zero-day vulnerability.