Signature Detail

DHCP: GNU Bash Environment Variable Handling Command Execution DHCP Vector

This signature detects attempts to exploit a known vulnerability against GNU Bash. The vulnerability is due to a failure in handling environment variables. A remote attacker can exploit this vulnerability by interacting with an application that uses Bash environment variables whose content is determined by input read from the network such as a DHCP client. If an attacker can control the value of an environment variable, then command execution can be achieved in the context of the application using the environment variable.

Extended Description

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.

Affected Products

• Gnu bash 1.14.0
• Gnu bash 1.14.1
• Gnu bash 1.14.2
• Gnu bash 1.14.3
• Gnu bash 1.14.4
• Gnu bash 1.14.5
• Gnu bash 1.14.6
• Gnu bash 1.14.7
• Gnu bash 2.0
• Gnu bash 2.01
• Gnu bash 2.01.1
• Gnu bash 2.02
• Gnu bash 2.02.1
• Gnu bash 2.03
• Gnu bash 2.04
• Gnu bash 2.05
• Gnu bash 3.0
• Gnu bash 3.0.16
• Gnu bash 3.1
• Gnu bash 3.2
• Gnu bash 3.2.48
• Gnu bash 4.0
• Gnu bash 4.1
• Gnu bash 4.2
• Gnu bash 4.3

References

• BugTraq: 70103
• CVE: CVE-2014-6271
• CVE: CVE-2014-7169