HIRT-PUB14011: GNU Bourne-Again Shell (Bash) 'Shellshock' issue in Hitachi products

Last Updated: October 7, 2014

• Japanese

1. Overview

GNU Bourne-Again Shell (Bash) contains a vulnerability that could allow an attacker to remotely execute shell commands by attaching malicious code in environment variables used by the operating system. This vulnerability is commonly referred to as "Shellshock".

September 24, 2014
GNU Bash vulnerability (CVE-2014-6271) in environment variables parsing was disclosed to the public. Security update for GNU Bash vulnerability (CVE-2014-6271) has been released for most major Linux distributions.

September 25, 2014
GNU Bash Incomplete Fix Remote Code Execution Vulnerability (CVE-2014-7169) was disclosed to the public.

September 26, 2014
Security update for GNU Bash vulnerability (CVE-2014-7169) has been released for most major Linux distributions. Also, Red Hat reported "Out of Bounds Memory Access Denial of Service Vulnerability (CVE-2014-7186)" and "Off-By-One Error Denial of Service Vulnerability (CVE-2014-7187)".

September 27, 2014
GNU Bash Incomplete Fix Remote Code Execution Vulnerability (CVE-2014-6277 and CVE-2014-6278) was disclosed to the public.

CVSS Severity

CVE-2014-6271: GNU Bash Remote Code Execution Vulnerability
CVE-2014-7169: GNU Bash Incomplete Fix Remote Code Execution Vulnerability
CVE-2014-7186: Out of Bounds Memory Access Denial of Service Vulnerability
CVE-2014-7187: Off-By-One Error Denial of Service Vulnerability
CVE-2014-6277: GNU Bash Incomplete Fix Remote Code Execution Vulnerability
CVE-2014-6278: GNU Bash Incomplete Fix Remote Code Execution Vulnerability

 Base Metrics: 10.0
  Access Vector: Network
  Access Complexity: Low
  Authentication: None
  Confidentiality Impact: Complete
  Integrity Impact: Complete
  Availability Impact: Complete

 Temporal Metrics 8.7 (September 27, 2014)
  Exploitablity: High
  Remediation Level: Official fix
  Report Confidence: Confirmed

• http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:OF/RC:C)

2. Affected Systems

+ GNU Bash through 4.3
+ Linux, BSD, and UNIX distributions that use GNU Bash
+ Hitachi Products that use GNU Bash

3. Impact

By attacking a service that uses a vulnerable version of GNU Bash, a remote, unauthenticated attacker may be able to execute shell commands by attaching malicious code in environment variables used by the operating system.

Web application
CGI scripts are likely affected by this issue: when a CGI script is run by the web server, it uses environment variables to pass data to the script.

Secure Shell (SSH)
This issue can be used to execute any command to bypass the restricted command control.

DHCP client
DHCP client uses various environment variables and runs Bash to configure the network interface. Connecting to a malicious DHCP server could allow an attacker to remotely execute arbitrary commands.

Mail server
qmail uses various environment variables to refer the value of mail from: and rcpt to:. This can be used to execute arbitrary commands by specially crafted environment variables.

Figure 1. (Example) Arbitrary shell commands execution by specially crafted environment variables.

4. Solution

Apply an update

This issue is addressed in GNU Bash. Followings are security update of Linux distributions. Also, please refer to the advisories in "5. Product Information" of Hitachi.

• CentOS
  
  • CVE-2014-6271
    [CentOS] Critical update for bash released today.
    http://lists.centos.org/pipermail/centos/2014-September/146099.html
    
  • CVE-2014-7169
    [CentOS-announce] CESA-2014:1306 Important CentOS 5 bash Security Update
    http://lists.centos.org/pipermail/centos-announce/2014-September/020591.html
    [CentOS-announce] CESA-2014:1306 Important CentOS 6 bash Security Update
    http://lists.centos.org/pipermail/centos-announce/2014-September/020593.html
    [CentOS-announce] CESA-2014:1306 Important CentOS 7 bash Security Update
    http://lists.centos.org/pipermail/centos-announce/2014-September/020592.html
    
• Debian
  
  • CVE-2014-6271
    DSA-3032-1 bash -- security update
    https://www.debian.org/security/2014/dsa-3032
    
  • CVE-2014-7169
    DSA-3035-1 bash -- security update
    https://www.debian.org/security/2014/dsa-3035
    
• Red Hat
  
  • CVE-2014-6271
    RHSA-2014-1293 Critical: bash security update
    https://rhn.redhat.com/errata/RHSA-2014-1293.html
    RHSA-2014-1294 Critical: bash security update
    https://rhn.redhat.com/errata/RHSA-2014-1294.html
    RHSA-2014-1295 Critical: bash Shift_JIS security update
    https://rhn.redhat.com/errata/RHSA-2014-1295.html
    
  • CVE-2014-7169,CVE-2014-7186,CVE-2014-7187
    RHSA-2014-1306 Important: bash security update
    https://rhn.redhat.com/errata/RHSA-2014-1306.html
    RHSA-2014-1311 Important: bash security update
    https://rhn.redhat.com/errata/RHSA-2014-1311.html
    RHSA-2014-1312 Critical: bash Shift_JIS security update
    https://rhn.redhat.com/errata/RHSA-2014-1312.html
    
  • CVE-2014-6277,CVE-2014-6278
    Resolution for Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278) in Red Hat Enterprise Linux
    https://access.redhat.com/solutions/1207723
    
• Ubuntu
  
  • CVE-2014-6271,CVE-2014-7169
    USN-2363-1: Bash vulnerability
    http://www.ubuntu.com/usn/usn-2363-1/
    USN-2363-2: Bash vulnerability
    http://www.ubuntu.com/usn/usn-2363-2/
    
  • CVE-2014-7186,CVE-2014-7187
    USN-2364-1: Bash vulnerabilities
    http://www.ubuntu.com/usn/usn-2364-1/
    

5. Product Information

October 6, 2014

+ AlaxalA Networks AX series <Products Confirmed Not Vulnerable>
     [AX8600R/6700S/6600S/6300S, AX4600S/3800S/3600S/2400S]
     [AX7800R/7700R/7800S/5400S]
     [AX2500S/2200S/1200S]
     [AX620R]

October 3, 2014

+ Hitachi Advanced Server HA8000 series <*>
+ Hitachi Advanced Server HA8500 series <*>
+ Client Blade FLORA bd100/bd500 series <*>
+ Thin Client FLORA Se210/Se330 series <*>
+ Hitachi bd Link <*>
+ Entry class disk array model BR1200 <*>
+ Tape Library L1/8A, Lx/24, Lx/30A, Lx/48, L20/300, L18/500, L56/3000, L64/8500 <*>
+ Hitachi UPS/Management software/Hitachi UPS option, PowerMonitor H, PowerMonitor H for Network,
   SNMP interface card, Disk interface card, SNMP+Disk interface card <*>
+ Display/Keyboard unit/Switch Console Unit <*>
+ Hitachi Server Navigator Update Manager, Log Collect, Log Monitor, Alive Monitor, RAID Navigator <*>
+ Hitachi Server Navigator Installation Assistant <*>
<*>: <Products Confirmed Not Vulnerable>

• Impact of GNU Bash vulnerability (CVE-2014-6271, CVE-2014-7169 and related CVEs) [Japanese]

October 1, 2014

+ Hitachi Metals Switch Apresia series <Products Confirmed Not Vulnerable>
+ Hitachi Metals XLGMC/XGMC/GMC/GMX/eWAVE/BMC/GMA series <Products Confirmed Not Vulnerable>

• HCVU000000016: GNU Bash vulnerability in environment variables parsing [Japanese]

September 30, 2014

+ Hitachi Open Middleware Products <Products Confirmed Not Vulnerable>
+ Hitachi Storage Products
+ VFP(Hitachi Virtual File Platform)

• Solution of GNU Bash vulnerability (CVE-2014-6271, CVE-2014-7169 and related CVEs) [Japanese]

---

+ Virtage(BladeSymphonyBS2000/BS500/BS320/BS1000 series)

• Solution of GNU Bash vulnerability (CVE-2014-6271, CVE-2014-7169 and related CVEs) in Virtage [Japanese]

6. References

• VU#252743: GNU Bash shell executes commands in exported functions in environment variables (2014-09-25)
  http://www.kb.cert.org/vuls/id/252743
• CVE-2014-6271
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
• CVE-2014-7169
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
• CVE-2014-7186
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186
• CVE-2014-7187
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187
• CVE-2014-6277
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277
• CVE-2014-6278
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278
• TA14-268A: GNU Bourne-Again Shell (Bash) 'Shellshock' Vulnerability (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277 and CVE 2014-6278) (2014-09-25)
  https://www.us-cert.gov/ncas/alerts/TA14-268A
• ICSA-14-269-01: Bash Command Injection Vulnerability (2014-09-26)
  https://ics-cert.us-cert.gov/advisories/ICSA-14-269-01

7. Update history

October 7, 2014

• This webpage was newly created and published.

---

Masato Terada (HIRT) and Naoko Ohnishi (HIRT)