Summary: | On September 24, 2014, a vulnerability in the Bash shell was publicly announced. The vulnerability is related to; the way in which shell functions are passed though environment variables. The vulnerability may allow an attacker to inject commands into a Bash shell,; depending on how the shell is invoked. The Bash shell may be invoked by a number of processes including, but not limited to, telnet, SSH, DHCP, and; scripts hosted on web server |
Description: | Summary: On September 24, 2014, a vulnerability in the Bash shell was publicly announced. The vulnerability is related to the way in which shell functions are passed though environment variables. The vulnerability may allow an attacker to inject commands into a Bash shell, depending on how the shell is invoked. The Bash shell may be invoked by a number of processes including, but not limited to, telnet, SSH, DHCP, and scripts hosted on web server
Vulnerability Insight: GNU bash contains a flaw that is triggered when evaluating environment variables passed from another environment. After processing a function definition, bash continues to process trailing strings.
Vulnerability Impact: Successful exploitation will allow remote or local attackers to inject shell commands, allowing local privilege escalation or remote command execution depending on the application vector.
Solution: See vendor advisory for a solution
CVSS Score: 10.0
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
|