Bash CVE-2014-6271 and CVE-2014-7169 Vulnerability

Summary

This article provides information about a security issue in the Unix shell Bash (Bourne Again Shell), which is commonly used in Linux environments as well as on Mac OS.

Information

CVE-2014-6271
A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.

 

CVE-2014-7169
This CVE describes the incomplete fix for CVE-2014-6271 in the first round of patches.

For further information, please refer to the References section.

Solution

We strongly suggest you immediately install the latest patches for the bash executable on all systems!

All major Linux distributions have released patches, both for the original and the follow-up CVE. So far there are no known problems with either of these patches. At the time of writing, the second patch has not yet been distributed to all patch mirrors, so you are advised to verify the version of the patch provided by your mirror.
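One way to carry out the mirror check advised above, as an added example that is not part of the original advisory: it lists which of the two CVE identifiers a bash package changelog fails to mention. It assumes the distribution records CVE ids in its package changelog; the function names, the Debian changelog path and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which of the two bash CVE fixes a package changelog
# does NOT mention. Empty output means both fixes are referenced.
# Assumption: the packager records CVE ids in the changelog.

CVES="CVE-2014-6271 CVE-2014-7169"

# Reads changelog text on stdin, prints the missing CVE ids (space separated).
missing_bash_fixes() {
    log=$(cat)
    missing=""
    for cve in $CVES; do
        if ! printf '%s\n' "$log" | grep -q -- "$cve"; then
            missing="${missing:+$missing }$cve"
        fi
    done
    printf '%s\n' "$missing"
}

# Prints the installed bash package changelog (assumed sources: rpm database,
# or the Debian-style changelog file shipped with the package).
installed_bash_changelog() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --changelog bash
    elif [ -r /usr/share/doc/bash/changelog.Debian.gz ]; then
        gzip -dc /usr/share/doc/bash/changelog.Debian.gz
    else
        echo "no known changelog source for bash on this system" >&2
        return 1
    fi
}

# Constructed sample: a mirror that has served only the first-round patch.
SAMPLE_FIRST_ONLY='* Wed Sep 24 2014 Packager <packager@example.com>
- Fix CVE-2014-6271: code execution via crafted environment variables'

# Constructed sample: both rounds of patches installed.
SAMPLE_BOTH='* Fri Sep 26 2014 Packager <packager@example.com>
- Fix CVE-2014-7169: incomplete fix for CVE-2014-6271
* Wed Sep 24 2014 Packager <packager@example.com>
- Fix CVE-2014-6271: code execution via crafted environment variables'

printf 'first-only sample is missing: %s\n' "$(printf '%s\n' "$SAMPLE_FIRST_ONLY" | missing_bash_fixes)"
printf 'both-patches sample is missing: %s\n' "$(printf '%s\n' "$SAMPLE_BOTH" | missing_bash_fixes)"
# On a real host: installed_bash_changelog | missing_bash_fixes
```

If the real-host pipeline prints CVE-2014-7169, the mirror has only delivered the first round of patches and the update should be repeated once the second patch is available.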

References

Applies to

  • All Mindbreeze products running in a Linux environment