sol15629: Multiple GNU Bash vulnerabilities
Security Advisory

Original Publication Date: 09/25/2014
Updated Date: 05/22/2015

Description

CVE-2014-6271

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

CVE-2014-7169

GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271.

CVE-2014-7186

The redirection implementation in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via crafted use of here documents, aka the "redir_stack" issue.

CVE-2014-7187

Off-by-one error in the read_token_word function in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via deeply nested for loops, aka the "word_lineno" issue.

CVE-2014-6277

GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access, and untrusted-pointer read and write operations) via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271 and CVE-2014-7169.

CVE-2014-6278

GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.
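The five CVEs above share one root cause: bash imported shell functions from arbitrarily named environment variables and kept parsing past the closing brace. The following POSIX shell script is an added example written for this page, not code from F5 or the GNU Bash project; it lets an administrator confirm from a shell on the host whether the installed bash still shows the CVE-2014-6271 behaviour and whether it uses the namespaced BASH_FUNC_ export format that the upstream fixes introduced. The function names, the variable names SHELLSHOCK_PROBE and probe_fn, and the marker strings are all constructed for the example; the only trailing command used is a harmless echo and nothing is written to disk.

```shell
#!/bin/sh
# Added example (not part of the F5 advisory): local checks for the bash
# function-import behaviour described by CVE-2014-6271 and its follow-ups.

# check_function_import: prints "vulnerable" when bash executed a command that
# trailed a function definition held in an ordinary environment variable,
# "patched" when it did not, and "no-bash" when no bash binary is available.
# Optional first argument: path to the bash binary to test (default: bash in PATH).
check_function_import() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || { echo "no-bash"; return 2; }
    # The variable value is a function body followed by a trailing command.
    # A vulnerable bash runs that trailing echo while importing the function;
    # a patched bash never treats a plain variable as a function definition.
    out=$(env SHELLSHOCK_PROBE='() { :; }; echo SHELLSHOCK_MARKER' \
          "$bash_bin" -c 'echo done' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo "vulnerable"; return 1 ;;
        *)                   echo "patched";    return 0 ;;
    esac
}

# check_export_prefix: defines and exports a function inside bash, then looks
# at how it appears in a child's environment. Fixed releases place exported
# functions under a reserved BASH_FUNC_ prefix (for example BASH_FUNC_probe_fn%%
# or BASH_FUNC_probe_fn()), so no ordinary variable can ever be parsed as code.
# Prints "namespaced", "legacy" (function exported under its bare name) or
# "not-exported", or "no-bash" when bash is absent.
check_export_prefix() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || { echo "no-bash"; return 2; }
    names=$("$bash_bin" -c 'probe_fn() { :; }; export -f probe_fn; env' 2>/dev/null \
            | cut -d= -f1)
    case "$names" in
        *BASH_FUNC_probe_fn*) echo "namespaced";   return 0 ;;
        *probe_fn*)           echo "legacy";       return 1 ;;
        *)                    echo "not-exported"; return 1 ;;
    esac
}

# Stand-alone usage: report both checks for the bash found in PATH.
printf 'function import: %s\n' "$(check_function_import)"
printf 'export format:   %s\n' "$(check_export_prefix)"
```

Both checks exit non-zero on a bad result, so they can be dropped into a fleet audit that fails loudly. The first check is the same test most vendors published in September 2014; the second is the stronger one, because a bash that reports "namespaced" has the structural fix for the whole family of parser bugs rather than a filter for one payload shape.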

Impact

These vulnerabilities may allow authenticated users to gain knowledge of sensitive information, manipulate certain data, or remotely execute code.

Status

F5 Product Development has assigned ID 480931 (BIG-IP), ID 481250 and ID 481247 (BIG-IQ), ID 483716 (Enterprise Manager), and ID 481070 (ARX) to these vulnerabilities, and has evaluated the currently supported releases for potential vulnerability. Additionally, BIG-IP iHealth may list Heuristic H508109 on the Diagnostics > Identified > High screen.

To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:

| Product | Versions known to be vulnerable | Versions known to be not vulnerable | Vulnerable component or feature |
|---|---|---|---|
| BIG-IP LTM | 11.6.0, 11.0.0 - 11.5.1, 10.0.0 - 10.2.4 | 12.0.0, 11.6.0 HF1, 11.5.2 - 11.5.3, 11.5.1 HF5, 11.5.0 HF5, 11.4.1 HF5, 11.4.0 HF8, 11.3.0 HF10, 11.2.1 HF12, 10.2.4 HF9 | Bash shell, DHCP client (dhclient) |
| BIG-IP AAM | 11.6.0, 11.4.0 - 11.5.1 | 12.0.0, 11.6.0 HF1, 11.5.2 - 11.5.3, 11.5.1 HF5, 11.5.0 HF5, 11.4.1 HF5, 11.4.0 HF8 | Bash shell, DHCP client (dhclient) |
| BIG-IP AFM | 11.6.0, 11.3.0 - 11.5.1 | 12.0.0, 11.6.0 HF1, 11.5.2 - 11.5.3, 11.5.1 HF5, 11.5.0 HF5, 11.4.1 HF5, 11.4.0 HF8, 11.3.0 HF10 | Bash shell, DHCP client (dhclient) |
| BIG-IP Analytics | 11.6.0, 11.0.0 - 11.5.1 | 12.0.0, 11.6.0 HF1, 11.5.2 - 11.5.3, 11.5.1 HF5, 11.5.0 HF5, 11.4.1 HF5, 11.4.0 HF8, 11.3.0 HF10, 11.2.1 HF12 | Bash shell, DHCP client (dhclient) |
| BIG-IP APM | 11.6.0, 11.0.0 - 11.5.1, 10.1.0 - 10.2.4 | 12.0.0, 11.6.0 HF1, 11.5.2 - 11.5.3, 11.5.1 HF5, 11.5.0 HF5, 11.4.1 HF5, 11.4.0 HF8, 11.3.0 HF10, 11.2.1 HF12, 10.2.4 HF9 | Bash shell, DHCP client (dhclient) |
| BIG-IP ASM | 11.6.0, 11.0.0 - 11.5.1, 10.0.0 - 10.2.4 | 12.0.0, 11.6.0 HF1, 11.5.2 - 11.5.3, 11.5.1 HF5, 11.5.0 HF5, 11.4.1 HF5, 11.4.0 HF8, 11.3.0 HF10, 11.2.1 HF12, 10.2.4 HF9 | Bash shell, DHCP client (dhclient) |
| BIG-IP DNS | None | 12.0.0 | None |
| BIG-IP Edge Gateway | 11.0.0 - 11.3.0, 10.1.0 - 10.2.4 | 11.3.0 HF10, 11.2.1 HF12, 10.2.4 HF9 | Bash shell, DHCP client (dhclient) |
| BIG-IP GTM | 11.6.0, 11.0.0 - 11.5.1, 10.0.0 - 10.2.4 | 11.6.0 HF1, 11.5.2 - 11.5.3, 11.5.1 HF5, 11.5.0 HF5, 11.4.1 HF5, 11.4.0 HF8, 11.3.0 HF10, 11.2.1 HF12, 10.2.4 HF9 | Bash shell, DHCP client (dhclient) |
| BIG-IP Link Controller | 11.6.0, 11.0.0 - 11.5.1, 10.0.0 - 10.2.4 | 12.0.0, 11.6.0 HF1, 11.5.2 - 11.5.3, 11.5.1 HF5, 11.5.0 HF5, 11.4.1 HF5, 11.4.0 HF8, 11.3.0 HF10, 11.2.1 HF12, 10.2.4 HF9 | Bash shell, DHCP client (dhclient) |
| BIG-IP PEM | 11.6.0, 11.3.0 - 11.5.1 | 12.0.0, 11.6.0 HF1, 11.5.2 - 11.5.3, 11.5.1 HF5, 11.5.0 HF5, 11.4.1 HF5, 11.3.0 HF10 | Bash shell, DHCP client (dhclient) |
| BIG-IP PSM | 11.0.0 - 11.4.1, 10.0.0 - 10.2.4 | 11.4.1 HF5, 11.4.0 HF8, 11.3.0 HF10, 11.2.1 HF12, 10.2.4 HF9 | Bash shell, DHCP client (dhclient) |
| BIG-IP WebAccelerator | 11.0.0 - 11.3.0, 10.0.0 - 10.2.4 | 11.3.0 HF10, 11.2.1 HF12, 10.2.4 HF9 | Bash shell, DHCP client (dhclient) |
| BIG-IP WOM | 11.0.0 - 11.3.0, 10.0.0 - 10.2.4 | 11.3.0 HF10, 11.2.1 HF12, 10.2.4 HF9 | Bash shell, DHCP client (dhclient) |
| ARX | 6.0.0 - 6.4.0 | 6.4.0 HFRU8, 6.3.0 HFRU10, 6.2.0 HFRU11 | Bash shell |
| Enterprise Manager | 3.0.0 - 3.1.1, 2.1.0 - 2.3.0 | 3.1.1 HF4 | Bash shell, DHCP client (dhclient) |
| FirePass | None | 7.0.0, 6.0.0 - 6.1.0 | None |
| BIG-IQ Cloud | 4.0.0 - 4.4.0 | 4.5.0, 4.4.0 HF1, 4.3.0 HF2 | Bash shell, DHCP client (dhclient) |
| BIG-IQ Device | 4.2.0 - 4.4.0 | 4.5.0, 4.4.0 HF1, 4.3.0 HF2 | Bash shell, DHCP client (dhclient) |
| BIG-IQ Security | 4.0.0 - 4.4.0 | 4.5.0, 4.4.0 HF1, 4.3.0 HF2 | Bash shell, DHCP client (dhclient) |
| LineRate | None | 2.4.0 - 2.4.1, 2.3.0 - 2.3.1, 2.2.0 - 2.2.4, 1.6.0 - 1.6.3 | None |
| Traffix SDC | 4.1.0, 4.0.0 - 4.0.5, 3.5.1, 3.4.1, 3.3.2 | None | Bash shell |

Note: The hotfixes listed in the Versions known to be not vulnerable column address all of the aforementioned CVEs.

Recommended Action

If the previous table lists a version in the Versions known to be not vulnerable column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.

F5 is responding to this vulnerability as determined by the parameters defined in SOL4602: Overview of the F5 security vulnerability response policy.

To mitigate this vulnerability, you should only permit access to F5 products over a secure network and limit login access to trusted users. For additional information, refer to the links in the following Supplemental Information section.

DHCP client (dhclient)

To mitigate the DHCP client vulnerability, you should disable DHCP and use a static IP for the management address. Refer to the following steps to disable DHCP for the management address.

Note: The vulnerability window for DHCP is limited to periods when the system is attempting to obtain a new DHCP lease, such as immediately after booting, or when an existing lease expires and needs to be renewed.

Impact of action: You will need an available IP address for the management address.

  1. Log in to the command line of the BIG-IP, BIG-IQ, or Enterprise Manager device, using the self IP address, or log in over a console connection.
  2. Start the config utility by typing the following command:

    config

  3. Follow the prompts to configure a static IP for the management address.

Traffix SDC

The Traffix Signaling Delivery Controller (SDC) does not use mail services (such as Postfix) or web services with enabled CGI, where the Bash shellshock vulnerability is most prevalent. However, F5 still recommends that you upgrade Bash, due to other possible techniques that can be used to exploit this weakness. For information about contacting F5 Technical Support to upgrade Bash on Traffix SDC, refer to SOL14655: Information required when opening a support case for Traffix Signaling Delivery Controller.

Supplemental Information
