⚠ Actively exploited
Added to CISA KEV on 2022-01-28. Federal agencies required to patch by 2022-07-28. Required action: Apply updates per vendor instructions..

CVE-2014-6271

CWE-78OS Command InjectionCWE-119Buffer Overflow77 documents20 sources
Severity
9.8CRITICAL
EPSS
94.2%
top 0.08%
CISA KEV
KEV
Added 2022-01-28
Due 2022-07-28
Exploit
Exploited in wild
Active exploitation observed
Affected products
74
Apple MAC OS XArista EOSCheckpoint Security Gateway+71 more
Timeline
PublishedSep 24
KEV addedJan 28
Latest updateMay 13
KEV dueJul 28
CISA Required Action: Apply updates per vendor instructions.

Description

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "Sh

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages62 packages

Debianbash< 4.3-9.1+3
NVDgnu/bash4.3
NVDredhat/enterprise_linux_server5.0, 6.0, 7.0+2

Also affects: Debian Linux 7.0, Ubuntu Linux 10.04, 12.04, 14.04, Enterprise Linux 4.0, 5.0, 6.0, 7.0, 5.9, 6.4, 6.5, 7.3, 7.4, 7.5, 7.6, 7.7, 5.0_ppc, 5.9_ppc, 6.0_ppc64, 6.4_ppc64, 7.0_ppc64, 6.5_ppc64, 7.3_ppc64, 7.4_ppc64, 7.5_ppc64, 7.6_ppc64, 7.7_ppc64, 5.6, 6.2

Patches

Patch: bugzilla.redhat.comPatch: bugzilla.redhat.com

🔴Vulnerability Details

4
GHSA
GHSA-6hfc-grwp-2p9c: GNU Bash through 42022-05-13
CVEList
CVE-2014-6271: GNU Bash through 42014-09-24
OSV
CVE-2014-6271: GNU Bash through 42014-09-24
VulnCheck
GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability2014

💥Exploits & PoCs

23
Exploit-DB
Qmail SMTP 1.03 - Bash Environment Variable Injection2020-07-08
Exploit-DB
Qmail SMTP - Bash Environment Variable Injection (Metasploit)2017-10-02
Exploit-DB
RedStar 3.0 Server - 'Shellshock' 'BEAM' / 'RSSMON' Command Injection2016-12-18
Exploit-DB
TrendMicro InterScan Web Security Virtual Appliance - 'Shellshock' Remote Command Injection2016-10-21
Exploit-DB
IPFire - 'Shellshock' Bash Environment Variable Command Injection (Metasploit)2016-06-10

🔍Detection Rules

26
Suricata
ET EXPLOIT VisualDoor Sonicwall SSL VPN Exploit Attempt2021-01-25
Suricata
ET WEB_SERVER Possible CVE-2014-6271 Attempt2015-11-04
Suricata
ET EXPLOIT QNAP Shellshock script retrieval2014-12-10
Suricata
ET EXPLOIT QNAP Shellshock CVE-2014-62712014-12-10
Suricata
ET EXPLOIT Possible CVE-2014-6271 exploit attempt via malicious DNS2014-10-15

📋Vendor Advisories

8
CISA
GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability2022-01-28
CISA
GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability2022-01-28
Red Hat
bash: incorrect parsing of function definitions with nested command substitutions2014-09-29
Red Hat
bash: uninitialized here document closing delimiter pointer use2014-09-27
Cisco
GNU Bash Environment Variable Command Injection Vulnerability2014-09-26

🕵️Threat Intelligence

9
Talos
Shellshock Exploits in the Wild2014-09-30
Talos
Shellshock Exploits in the Wild2014-09-30
Talos
Another Major Vulnerability Bashes Systems2014-09-25
Unit42
Palo Alto Networks Addresses Bash Vulnerability Shellshock: Mitigation for CVE-2014-62712014-09-25
Talos
Another Major Vulnerability Bashes Systems2014-09-25

📄Research Papers

1
CTF
010. shellshock / README

💬Community

3
Bugzilla
CVE-2014-7169 bash: code execution via specially-crafted environment (Incomplete fix for CVE-2014-6271)2014-09-25
Bugzilla
CVE-2014-7169 bash: Code execution via specially-crafted environment (Incomplete fix for CVE-2014-6271) [fedora-all]2014-09-25
Bugzilla
CVE-2014-6271 bash: specially-crafted environment variables can be used to inject shell commands2014-09-15