This security advisory (SA) describes the impact of 6 Bash vulnerabilities discovered in third-party software (Vulnerability ID: HWPSIRT-2014-0951).
1. OS Command Injections vulnerability (CVE-2014-6271). GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. The NVD link is: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
2. OS Command Injections vulnerability (CVE-2014-6277). GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access, and untrusted-pointer read and write operations) via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271 and CVE-2014-7169. The NVD link is: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6277
3. OS Command Injections vulnerability (CVE-2014-6278). GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277. The NVD link is: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6278
4. OS Command Injections vulnerability (CVE-2014-7169). GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271. The NVD link is: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169
5. OS Command Injections vulnerability (CVE-2014-7186). The redirection implementation in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via crafted use of here documents, aka the "redir_stack" issue. The NVD link is: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7186
6. OS Command Injections vulnerability (CVE-2014-7187). Off-by-one error in the read_token_word function in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via deeply nested for loops, aka the "word_lineno" issue.
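The mod_cgi vector named above works because request headers are copied into environment variables before Bash runs, so a value beginning with the function-definition prefix `() {` is a useful detection marker. The following is an added example, not part of the original advisory or any Huawei tooling: it scans Apache combined-format access log lines for that marker. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag HTTP requests whose quoted log fields carry the Bash
# function-definition prefix "() {", the marker of the crafted environment
# values described for CVE-2014-6271 and its follow-up CVEs.
# Assumes Apache "combined" log format; a field containing an escaped
# double quote (\") would shift the field positions and is not handled.

# scan_access_log: read log lines on stdin and print "<client> <field>"
# for every quoted field (request, referer, user-agent) with the marker.
scan_access_log() {
    awk -F'"' '
    {
        split($1, pre, " ")              # pre[1] is the client address
        name[2] = "request"
        name[4] = "referer"
        name[6] = "user-agent"
        for (i = 2; i <= 6; i += 2)
            if ($i ~ /\(\)[ \t]*\{/)     # "()" then optional blanks then "{"
                print pre[1], name[i]
    }'
}

# sample_log: constructed log lines using documentation address ranges.
# The marker values only echo a fixed string; line 4 is a benign URL that
# contains "()" without a following brace and must not be flagged.
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [25/Sep/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2014:10:00:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 87 "-" "() { :;}; echo constructed-sample"
203.0.113.4 - - [25/Sep/2014:10:00:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 87 "() { :; }; echo constructed-sample" "curl/7.38.0"
192.0.2.11 - - [25/Sep/2014:10:00:12 +0000] "GET /docs/func() HTTP/1.1" 404 210 "-" "Mozilla/5.0"
EOF
}

sample_log | scan_access_log
```

A hit shows only that a crafted value was sent, not that the target ran a vulnerable Bash; correlate flagged clients with the affected versions listed below.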
Product Name |
Affected Version |
Resolved Product and Versions |
V100R001 |
V100R001C00SPC205 |
|
BSC6000 |
BSC6000 V900R008C01/C15 |
Upgrade BSC6900 + |
E6000 Blade Server |
BH620 V2 V100R002C00 |
V100R002C00SPC107 or Refer to |
BH621 V2 V100R001C00 |
V100R002C00SPC107 or Refer to |
|
BH622 V2 V100R001C00 |
V100R002C00SPC111 or Refer to |
|
BH640 V2 V100R001C00 |
V100R002C00SPC109 or Refer to |
|
E6000 Chassis |
E6000 Chassis V100R001C00 |
V100R001C00SPC116 or Refer to |
E9000 Blade Server |
CH121 V100R001C00 |
V100R001C00SPC200 or Refer to |
CH140 V100R001C00 |
V100R001C00SPC130 or Refer to |
|
CH220 V100R001C00 |
V100R001C00SPC200 or Refer to |
|
CH221 V100R001C00 |
V100R001C00SPC200 or Refer to |
|
CH222 V100R002C00 |
V100R002C00SPC200 or Refer to |
|
CH240 V100R001C00 |
V100R001C00SPC200 or Refer to |
|
CH242 V100R001C00 |
V100R001C00SPC200 or Refer to |
|
CH242 V3 V100R001C00 |
V100R001C00SPC130 or Refer to |
|
E9000 Chassis |
E9000 Chassis V100R001C00 |
E9000 Chassis |
eSpace CAD |
eSpace CAD V100R001 |
Patch link for SUSE Linux |
eLog |
eLog V100R003 |
V100R003C01SPC506 |
eSight Network |
eSight Network |
V200R003C10SPC206 |
eSight UC&C |
V100R001C01/C20 |
Patch link for SUSE Linux |
eSpace CC |
eSpace CC V100R001 |
Patch link for SUSE Linux |
eSpace DCM |
eSpace DCM V100R001 |
Patch link for SUSE Linux |
eSpace IVS |
eSpace IVS V100R001 |
Patch link for SUSE Linux |
eSpace Meeting |
eSpace Meeting V100R001 |
Patch link for SUSE Linux |
eSpace U2980 |
eSpace U2980 V100R001 |
V100R001C10SPC102 |
eSpace U2990 |
eSpace U2990 V200R001 |
V200R001C10SPC102 |
eSpace UC |
eSpace UC V100R001/R002 |
Patch link for SUSE Linux |
eSpace UMS |
eSpace UMS V200R002 |
Patch link for SUSE Linux |
eSpace USM |
eSpace USM V100R001 |
Patch link for SUSE Linux |
eSpace V1300N |
eSpace V1300N V100R002 |
Patch link for SUSE Linux |
eSpace VTM |
eSpace VTM V100R001 |
Patch link for SUSE Linux |
FusionAccess |
FusionAccess V100R005C10 |
FusionAccess |
FusionCompute |
FusionCompute |
FusionCompute |
FusionManager |
FusionManager V100R003C10 |
FusionManager |
FusionStorage DSware |
FusionStorage V100R003C02SPC100/SPC20 |
FusionStorage DSware |
GalaX8800 |
GalaX8800 |
FusionCompute V100R003C10CP6001 |
GTSOFTX3000 |
GTSOFTX3000 |
GTSOFTX3000 |
High-Density Server |
DH310 V2 V100R001C00 |
V100R001C00SPC111 or Refer to |
DH320 V2 V100R001C00 |
V100R001C00SPC107 or Refer to |
|
DH321 V2 V100R002C00 |
V100R002C00SPC101 or Refer to |
|
DH620 V2 V100R001C00 |
V100R001C00SPC107 or Refer to |
|
DH621 V2 V100R001C00 |
V100R001C00SPC107 or Refer to |
|
DH628 V2 V100R001C00 |
V100R001C00SPC107 or Refer to |
|
XH310 V2 V100R001C00 |
V100R001C00SPC111 or Refer to |
|
XH320 V2 V100R001C00 |
V100R001C00SPC111 or Refer to |
|
XH321 V2 V100R002C00 |
V100R002C00SPC101 or Refer to |
|
XH621 V2 V100R001C00 |
V100R001C00SPC107 or Refer to |
|
iSOC |
iSOC V200R001 |
iSOC 9000 V200R001C02SPC203 |
ManageOne |
ManageOne |
Patch link for SUSE Linux |
OceanStor 18500 |
OceanStor 18500 |
Patch link |
OceanStor 18800 |
OceanStor 18800 |
Patch link |
OceanStor 18800F |
OceanStor 18800F |
Patch link |
OceanStor 9000 |
OceanStor 9000 |
SUSE Linux 11 SP1 |
OceanStor 9000E |
OceanStor 9000E |
SUSE Linux 11 SP1 |
OceanStor CSE |
OceanStor CSE V100R001C01 |
SUSE Linux 11 SP1 |
OceanStor CSS |
OceanStor CSS |
SUSE Patch |
OceanStor Dorado |
OceanStor Dorado2100 |
Patch link |
OceanStor HDP |
OceanStor HDP3500E |
SUSE Patch |
OceanStor HVS85T |
OceanStor HVS85T |
Patch link |
OceanStor HVS88T |
OceanStor HVS88T |
Patch link |
OceanStor N8000 |
OceanStor N8300 |
SUSE Patch |
OceanStor N8500 |
OceanStor N8500 |
|
OceanStor N8500 |
OceanStor N8500 |
|
OceanStor S2000 |
OceanStor S2300 |
Patch link |
OceanStor S2200T |
OceanStor S2200T |
Patch link |
OceanStor S2600 |
OceanStor S2600 |
Patch link |
OceanStor S2600T |
OceanStor S2600T |
Patch link |
OceanStor S5000 |
OceanStor S5300 |
Patch link |
OceanStor S5500T |
OceanStor S3900 |
Patch link |
OceanStor S5600T |
OceanStor S5600T |
Patch link |
OceanStor S5800T |
OceanStor S5800T |
Patch link |
OceanStor S6800E |
OceanStor S6800E |
Patch link |
OceanStor S6800T |
OceanStor S6800T |
Patch link |
OceanStor SNS |
OceanStor SNS2120 V100R001C00 |
Patch link or Refer to the |
OceanStor SNS5120 V100R001C00 |
||
OceanStor V1000 |
OceanStor V1500 |
Patch link |
OceanStor UDS |
OceanStor UDS V100R001C00 |
SUSE Patch |
OceanStor VIS6600 |
OceanStor VIS6600 |
Patch link |
OceanStor S8100 |
Patch link |
|
OceanStor VIS6600T |
VIS6600T V200R003C10SPC100 |
|
OceanStor VTL |
OceanStor VTL3500 V100R002C01 |
Cent OS |
OceanStor VTL6900 |
RedHat Linux Patch |
|
OIC |
OIC V100R001C00 |
iGET Platform |
OMM Solution |
OMM Solution V100R001 |
Patch link for SUSE Linux |
Rack server |
RH1288 V2 V100R002C00 |
V100R002C00SPC116 or Refer to |
RH2285 V2 V100R002C00 |
V100R002C00SPC116 or Refer to |
|
RH2285H V2 V100R002C00 |
V100R002C00SPC112 or Refer to |
|
RH2288 V2 V100R002C00 |
V100R002C00SPC118 or Refer to |
|
RH2288E V2 V100R002C00 |
V100R002C00SPC102 or Refer to |
|
RH2288H V2 V100R002C00 |
V100R002C00SPC116 or Refer to |
|
RH2485 V2 V100R002C00 |
V100R002C00SPC503 or Refer to |
|
RH5885 V2 V100R001C00 |
Refer to the workaround 1 |
|
RH5885 V3 V100R003C00 |
V100R003C01SPC103 or Refer to |
|
RH5885H V3 V100R003C00 |
V100R003C00SPC103 or Refer to |
|
SIG9800 |
SIG9800-X16 V300R001C00 |
SIG9800 |
UMA |
UMA V100R001 |
UMA V200R001C00SPC202 |
UMA-DB |
UMA-DB V100R001C00 |
UMA-DB |
VAE |
VAE V100R001C01 |
Patch link for SUSE Linux |
eSpace VCN3000 |
eSpace VCN3000 V100R001 |
Patch link for SUSE Linux |
DC |
DC V100R002 |
Patch link for SUSE Linux |
NVS |
NVS V100R002 |
Patch link for SUSE Linux |
eSight |
eSight V300R001C00 |
eSight V300R001C00CP2022 |
eSight V300R001C10 |
eSight V300R001C10CP3011 |
Successful exploitation of these vulnerabilities allows unauthorized disclosure of information, allows unauthorized modification, and allows disruption of service.
The vulnerability classification has been performed by using the CVSSv2 scoring system (http://www.first.org/cvss/).
1.CVE-2014-6271:
Base Score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Temporal Score: 8.3 (E:F/RL:O/RC:C)
2.CVE-2014-6277:
Base Score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Temporal Score: 8.3 (E:F/RL:O/RC:C)
3.CVE-2014-6278:
Base Score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Temporal Score: 8.3 (E:F/RL:O/RC:C)
4.CVE-2014-7169:
Base Score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Temporal Score: 8.3 (E:F/RL:O/RC:C)
5.CVE-2014-7186:
Base Score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Temporal Score: 8.3 (E:F/RL:O/RC:C)
6.CVE-2014-7187:
Base Score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Temporal Score: 8.3 (E:F/RL:O/RC:C)
For additional details, customers are advised to reference the website: http://packetstormsecurity.com/files/128394/bash-poc.txt
Workarounds:
Take the following measures to avoid the bug:
1. Disable the SSH port-based and Telnet port-based login modes and use the web UI-based login mode. The procedure is as follows:
1) Access the server management UI through the web browser. Choose Configuration > Service. On the page that is displayed, deselect the SSH and Telnet check boxes and save the configuration.
2. Disable the SSH port-based and Telnet port-based login modes and use the web UI-based login mode. The procedure is as follows:
Disable the SSH port-based login mode:
1) Enable the Telnet service to edit the run configuration file in the common/usr/supervise directory. Put "service sshd stop" above "while true" in the configuration file.
2) Reboot the device.
3) After device restart, access the server management UI through the web browser. On the page that is displayed, choose Configuration > Service, deselect the Telnet check box, and save the configuration.
3. The following workarounds are only applicable to the products of OceanStor SNS2120 and OceanStor SNS5120. The procedure is as follows:
1) Access the server management UI through the web browser. Choose Switch > Service. On the page that is displayed, select only the SNMP and Call Home check boxes, deselect the other check boxes, and save the configuration.
These vulnerabilities were disclosed by the official GNU Bash website.
For security problems about Huawei products and solutions, please contact PSIRT@huawei.com.
For general problems about Huawei products and solutions, please directly contact Huawei TAC (Huawei Technical Assistance Center) to request the configuration or technical assistance.
2015-03-10 V1.8 UPDATED Update the product fixed version
2014-12-27 V1.7 UPDATED Update the product fixed version
2014-12-24 V1.6 UPDATED Update the product fixed version
2014-11-04 V1.5 UPDATED Update the product fixed version
2014-11-03 V1.4 UPDATED Update the product fixed version
2014-10-29 V1.3 UPDATED Update the product fixed version
2014-10-28 V1.2 UPDATED Update the product fixed version
2014-10-25 V1.1 UPDATED Update the product fixed version
2014-10-24 V1.0 INITIAL