Re: [Openvas-discuss] False Positives: GNU Bash Environment Variable Handling Shell RCE Vulnerability (CVE-2014-6277)

2014-10-28 Thread Traiano Welcome
Hi

 Any ideas on this at all ?



-----Original Message-----
From: Traiano Welcome 
Sent: Saturday, October 25, 2014 4:52 PM
To: openvas-discuss@wald.intevation.org
Subject: False Positives: GNU Bash Environment Variable Handling Shell RCE 
Vulnerability (CVE-2014-6277)

Hi All

I'm currently testing for false positives in OpenVAS NVTs, and one I get 
frequently is for the shellshocker vulnerability (CVE-2014-6277). However, 
when I apply the manual vulnerability confirmation checks against bash I get a 
confirmation that the vulnerability does not in fact exist, for example:

---
[root@lol-dev-hdpmn munin]# env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `BASH_FUNC_x'
test
---

Is this an issue with the NVT, or OpenVAS scanning mechanism? What approach 
could I use to debug this further?

Here are some details of the target system and the scan report from OpenVAS GSA:

Linux distro: CentOS release 6.5 (Final)
Bash version: GNU bash, version 4.1.2

Scan NVT details:

---
Name:   GNU Bash Environment Variable Handling Shell RCE Vulnerability (LSC) - 04
Config:
Family: General
OID:    1.3.6.1.4.1.25623.1.0.802086
Version:    $Revision: 739 $
Notes:  0
Overrides:  0

Summary

This host is installed with GNU Bash Shell and is prone to remote command 
execution vulnerability.

Affected Software/OS

GNU Bash through 4.3 bash43-026

Vulnerability Scoring

CVSS base:  10.0
CVSS base vector:   AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Insight

GNU bash contains a flaw that is triggered when evaluating environment 
variables passed from another environment. After processing a function 
definition, bash continues to process trailing strings. Incomplete fix to 
CVE-2014-7169, CVE-2014-6271

Vulnerability Detection Method

Login to the target machine with ssh credentials and check its possible to 
execute the commands via GNU bash shell.

Impact

Successful exploitation will allow remote or local attackers to inject shell 
commmands, allowing local privilege escalation or remote command execution 
depending on the application vector.

Impact Level: System/Application

Solution

No solution or patch is available as of 8th October, 2014. Information 
regarding this issue will be updated once the solution details are available, 
For updates contact vendor or refer to http://www.gnu.org/software/bash 

References

CVE:    CVE-2014-6277
BID:    70165
CERT:   DFN-CERT-2014-1258
Other:  http://osvdb.com/112158
        https://shellshocker.net
        http://lcamtuf.blogspot.in/2014/09/bash-bug-apply-unofficial-patch-now.html
---


I've used a set of tests from Red Hat's site to confirm if the target system is 
vulnerable:

https://access.redhat.com/articles/1200223

Thanks in advance,
Traiano

___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
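
Added example, not part of the original post or of OpenVAS: a small shell helper that runs the manual check quoted in the message above against a chosen bash binary and turns its stdout/stderr into a verdict, so the result can be recorded next to the scanner finding. The function names and verdict strings are assumptions made for this example, and it exercises only the function-import check shown in the post.

```shell
#!/bin/sh
# Added example: classify the output of the manual check quoted in the post.
# classify_check, run_check and the verdict words are hypothetical names.

# classify_check STDOUT STDERR -> prints one verdict word
classify_check() {
    out=$1 err=$2
    case $out in
        # Trailing command after the function body was executed on import.
        *vulnerable*) echo "VULNERABLE"; return 0 ;;
    esac
    case $err in
        # Messages seen in the post: bash refused to import the definitions.
        *"ignoring function definition attempt"*|*"error importing function definition"*)
            echo "REJECTED_WITH_WARNING"; return 0 ;;
    esac
    case $out in
        # Only the harmless payload ran; the variables were ignored quietly.
        *test*) echo "REJECTED_SILENTLY" ;;
        *)      echo "INCONCLUSIVE" ;;
    esac
}

# run_check BASH_PATH: run the check from the post against one bash binary
run_check() {
    errfile=$(mktemp) || return 1
    out=$(env 'x=() { :;}; echo vulnerable' \
              'BASH_FUNC_x()=() { :;}; echo vulnerable' \
              "$1" -c "echo test" 2>"$errfile") || true
    err=$(cat "$errfile"); rm -f "$errfile"
    classify_check "$out" "$err"
}

# Constructed sample: the stdout/stderr shown in the post's terminal session
sample_out='test'
sample_err="bash: warning: x: ignoring function definition attempt
bash: error importing function definition for \`BASH_FUNC_x'"

echo "post sample : $(classify_check "$sample_out" "$sample_err")"
if command -v bash >/dev/null 2>&1; then
    echo "local bash  : $(run_check "$(command -v bash)")"
fi
```
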


Re: [Openvas-discuss] False Positives: GNU Bash Environment Variable Handling Shell RCE Vulnerability (CVE-2014-6277)

2014-10-28 Thread Chris
Hi,
 
> Any ideas on this at all ?

maybe this:

http://lists.wald.intevation.org/pipermail/openvas-nvts-commits/2014-October/000748.html

AFAIK problems with NVTs or false positives are also better placed at the 
plugins ML:

http://lists.wald.intevation.org/pipermail/openvas-plugins