Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

fstec логотип

BDU:2015-09818

Опубликовано: 30 мар. 2015
Источник: fstec
CVSS2: 10
EPSS Критический

Описание

Множественные уязвимости интерпретатора командной строки bash операционной системы Альт Линукс СПТ, вызванные ошибками обработки входных данных при выполнении синтаксического анализа кода. Эксплуатация уязвимости позволяет злоумышленнику при очередном запуске интерпретатора командной строки выполнить произвольные команды с правами текущего пользователя, путем предварительного создания специально сформированной переменной окружения

Вендор

АО «ИВК»

Наименование ПО

Альт Линукс СПТ

Версия ПО

6.0 (Альт Линукс СПТ)

Тип ПО

Операционная система

Операционные системы и аппаратные платформы

АО «ИВК» Альт Линукс СПТ .
АО «ИВК» Альт Линукс СПТ .

Уровень опасности уязвимости

Критический уровень опасности (базовая оценка CVSS 2.0 составляет 10)

Возможные меры по устранению уязвимости

Обновление программного обеспечения с комплекта сертифицированных дисков и документации операционной системы Альт Линукс СПТ 6.0 (КИТ), изготовленных ООО «ЦРИОИТ»

Статус уязвимости

Подтверждена производителем

Наличие эксплойта

Существует в открытом доступе

Информация об устранении

Уязвимость устранена

Ссылки на источники

EPSS

Процентиль: 100%
0.9422
Критический

10 Critical

CVSS2

Связанные уязвимости

CVSS3: 9.8
ubuntu
почти 11 лет назад

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.

redhat
почти 11 лет назад

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.

CVSS3: 9.8
nvd
почти 11 лет назад

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.

CVSS3: 9.8
debian
почти 11 лет назад

GNU Bash through 4.3 processes trailing strings after function definit ...

CVSS3: 9.8
github
около 3 лет назад

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.

EPSS

Процентиль: 100%
0.9422
Критический

10 Critical

CVSS2