
Security Advisory - Bash Code Injection Vulnerability

  • SA No: Huawei-SA-20141024-01-Bash
  • Initial Release Date: Oct 24, 2014
  • Last Release Date: Mar 10, 2015

This security advisory (SA) describes the impact of 6 Bash vulnerabilities discovered in third-party software (Vulnerability ID: HWPSIRT-2014-0951).

1. OS Command Injection vulnerability (CVE-2014-6271). GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.

The NVD link is: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

2. OS Command Injection vulnerability (CVE-2014-6277). GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access, and untrusted-pointer read and write operations) via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271 and CVE-2014-7169.

The NVD link is: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6277

3. OS Command Injection vulnerability (CVE-2014-6278). GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.

The NVD link is: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6278

4. OS Command Injection vulnerability (CVE-2014-7169). GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271.

The NVD link is: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169

5. OS Command Injection vulnerability (CVE-2014-7186). The redirection implementation in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via crafted use of here documents, aka the "redir_stack" issue.

The NVD link is: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7186

6. OS Command Injection vulnerability (CVE-2014-7187). Off-by-one error in the read_token_word function in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via deeply nested for loops, aka the "word_lineno" issue.

The NVD link is: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7187
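A defensive check for the condition described in items 1 and 4 above, added here as an example (it is not part of this advisory or of Bash): it walks a process environment, finds values that begin with the function-definition marker "() {", and reports whether text follows the function body or the definition is malformed. The variable names and values in SAMPLE_ENV are constructed; BASH_FUNC_name%% is the naming scheme that patched Bash releases use for exported functions.

```python
FUNC_MARKER = "() {"  # prefix Bash looked for when importing a function


def split_function_value(value):
    """Return (body, trailing) for a value starting with '() {', else None.

    trailing is None when the braces never balance (malformed definition).
    Heuristic: braces are counted and quoting is ignored; this is a triage
    aid, not a shell parser.
    """
    if not value.startswith(FUNC_MARKER):
        return None
    depth = 0
    for i, ch in enumerate(value):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return value[: i + 1], value[i + 1:].strip(" ;\t\n")
    return value, None


def audit_environment(env):
    """Classify every variable whose value looks like a function definition."""
    findings = {}
    for name, value in env.items():
        parts = split_function_value(value)
        if parts is None:
            continue
        _body, trailing = parts
        if trailing is None:
            findings[name] = "malformed-definition"   # cf. CVE-2014-7169
        elif trailing:
            findings[name] = "trailing-text"          # cf. CVE-2014-6271
        elif name.startswith("BASH_FUNC_") and name.endswith("%%"):
            findings[name] = "exported-function"      # patched naming scheme
        else:
            findings[name] = "definition-in-ordinary-variable"
    return findings


# Constructed sample environment (names and values are illustrative only).
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "REMOTE_SUPPLIED_A": "() { :; }; echo trailing-text-marker",
    "REMOTE_SUPPLIED_B": "() { unterminated",
    "BASH_FUNC_deploy%%": "() {  echo deploying\n}",
    "LEGACY_HELPER": "() { return 0; }",
}

if __name__ == "__main__":
    for name, verdict in audit_environment(SAMPLE_ENV).items():
        print(f"{name}: {verdict}")
```

Any verdict other than exported-function on a variable that is set from remote input is worth investigating, whether or not the local Bash has been patched.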

| Product Name | Affected Version | Resolved Product and Versions |
|---|---|---|
| Agile Controller-Campus | V100R001 | V100R001C00SPC205 |
| BSC6000 | BSC6000 V900R008C01/C15; BSC6000 V901R013C00 | Upgrade BSC6900 + patch (DOPRALinux V200R003C08SPC120) |
| E6000 Blade Server | BH620 V2 V100R002C00 | V100R002C00SPC107 or refer to the workaround 1 |
| | BH621 V2 V100R001C00 | V100R002C00SPC107 or refer to the workaround 1 |
| | BH622 V2 V100R001C00 | V100R002C00SPC111 or refer to the workaround 1 |
| | BH640 V2 V100R001C00 | V100R002C00SPC109 or refer to the workaround 1 |
| E6000 Chassis | E6000 Chassis V100R001C00 | V100R001C00SPC116 or refer to the workaround 2 |
| E9000 Blade Server | CH121 V100R001C00 | V100R001C00SPC200 or refer to the workaround 1 |
| | CH140 V100R001C00 | V100R001C00SPC130 or refer to the workaround 1 |
| | CH220 V100R001C00 | V100R001C00SPC200 or refer to the workaround 1 |
| | CH221 V100R001C00 | V100R001C00SPC200 or refer to the workaround 1 |
| | CH222 V100R002C00 | V100R002C00SPC200 or refer to the workaround 1 |
| | CH240 V100R001C00 | V100R001C00SPC200 or refer to the workaround 1 |
| | CH242 V100R001C00 | V100R001C00SPC200 or refer to the workaround 1 |
| | CH242 V3 V100R001C00 | V100R001C00SPC130 or refer to the workaround 1 |
| E9000 Chassis | E9000 Chassis V100R001C00 | E9000 Chassis V100R001C00SPC200 |
| eSpace CAD | eSpace CAD V100R001 | Patch link for SUSE Linux |
| eLog | eLog V100R003; eLog V200R003 | V100R003C01SPC506; V200R003C10SPC202 |
| eSight Network | eSight Network V200R003C01/C10 | V200R003C10SPC206 |
| eSight UC&C | V100R001C01/C20 | Patch link for SUSE Linux |
| eSpace CC | eSpace CC V100R001; eSpace CC V200R001 | Patch link for SUSE Linux |
| eSpace DCM | eSpace DCM V100R001; eSpace DCM V100R002 | Patch link for SUSE Linux |
| eSpace IVS | eSpace IVS V100R001 | Patch link for SUSE Linux |
| eSpace Meeting | eSpace Meeting V100R001 | Patch link for SUSE Linux |
| eSpace U2980 | eSpace U2980 V100R001 | V100R001C10SPC102 |
| eSpace U2990 | eSpace U2990 V200R001 | V200R001C10SPC102 |
| eSpace UC | eSpace UC V100R001/R002; eSpace UC V200R001/R002 | Patch link for SUSE Linux |
| eSpace UMS | eSpace UMS V200R002 | Patch link for SUSE Linux |
| eSpace USM | eSpace USM V100R001 | Patch link for SUSE Linux |
| eSpace V1300N | eSpace V1300N V100R002 | Patch link for SUSE Linux |
| eSpace VTM | eSpace VTM V100R001 | Patch link for SUSE Linux |
| FusionAccess | FusionAccess V100R005C10 | FusionAccess V100R005C10SPC203 |
| FusionCompute | FusionCompute V100R003C00/C10 | FusionCompute V100R003C10CP6001 |
| FusionManager | FusionManager V100R003C10 | FusionManager V100R003C10CP6001 |
| FusionStorage DSware | FusionStorage V100R003C02SPC100/SPC200 | FusionStorage DSware V100R003C02SPC201 |
| GalaX8800 | GalaX8800 V100R002C00/C01/C85 | FusionCompute V100R003C10CP6001 |
| GTSOFTX3000 | GTSOFTX3000 V200R001C01SPC100 | GTSOFTX3000 V200R001C01SPH106 |
| High-Density Server | DH310 V2 V100R001C00 | V100R001C00SPC111 or refer to the workaround 1 |
| | DH320 V2 V100R001C00 | V100R001C00SPC107 or refer to the workaround 1 |
| | DH321 V2 V100R002C00 | V100R002C00SPC101 or refer to the workaround 1 |
| | DH620 V2 V100R001C00 | V100R001C00SPC107 or refer to the workaround 1 |
| | DH621 V2 V100R001C00 | V100R001C00SPC107 or refer to the workaround 1 |
| | DH628 V2 V100R001C00 | V100R001C00SPC107 or refer to the workaround 1 |
| | XH310 V2 V100R001C00 | V100R001C00SPC111 or refer to the workaround 1 |
| | XH320 V2 V100R001C00 | V100R001C00SPC111 or refer to the workaround 1 |
| | XH321 V2 V100R002C00 | V100R002C00SPC101 or refer to the workaround 1 |
| | XH621 V2 V100R001C00 | V100R001C00SPC107 or refer to the workaround 1 |
| iSOC | iSOC V200R001 | iSOC 9000 V200R001C02SPC203 |
| ManageOne | ManageOne V100R001C01 (BMS); ManageOne V100R001C02 (SSMC); ManageOne V100R002C00 (SSM); ManageOne V100R002C00 (UMP); ManageOne V100R002C10 (SSM); ManageOne V100R002C10 (OC); ManageOne V100R002C10 (SC); ManageOne V100R002C20 (OC); ManageOne V100R002C20 (SC) | Patch link for SUSE Linux |
| OceanStor 18500 | OceanStor 18500 V100R001C00 | Patch link |
| OceanStor 18800 | OceanStor 18800 V100R001C00 | Patch link |
| OceanStor 18800F | OceanStor 18800F V100R001C00 | Patch link |
| OceanStor 9000 | OceanStor 9000 V100R001C01/C10 | SUSE Linux 11 SP1 |
| OceanStor 9000E | OceanStor 9000E V100R001C01; OceanStor 9000E V100R002C00/C19 | SUSE Linux 11 SP1 |
| OceanStor CSE | OceanStor CSE V100R001C01; OceanStor CSE V100R002C00LHWY01; OceanStor CSE V100R002C00LSFM01; OceanStor CSE V100R002C10; OceanStor CSE V100R003C00 | SUSE Linux 11 SP1 |
| OceanStor CSS | OceanStor CSS V100R001C00/C01/C02/C03/C05; OceanStor CSS V100R002C00 | SUSE Patch |
| OceanStor Dorado | OceanStor Dorado2100 V100R001C00; OceanStor Dorado2100 G2 V100R001C00; OceanStor Dorado5100 V100R001C00 | Patch link |
| OceanStor HDP | OceanStor HDP3500E V100R002C00; OceanStor HDP3500E V100R003C00 | SUSE Patch |
| OceanStor HVS85T | OceanStor HVS85T V100R001C00/C99 | Patch link |
| OceanStor HVS88T | OceanStor HVS88T V100R001C00 | Patch link |
| OceanStor N8000 | OceanStor N8300 V100R002C00; OceanStor N8500 V100R002C00; OceanStor N8500 V200R001C00; OceanStor N8500 V200R001C10 | SUSE Patch |
| | OceanStor N8500 V200R001C09 | OceanStor N8500 V200R001C09SPC503 |
| | OceanStor N8500 V200R001C91 | OceanStor N8500 V200R001C91SPC203 |
| OceanStor S2000 | OceanStor S2300 V100R001C02 | Patch link |
| OceanStor S2200T | OceanStor S2200T V100R005C00/C01/C02/C30 | Patch link |
| OceanStor S2600 | OceanStor S2600 V100R001C02; OceanStor S2600 V100R005C02 | Patch link |
| OceanStor S2600T | OceanStor S2600T V100R002C00/C01; OceanStor S2600T V100R003C00; OceanStor S2600T V100R005C00/C01/C02/C30; OceanStor S2600T V200R002C00; OceanStor S2900 V100R002C01 | Patch link |
| OceanStor S5000 | OceanStor S5300 V100R001C01; OceanStor S5300 V100R005C02; OceanStor S5500 V100R001C01; OceanStor S5500 V100R005C02; OceanStor S5600 V100R001C01; OceanStor S5600 V100R005C02 | Patch link |
| OceanStor S5500T | OceanStor S3900 V100R001C00; OceanStor S3900 V100R002C00; OceanStor S5500T V100R001C00/C01; OceanStor S5500T V100R002C00/C01; OceanStor S5500T V100R003C00; OceanStor S5500T V100R005C00/C01/C02/C30; OceanStor S5500T V200R002C00 | Patch link |
| OceanStor S5600T | OceanStor S5600T V100R001C00/C01; OceanStor S5600T V100R002C00/C01; OceanStor S5600T V100R003C00; OceanStor S5600T V100R005C00/C01/C02/C30; OceanStor S5600T V200R002C00; OceanStor S5900 V100R001C00; OceanStor S5900 V100R002C00 | Patch link |
| OceanStor S5800T | OceanStor S5800T V100R001C00/C01; OceanStor S5800T V100R002C00/C01; OceanStor S5800T V100R003C00; OceanStor S5800T V100R005C00/C01/C02/C30; OceanStor S5800T V200R001C00; OceanStor S5800T V200R002C00/C10/C20; OceanStor S6900 V100R001C00; OceanStor S6900 V100R002C00 | Patch link |
| OceanStor S6800E | OceanStor S6800E V100R005C02 | Patch link |
| OceanStor S6800T | OceanStor S6800T V100R001C00/C01; OceanStor S6800T V100R002C00/C01; OceanStor S6800T V100R003C00; OceanStor S6800T V100R005C00/C01/C02/C30; OceanStor S6800T V200R002C00 | Patch link |
| OceanStor SNS | OceanStor SNS2120 V100R001C00 | Patch link or refer to the workaround 3 |
| | OceanStor SNS5120 V100R001C00 | |
| OceanStor V1000 | OceanStor V1500 V100R001C02; OceanStor V1800 V100R001C02 | Patch link |
| OceanStor UDS | OceanStor UDS V100R001C00; OceanStor UDS V100R002C01; OceanStor UDS V100R002C00; OceanStor UDS V100R002C00LVDF0 | SUSE Patch |
| OceanStor VIS6600 | OceanStor VIS6600 V100R002C02 | Patch link |
| | OceanStor S8100 V100R002C00 | Patch link |
| | OceanStor VIS6600T V200R003C10 | VIS6600T V200R003C10SPC100 |
| OceanStor VTL | OceanStor VTL3500 V100R002C01; OceanStor VTL6000 V100R003C01/C02 | Cent OS |
| | OceanStor VTL6900 V100R005C00 | RedHat Linux Patch |
| OIC | OIC V100R001C00 | iGET Platform V100R001C00SPC403 |
| OMM Solution | OMM Solution V100R001 | Patch link for SUSE Linux |
| Rack server | RH1288 V2 V100R002C00 | V100R002C00SPC116 or refer to the workaround 1 |
| | RH2285 V2 V100R002C00 | V100R002C00SPC116 or refer to the workaround 1 |
| | RH2285H V2 V100R002C00 | V100R002C00SPC112 or refer to the workaround 1 |
| | RH2288 V2 V100R002C00 | V100R002C00SPC118 or refer to the workaround 1 |
| | RH2288E V2 V100R002C00 | V100R002C00SPC102 or refer to the workaround 1 |
| | RH2288H V2 V100R002C00 | V100R002C00SPC116 or refer to the workaround 1 |
| | RH2485 V2 V100R002C00 | V100R002C00SPC503 or refer to the workaround 1 |
| | RH5885 V2 V100R001C00 | Refer to the workaround 1 |
| | RH5885 V3 V100R003C00 | V100R003C01SPC103 or refer to the workaround 1 |
| | RH5885H V3 V100R003C00 | V100R003C00SPC103 or refer to the workaround 1 |
| SIG9800 | SIG9800-X16 V300R001C00; SIG9800-X16 V300R002C10 | SIG9800 V300R002C10SPH263_GUN_Bash1.0 |
| UMA | UMA V100R001; UMA V200R001 | UMA V200R001C00SPC202 |
| UMA-DB | UMA-DB V100R001C00 | UMA-DB V100R001C00SPC302 |
| VAE | VAE V100R001C01 | Patch link for SUSE Linux |
| eSpace VCN3000 | eSpace VCN3000 V100R001 | Patch link for SUSE Linux |
| DC | DC V100R002 | Patch link for SUSE Linux |
| NVS | NVS V100R002 | Patch link for SUSE Linux |
| eSight | eSight V300R001C00 | eSight V300R001C00CP2022 |
| | eSight V300R001C10 | eSight V300R001C10CP3011 |

Successful exploitation of these vulnerabilities allows unauthorized disclosure of information, allows unauthorized modification, and allows disruption of service.

The vulnerability classification has been performed by using the CVSSv2 scoring system (http://www.first.org/cvss/).

1. CVE-2014-6271:

Base Score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Temporal Score: 8.3 (E:F/RL:O/RC:C)

2. CVE-2014-6277:

Base Score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Temporal Score: 8.3 (E:F/RL:O/RC:C)

3. CVE-2014-6278:

Base Score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Temporal Score: 8.3 (E:F/RL:O/RC:C)

4. CVE-2014-7169:

Base Score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Temporal Score: 8.3 (E:F/RL:O/RC:C)

5. CVE-2014-7186:

Base Score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Temporal Score: 8.3 (E:F/RL:O/RC:C)

6. CVE-2014-7187:

Base Score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Temporal Score: 8.3 (E:F/RL:O/RC:C)

For additional details, customers are advised to reference the website: http://packetstormsecurity.com/files/128394/bash-poc.txt

Workarounds:

Take the following measures to avoid the bug:

  1. The following workaround applies only to BH620 V2/ BH621 V2/ BH622 V2/ BH640 V2/ CH121/ CH140/ CH220/ CH221/ CH222/ CH240/ CH242/ CH242 V3/ DH310 V2/ DH320 V2/ DH321 V2/ DH620 V2/ DH621 V2/ DH628 V2/ XH310 V2/ XH320 V2/ XH621 V2/ RH1288 V2/ RH2285 V2/ RH2285H V2/ RH2288 V2/ RH2288E V2/ RH2288H V2/ RH2485 V2/ RH5885 V2/ RH5885 V3/ RH5885H V3.

Disable the SSH port-based and Telnet port-based login modes and use the web UI-based login mode. The procedure is as follows:

1) Access the server management UI through the web browser. Choose Configuration > Service. On the page that is displayed, deselect the SSH and Telnet check boxes and save the configuration.

  2. The following workaround applies only to the E6000 Chassis.

Disable the SSH port-based and Telnet port-based login modes and use the web UI-based login mode. The procedure is as follows:

Disable the SSH port-based login mode:

1) Enable the Telnet service in order to edit the run configuration file in the common/usr/supervise directory. In that file, put the line "service sshd stop" above the "while true" line.

2) Reboot the device.

3) After the device restarts, access the server management UI through the web browser. On the page that is displayed, choose Configuration > Service, deselect the Telnet check box, and save the configuration.

  3. The following workaround applies only to OceanStor SNS2120 and OceanStor SNS5120. The procedure is as follows:

1) Access the server management UI through the web browser. Choose Switch > Service. On the page that is displayed, select only the SNMP and Call Home check boxes, deselect the other check boxes, and save the configuration.


Customers should contact Huawei TAC (Huawei Technical Assistance Center) to request the upgrades. For TAC contact information, please refer to Huawei worldwide website at http://www.huawei.com/en/security/psirt/report-vulnerabilities/index.htm.


These vulnerabilities were disclosed on the official GNU Bash website.

For security problems about Huawei products and solutions, please contact PSIRT@huawei.com.

For general problems about Huawei products and solutions, please directly contact Huawei TAC (Huawei Technical Assistance Center) to request the configuration or technical assistance.


2015-03-10 V1.8 UPDATED Update the product fixed version

2014-12-27 V1.7 UPDATED Update the product fixed version

2014-12-24 V1.6 UPDATED Update the product fixed version

2014-11-04 V1.5 UPDATED Update the product fixed version

2014-11-03 V1.4 UPDATED Update the product fixed version

2014-10-29 V1.3 UPDATED Update the product fixed version

2014-10-28 V1.2 UPDATED Update the product fixed version

2014-10-25 V1.1 UPDATED Update the product fixed version

2014-10-24 V1.0 INITIAL

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.


Complete information for providing feedback on security vulnerability of Huawei products, getting support for Huawei security incident response services, and obtaining Huawei security vulnerability information, is available on Huawei's worldwide website at http://www.huawei.com/en/security/psirt/.