PAN-SA-2014-0004 Bash Shell remote code execution (CVE-2014-6271, CVE-2014-7169)
Description
Palo Alto Networks has become aware of a remote code execution vulnerability in the Bash shell utility. This vulnerability (CVE-2014-6271) allows for remote code execution through multiple vectors due to the way Bash is often used on linux systems for processing commands. Additional information can be found here: http://seclists.org/oss-sec/2014/q3/650
Successful attack requires that a user be able to add environmental variables to the bash environment. This is possible only for PAN-OS users that successfully authenticate to PAN-OS via SSH. Exploitation does not directly result in root access to the device, as injected commands are run with the OS privileges of the logged in user. Critical PAN-OS data is only writeable by the root user.
This issue affects This issue affects PAN-OS and Panorama 5.0.14 and earlier; 5.1.9 and earlier; 6.0.5 and earlier; and 6.1.0 and earlier.
CVE | Summary |
---|---|
CVE-2014-6271 | GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. |
CVE-2014-7169 | GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271. |
Product Status
Versions | Affected | Unaffected |
---|---|---|
PAN-OS 6.1 | <= 6.1.0 | >= 6.1.1. |
PAN-OS 6.0 | <= 6.0.5 | >= 6.0.6 |
PAN-OS 5.1 | <= 5.1.9 | >= 5.1.10 |
PAN-OS 5.0 | <= 5.0.14 | >= 5.0.15 |
Severity: NONE
CVSSv3.1 Base Score: 0 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:N)
Weakness Type
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Solution
PAN-OS and Panorama 5.0.15; PAN-OS and Panorama 5.1.10; PAN-OS and Panorama 6.0.6; PAN-OS and Panorama 6.1.1.
Workarounds and Mitigations
This attack is mitigated by the fact that successful attack can only be performed by authenticated ssh PAN-OS users. As an additional mitigation, administrators can disable SSH access on any/all management interfaces configured on the device.