Palo Alto Networks Security Advisories / PAN-SA-2014-0004

PAN-SA-2014-0004 Bash Shell remote code execution (CVE-2014-6271, CVE-2014-7169)

047910
Severity 0 · NONE
Attack Vector LOCAL
Attack Complexity LOW
Privileges Required LOW
User Interaction REQUIRED
Scope UNCHANGED
Confidentiality Impact NONE
Integrity Impact NONE
Availability Impact NONE

Description

Palo Alto Networks has become aware of a remote code execution vulnerability in the Bash shell utility. This vulnerability (CVE-2014-6271) allows for remote code execution through multiple vectors due to the way Bash is often used on linux systems for processing commands. Additional information can be found here: http://seclists.org/oss-sec/2014/q3/650

Successful attack requires that a user be able to add environmental variables to the bash environment. This is possible only for PAN-OS users that successfully authenticate to PAN-OS via SSH. Exploitation does not directly result in root access to the device, as injected commands are run with the OS privileges of the logged in user. Critical PAN-OS data is only writeable by the root user.

This issue affects This issue affects PAN-OS and Panorama 5.0.14 and earlier; 5.1.9 and earlier; 6.0.5 and earlier; and 6.1.0 and earlier.

CVECVSSSummary
CVE-2014-62719.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.
CVE-2014-716910.0 AV:N/AC:L/Au:N/C:C/I:C/A:CGNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271.

Product Status

VersionsAffectedUnaffected
PAN-OS 6.1<= 6.1.0>= 6.1.1.
PAN-OS 6.0<= 6.0.5>= 6.0.6
PAN-OS 5.1<= 5.1.9>= 5.1.10
PAN-OS 5.0<= 5.0.14>= 5.0.15

Severity: NONE

CVSSv3.1 Base Score: 0 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:N)

Weakness Type

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Solution

PAN-OS and Panorama 5.0.15; PAN-OS and Panorama 5.1.10; PAN-OS and Panorama 6.0.6; PAN-OS and Panorama 6.1.1.

Workarounds and Mitigations

This attack is mitigated by the fact that successful attack can only be performed by authenticated ssh PAN-OS users. As an additional mitigation, administrators can disable SSH access on any/all management interfaces configured on the device.

© 2020 Palo Alto Networks, Inc. All rights reserved.