CVE-2014-7169
Published: 25 September 2014
Summary
CVE-2014-7169 is a critical-severity OS Command Injection (CWE-78) vulnerability in GNU Bash through 4.3 bash43-025, the incomplete fix for the original Shellshock flaw CVE-2014-6271; products that bundle Bash, such as IBM QRadar Security Information and Event Manager, inherit it. Its CVSS v3.1 base score is 9.8 (Critical).
Operationally, it ranks in the top 0.5% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation), i.e. installing the Bash update that completes the fix, and SI-10 (Information Input Validation) for environment data that crosses a privilege boundary.
Deeper analysis
GNU Bash through version 4.3 bash43-025 contains an incomplete remediation for CVE-2014-6271: when an environment variable value is a malformed function definition, Bash still processes the trailing string after the point where parsing fails, so leftover parser state (a redirection, for example) is applied to the next command Bash reads. The flaw affects any Bash instance that evaluates attacker-controlled environment data, is classified as CWE-78 (OS command injection), and carries a CVSS 3.1 base score of 9.8.
Remote attackers can supply a crafted environment across a privilege boundary, for example through OpenSSH ForceCommand directives, Apache mod_cgi or mod_cgid handlers, or DHCP client scripts, and thereby write arbitrary files or cause other unspecified impacts on the target. bash43-025 stops the body of an injected function from executing; the trailing-string behaviour is what bash43-026 closes.
The referenced vendor advisories and vulnerability notes do not spell out mitigation details.
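As an added example (not from this advisory, its references, or the Bash project), the following POSIX sh functions run the two public test strings for CVE-2014-6271 and CVE-2014-7169 against the bash found on PATH and report whether that binary is affected. The 7169 probe is the widely circulated `() { (a)=>\` payload; the function names and the scratch-directory handling are this example's own.

```shell
#!/bin/sh
# Added example: probe the bash on PATH for the Shellshock family of bugs.
# Both payloads are the public test strings; nothing here touches a remote host.

# CVE-2014-6271: an exported value starting with "() {" is imported as a
# function, and on an unpatched bash the trailing "; echo vulnerable" runs
# as a command while the environment is being processed.
shellshock_6271_check() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    out=$(env X='() { :;}; echo vulnerable' bash -c ':' 2>/dev/null) || true
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# CVE-2014-7169: bash43-025 no longer executes the command after the
# definition, but the parser keeps the trailing ">\" from the malformed
# definition "() { (a)=>\". That leftover redirection is applied to the next
# thing bash parses, so "echo date" becomes "> echo date": the output of
# date is written to a file named "echo" in the current directory. The probe
# runs in a scratch directory and looks for that file.
shellshock_7169_check() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    workdir=$(mktemp -d) || { echo "no-tmpdir"; return 0; }
    result=$(
        cd "$workdir" || exit 1
        env X='() { (a)=>\' bash -c "echo date" >/dev/null 2>&1 || true
        if [ -s echo ]; then echo "vulnerable"; else echo "patched"; fi
    )
    rm -rf "$workdir"
    echo "${result:-unknown}"
}

# Print one line per CVE; the exit status is non-zero if either probe fired.
shellshock_report() {
    r1=$(shellshock_6271_check)
    r2=$(shellshock_7169_check)
    printf 'CVE-2014-6271: %s\nCVE-2014-7169: %s\n' "$r1" "$r2"
    [ "$r1" != "vulnerable" ] && [ "$r2" != "vulnerable" ]
}

shellshock_report
```

Run it as the same user, and with the same bash binary, that the exposed service hands its environment to: a host whose /bin/sh is dash is only safe if nothing on the sshd ForceCommand, CGI or DHCP-hook path execs bash, so the probe deliberately names bash rather than sh.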
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2014-7046
Vulnerability details
GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271.
- CWE(s): CWE-78 (OS Command Injection)
- KEV Date Added: 28 January 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
GNU Bash through 4.3 bash43-025, and any product or appliance that ships an unpatched copy of it.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): apply the vendor patch that completes the fix for the bash43-025 environment-variable parsing flaw; this is the only control that removes the bug.
- SI-10 (Information Input Validation): validate and sanitize untrusted environment-variable values before they are handed to Bash across a privilege boundary.
- AC-6 (Least Privilege): limit the privileges of the processes (sshd ForceCommand, mod_cgi/mod_cgid, DHCP clients) that receive attacker-controlled environment data, reducing the impact of a successful injection.
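The input-validation and least-privilege controls are easiest to see in a wrapper that sits between the privilege boundary and Bash. The following is an added POSIX sh example, not from this page's references or any vendor advisory, and it is a stop-gap for hosts that cannot be patched immediately, not a substitute for SI-2. It drops every exported variable whose value has the `() {` prefix that Bash through 4.3 bash43-025 imports as a function definition, then starts bash with only an allowlisted environment. The function names, the allowlist and the sample variables in the usage are this example's own.

```shell
#!/bin/sh
# Added example: scrub the environment before crossing into bash.
# /bin/sh must NOT itself be an unpatched bash: a vulnerable bash imports the
# payload the moment this wrapper starts, before any line below runs.

# True when a value has the "() {" prefix that bash through 4.3 bash43-025
# treats as an exported function definition. Both Shellshock payloads start
# this way, whatever follows the brace.
is_function_export() {
    case "$1" in
        "() {"*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Unset every exported variable whose value looks like a function definition
# and print the removed names, one per line. Names come from env(1) output and
# are matched against the identifier grammar before being used in eval, so a
# hostile value can never reach the evaluator as code. Names outside that
# grammar (modern bash's BASH_FUNC_x%% exports) are not shell variables and are
# left alone.
scrub_environment() {
    for name in $(env | sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p'); do
        eval "value=\${$name}"
        if is_function_export "$value"; then
            unset "$name"
            printf '%s\n' "$name"
        fi
    done
    return 0
}

# Start bash with a scrubbed, allowlisted environment. env -i discards
# everything else, so attacker-controlled CGI headers never reach bash unless
# they are on the list. The allowlist is hypothetical; a real handler passes
# the variables it actually needs.
run_bash_with_clean_env() {
    allow="PATH HOME LANG QUERY_STRING"
    scrub_environment >/dev/null
    for name in $allow; do
        # POSIX sh has no arrays: prepend NAME=value to the positional
        # parameters, only when NAME is set, so values with spaces survive.
        eval "if [ -n \"\${$name+x}\" ]; then set -- \"$name=\${$name}\" \"\$@\"; fi"
    done
    exec env -i "$@"
}

# Usage as a wrapper (the original arguments follow the allowlisted vars):
#   run_bash_with_clean_env bash /usr/lib/cgi-bin/report.sh
```

Pair the wrapper with least privilege: the CGI or ForceCommand user should own nothing the attacker could want to overwrite, because the 7169 file-write primitive lands wherever that user can write. Once the completed Bash patch is installed the scrubbing is redundant, but the allowlist still narrows what a future environment-handling bug can see.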