Bug 1000396 - (CVE-2016-0634) VUL-1: CVE-2016-0634: bash: Arbitrary code execution via malicious hostname
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low, Severity: Minor
Assigned To: Dr. Werner Fink
Security Team bot
https://smash.suse.de/issue/172691/
CVSSv2:SUSE:CVE-2016-0634:5.1:(AV:N/A...
Reported: 2016-09-22 10:55 UTC by Victor Pereira
Modified: 2020-06-14 05:10 UTC (History)
Found By: Security Response Team
Attachments
prompt-string-comsub.patch (3.25 KB, text/plain)
2016-09-22 11:49 UTC, Dr. Werner Fink
Description Victor Pereira 2016-09-22 10:55:04 UTC
rh#1377613

A vulnerability was found in the way bash expands $HOSTNAME. Injecting the hostname with malicious code would cause it to run each time bash expanded \h in the prompt string.

upstream patch: http://openwall.com/lists/oss-security/2016/09/16/18


References:
https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025
https://bugzilla.redhat.com/show_bug.cgi?id=1377613
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0634
http://seclists.org/oss-sec/2016/q3/528
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-0634.html
Comment 1 Dr. Werner Fink 2016-09-22 11:25:06 UTC
Hmmm ... from https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025

 Exploit Demo :

 1) edit "/etc/hosts" to this :
  127.0.0.1 localhost
  127.0.1.1 `ls>bug`
 2) edit "/etc/hostname" to this :
  `ls>bug`
 3) reboot
 4) start a terminal
 5) Now a file with the name "bug" will be in your home folder !
 6) Change the directory to Downloads with "cd Downloads/"
 7) Now a file with the name "bug" is in your Downloads !
 8) Remove the file with "rm bug"
 9) The file "bug" is still there !

... why should root edit /etc/hostname to fool a bash user if he is able to attack every person on the system?
Comment 2 Dr. Werner Fink 2016-09-22 11:49:52 UTC
Created attachment 693621 [details]
prompt-string-comsub.patch

The original patch from Chet
Comment 3 Dr. Werner Fink 2016-09-22 12:00:34 UTC
The only problem I see is foreign DHCP servers ... should this trigger an update for openSUSE 13.2, Leap 42.1 and 42.2 with SLES 12 and SLES12 SP2?
Comment 4 Swamp Workflow Management 2016-09-22 22:01:23 UTC
bugbot adjusting priority
Comment 5 Johannes Segitz 2016-09-28 11:07:51 UTC
(In reply to Dr. Werner Fink from comment #3)
Maybe some other vectors using namespaces might be possible, but DHCP is probably the biggest risk.

We track this as VUL-1 for now, so we don't need submissions right away. But feel free to submit, we can stage them and you'll get them as a baseline upon the next mbranch
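
Comments 3 and 5 name externally supplied hostnames (DHCP) as the realistic source of a hostile value. The following is an added example, not part of this bug report, the upstream patch or bash itself: a POSIX shell allowlist check that a host audit or a hostname-setting hook could apply before trusting a name. The function names `is_safe_hostname` and `audit_hostname_file` are hypothetical, and the sample values are constructed apart from the string taken from the demo in comment 1.

```shell
#!/bin/sh
# Added example. is_safe_hostname and audit_hostname_file are hypothetical
# helper names, not part of bash or of any DHCP client.

# Return 0 only if $1 is an RFC 1123 style hostname: letters, digits,
# hyphens and dots, labels of 1..63 bytes, at most 253 bytes in total.
# The body runs in a subshell so the LC_ALL and IFS changes do not leak.
is_safe_hostname() (
    LC_ALL=C
    name=$1
    [ -n "$name" ] || return 1
    [ "${#name}" -le 253 ] || return 1
    case $name in
        *[!A-Za-z0-9.-]*) return 1 ;;   # backticks, $, spaces etc. rejected here
        .*|*.|*..*)       return 1 ;;   # empty label
    esac
    IFS=.
    for label in $name; do              # safe unquoted: no glob characters left
        [ "${#label}" -le 63 ] || return 1
        case $label in
            -*|*-) return 1 ;;          # label may not start or end with '-'
        esac
    done
    return 0
)

# Check the first line of a hostname file (default /etc/hostname).
# Prints a verdict and returns 0 (clean), 1 (suspicious) or 2 (unreadable).
audit_hostname_file() {
    file=${1:-/etc/hostname}
    [ -r "$file" ] || { printf 'UNREADABLE %s\n' "$file"; return 2; }
    first=
    IFS= read -r first < "$file" || :   # keep a last line without newline
    if is_safe_hostname "$first"; then
        printf 'OK %s\n' "$file"
    else
        printf 'SUSPICIOUS %s: %s\n' "$file" "$first" | cat -v
        return 1
    fi
}

# Constructed sample values; the second is the string from comment 1.
demo() {
    for h in 'web01.example.com' '`ls>bug`' '-lead.example' 'a..b'; do
        if is_safe_hostname "$h"; then echo "accept: $h"; else echo "reject: $h"; fi
    done
}
demo
```

The check is an allowlist on the value itself, so it complements the bash update rather than replacing it: other consumers of the hostname benefit from the same validation.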
Comment 8 Marcus Meissner 2016-10-10 09:04:52 UTC
http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-047
Comment 11 Bernhard Wiedemann 2016-10-24 16:00:37 UTC
This is an autogenerated message for OBS integration:
This bug (1000396) was mentioned in
https://build.opensuse.org/request/show/437124 13.2 / bash
Comment 14 Swamp Workflow Management 2016-11-03 14:10:24 UTC
openSUSE-SU-2016:2715-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1000396,1001299,976776
CVE References: CVE-2016-0634,CVE-2016-7543
Sources used:
openSUSE 13.2 (src):    bash-4.2-75.5.1
Comment 15 Swamp Workflow Management 2016-11-22 15:03:33 UTC
SUSE-SU-2016:2872-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1000396,1001299,1001759,898812,898884
CVE References: CVE-2014-6277,CVE-2014-6278,CVE-2016-0634,CVE-2016-7543
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    bash-4.2-82.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    bash-4.2-82.1
SUSE Linux Enterprise Server 12-SP1 (src):    bash-4.2-82.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    bash-4.2-82.1
Comment 16 Sebastian Krahmer 2016-11-28 09:50:17 UTC
released
Comment 17 Swamp Workflow Management 2016-12-01 14:07:18 UTC
openSUSE-SU-2016:2961-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1000396,1001299,1001759,898812,898884
CVE References: CVE-2014-6277,CVE-2014-6278,CVE-2016-0634,CVE-2016-7543
Sources used:
openSUSE Leap 42.1 (src):    bash-4.2-81.1
Comment 18 Swamp Workflow Management 2017-01-27 21:08:27 UTC
SUSE-SU-2017:0302-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1000396,1001299,959755,971410
CVE References: CVE-2016-0634,CVE-2016-7543
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    bash-3.2-147.29.1
SUSE Linux Enterprise Server 11-SP4 (src):    bash-3.2-147.29.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    bash-3.2-147.29.1
Comment 22 Swamp Workflow Management 2018-05-23 19:26:28 UTC
SUSE-SU-2018:1398-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1000396,1001299,1086247
CVE References: CVE-2016-0634,CVE-2016-7543
Sources used:
SUSE OpenStack Cloud 7 (src):    bash-4.3-83.10.1
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    bash-4.3-83.10.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    bash-4.3-83.10.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    bash-4.3-83.10.1
SUSE Linux Enterprise Server 12-SP3 (src):    bash-4.3-83.10.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    bash-4.3-83.10.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    bash-4.3-83.10.1
SUSE Enterprise Storage 4 (src):    bash-4.3-83.10.1
SUSE CaaS Platform ALL (src):    bash-4.3-83.10.1
OpenStack Cloud Magnum Orchestration 7 (src):    bash-4.3-83.10.1
Comment 23 Swamp Workflow Management 2018-05-25 09:31:16 UTC
openSUSE-SU-2018:1419-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1000396,1001299,1086247
CVE References: CVE-2016-0634,CVE-2016-7543
Sources used:
openSUSE Leap 42.3 (src):    bash-4.3-83.6.1
Comment 24 Marcus Meissner 2018-05-25 09:58:51 UTC
released
Comment 25 Swamp Workflow Management 2018-10-18 17:01:38 UTC
SUSE-SU-2018:1398-2: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1000396,1001299,1086247
CVE References: CVE-2016-0634,CVE-2016-7543
Sources used:
SUSE Linux Enterprise Server 12-SP2-BCL (src):    bash-4.3-83.10.1