Bug 1691774 (CVE-2019-9924) - CVE-2019-9924 bash: BASH_CMD is writable in restricted bash shells
Summary: CVE-2019-9924 bash: BASH_CMD is writable in restricted bash shells
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-9924
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1691775 1693181 1829558 1837053 1837054
Blocks: 1691776
Reported: 2019-03-22 13:48 UTC by Dhananjay Arunesh
Modified: 2021-02-16 22:12 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-03-31 22:33:46 UTC
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:1113 0 None None None 2020-03-31 19:23:50 UTC
Red Hat Product Errata RHSA-2020:3474 0 None None None 2020-08-18 12:49:41 UTC
Red Hat Product Errata RHSA-2020:3592 0 None None None 2020-09-01 16:31:27 UTC
Red Hat Product Errata RHSA-2020:3803 0 None None None 2020-09-22 11:38:13 UTC

Description Dhananjay Arunesh 2019-03-22 13:48:59 UTC
rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.

Reference:
https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1803441

Upstream commit:
http://git.savannah.gnu.org/cgit/bash.git/commit/CHANGES?h=bash-4.4-testing&id=955543877583837c85470f7fb8a97b7aa8d45e6c

Comment 1 Dhananjay Arunesh 2019-03-22 13:49:55 UTC
Created bash tracking bugs for this issue:

Affects: fedora-all [bug 1691775]

Comment 4 Riccardo Schirone 2019-03-27 09:57:40 UTC
An attacker can execute binaries with / in their names even when bash is used as a Restricted Shell, by abusing the environment variable BASH_CMDS.

Comment 12 Mark Denihan 2020-01-27 14:56:48 UTC
Is there any plan to have this moderate issue patched on RHEL7? If so, is there any ETA on that patch's availability?

Comment 13 errata-xmlrpc 2020-03-31 19:23:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1113 https://access.redhat.com/errata/RHSA-2020:1113

Comment 14 Product Security DevOps Team 2020-03-31 22:33:46 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-9924

Comment 16 Riccardo Schirone 2020-05-04 08:58:06 UTC
Statement:

Impact of the flaw is set to Moderate, as a restricted shell shall not be used as a security feature alone, as it is very hard to configure it properly and several bypasses exist for it.

This issue did not affect the versions of bash as shipped with Red Hat Enterprise Linux 5, as they did not include support for the BASH_CMDS environment variable.

Red Hat Virtualization Hypervisor and Management Appliance were affected by this issue, but do not use the restricted bash shell in a way that would be exposed to attackers. Future updates may address this issue.

Comment 19 errata-xmlrpc 2020-08-18 12:49:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:3474 https://access.redhat.com/errata/RHSA-2020:3474

Comment 20 errata-xmlrpc 2020-09-01 16:31:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2020:3592 https://access.redhat.com/errata/RHSA-2020:3592

Comment 22 errata-xmlrpc 2020-09-22 11:38:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions

Via RHSA-2020:3803 https://access.redhat.com/errata/RHSA-2020:3803
