Bug 1691774 (CVE-2019-9924) - CVE-2019-9924 bash: BASH_CMD is writable in restricted bash shells
Summary: CVE-2019-9924 bash: BASH_CMD is writable in restricted bash shells
Status: NEW
Alias: CVE-2019-9924
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1693181 1691775
Blocks: 1691776
Reported: 2019-03-22 13:48 UTC by Dhananjay Arunesh
Modified: 2020-02-04 11:48 UTC (History)

Description Dhananjay Arunesh 2019-03-22 13:48:59 UTC
rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.

Reference:
https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1803441

Upstream commit:
http://git.savannah.gnu.org/cgit/bash.git/commit/CHANGES?h=bash-4.4-testing&id=955543877583837c85470f7fb8a97b7aa8d45e6c
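
A behavioural check for the issue described above, added here as an example and not taken from this bug report or from bash itself: it starts a restricted bash, tries to store a path containing `/` in BASH_CMDS, and asks `hash -t` whether the entry was accepted. The function names, the probe key and the `/bin/true` value are constructed for illustration; the probe entry is never executed.

```shell
#!/bin/sh
# Added example: behavioural check for CVE-2019-9924 (names are illustrative).
# Return codes: 0 = restricted bash refused the entry,
#               1 = entry accepted (affected),
#               2 = could not test (no such bash, or no restricted mode).

PROBE_KEY="cve_2019_9924_probe"   # constructed hash-table key, never executed
PROBE_PATH="/bin/true"            # constructed value; the '/' is what matters

check_rbash_cmds() {
    bash_bin=${1:-bash}

    command -v "$bash_bin" >/dev/null 2>&1 || return 2

    # Confirm that -r really yields a restricted shell; a bash built without
    # restricted-shell support would make the probe below meaningless.
    "$bash_bin" -r -c 'shopt -q restricted_shell' >/dev/null 2>&1 || return 2

    # Try to add a hash-table entry through BASH_CMDS, then ask the hash
    # builtin what it remembers for that key. The probe command is not run.
    got=$("$bash_bin" -r -c \
        "BASH_CMDS[$PROBE_KEY]=$PROBE_PATH; hash -t $PROBE_KEY" 2>/dev/null) || true

    if [ "$got" = "$PROBE_PATH" ]; then
        return 1    # the assignment took effect inside the restricted shell
    fi
    return 0        # the assignment was rejected or had no effect
}

report_rbash_cmds() {
    rc=0
    check_rbash_cmds "$1" || rc=$?
    case $rc in
        0) echo "not affected: restricted mode rejected the BASH_CMDS entry" ;;
        1) echo "AFFECTED: BASH_CMDS is writable in restricted mode" ;;
        *) echo "unknown: cannot run a restricted shell with '${1:-bash}'" ;;
    esac
    return $rc
}
```

Source the file and call `report_rbash_cmds /path/to/bash` for each bash binary that backs a restricted account; a behavioural probe is more reliable than comparing version strings when distributions backport the fix.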

Comment 1 Dhananjay Arunesh 2019-03-22 13:49:55 UTC
Created bash tracking bugs for this issue:

Affects: fedora-all [bug 1691775]

Comment 4 Riccardo Schirone 2019-03-27 09:57:40 UTC
An attacker can execute binaries with / in their names even when bash is used as a Restricted Shell, by abusing the environment variable BASH_CMDS.

Comment 9 Doran Moppert 2019-04-01 05:49:37 UTC
Statement:

This issue did not affect the versions of bash as shipped with Red Hat Enterprise Linux 5 as they did not include support for the BASH_CMDS environment variable.

Red Hat Virtualization Hypervisor and Management Appliance were affected by this issue, but do not use the restricted bash shell in a way that would be exposed to attackers. Future updates may address this issue.

Comment 12 Mark Denihan 2020-01-27 14:56:48 UTC
Is there any plan to have this moderate issue patched on RHEL7? If so is there any ETA on that patch's availability?

