PSIRT Advisories

Remote Exploit Vulnerability in Bash - (Shellshock)

Summary

A vulnerability has been discovered in GNU Bourne Again Shell (Bash) versions 1.14.0 through 4.3. It may allow an attacker to remotely execute arbitrary code by placing specially crafted content in an environment variable string. Under certain circumstances, exploitation of this vulnerability can result in unwanted code executing on the vulnerable system.


Update: Mon Sep 29 - This advisory has been updated to include the Bash vulnerabilities reported in CVE-2014-6277 and CVE-2014-6273. Updates for the affected products will address all four reported CVEs.
Additional updates will follow.

Update June 1st 2021: The list of impacted products has been updated to include FortiWLC.

Impact Detail

A vulnerability has been discovered in GNU Bourne Again Shell (Bash) versions 1.14.0 through 4.3. It may allow an attacker to remotely execute arbitrary code by placing specially crafted content in an environment variable string. Under certain circumstances, exploitation of this vulnerability can result in unwanted code executing on the vulnerable system.

Update: Mon Sep 29 - This advisory has been updated to include the Bash vulnerabilities reported in CVE-2014-6277 and CVE-2014-6273. Updates for the affected products will address all four reported CVEs. Additional updates will follow.

Affected Products

FortiAnalyzer (versions 5.0.X and 5.2.0) - authentication required to exploit
FortiAuthenticator - authentication required to exploit
FortiDB versions below 5.1.5.
FortiManager (versions 4.3, 5.0.X and 5.2.0) - authentication required to exploit
AscenLink v7.X
FortiWLC versions 8.5.3 and below, and FortiWLC version 8.6.0 - only 32-bit FortiWLC Wireless Controllers are impacted

Solutions

FortiAnalyzer
FortiAnalyzer v5.0.8 is now available.
FortiAnalyzer v5.2.1 is now available.
FortiAuthenticator
A patch for FortiAuthenticator v3.1.2 is now available.
FortiDB
A patch for FortiDB v5.1.5 is now available.
FortiManager
FortiManager v5.0.8 is now available.
FortiManager v5.2.1 is now available.
AscenLink
This vulnerability will be fixed in an upcoming patch of AscenLink.
FortiWLC
Please upgrade to FortiWLC version 8.5.4 or above.
Please upgrade to FortiWLC version 8.6.1 or above.
Workarounds
FortiGate customers may apply the IPS signature entitled "Bash.Function.Definitions.Remote.Code.Execution" to protect systems accessible through a FortiGate. This IPS signature is available in the 5.552 IPS update, which will be deployed via FDS on the afternoon of September 25th.
FortiGuard Labs has created an AV signature for this vulnerability and it was deployed using the Hot Update functionality. It is advised that all FortiGate customers ensure they are using AV DB 22.863 or later to help protect systems.
FortiGuard Web Security Service for FortiWeb web application firewall was updated overnight to address the Shellshock vulnerability. Updated package 0.00116 includes signature 090420001 to prevent attackers from executing arbitrary commands over HTTP via specially crafted Bash environment variables (CVE-2014-6271, CVE-2014-7169). FortiWeb applies signature 090420001 to URLs, arguments, headers and cookies. The signature is part of the Known Exploits directory and is enabled by default.
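The following is an added illustration, not Fortinet's signature or code: a small detector in the spirit of the FortiWeb rule above. It flags the Bash function-definition prefix "() {" in the request fields the advisory says are inspected (URL, arguments, headers, cookies), undoing URL-encoding first so an encoded variant is not missed. The sample requests and field names are constructed for the example.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qsl

# Bash treats an imported variable as a function definition when its value
# starts with "() {" (whitespace between the parens and brace is optional).
# Web servers that copy HTTP fields into environment variables (CGI) are the
# path by which such a value reaches Bash, so this is the pattern to look for.
FUNC_DEF = re.compile(r"\(\s*\)\s*\{")

def _decode(value: str, rounds: int = 2) -> str:
    """Undo up to `rounds` layers of URL-encoding so %28%29%20%7B is seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(url: str, headers: dict) -> list:
    """Return (location, raw value) pairs whose value carries a function definition."""
    parts = urlsplit(url)
    fields = [("url", parts.path)]
    fields += [("arg:" + k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    for name, value in headers.items():
        if name.lower() == "cookie":
            for cookie in value.split(";"):
                k, _, v = cookie.strip().partition("=")
                fields.append(("cookie:" + k, v))
        else:
            fields.append(("header:" + name, value))
    return [(loc, value) for loc, value in fields if FUNC_DEF.search(_decode(value))]

# Constructed sample traffic: a benign request, one carrying the pattern in a
# header, and one carrying it URL-encoded inside a query argument.
SAMPLE_REQUESTS = [
    ("/cgi-bin/status?lang=en", {"User-Agent": "Mozilla/5.0", "Cookie": "sid=abc123"}),
    ("/cgi-bin/status", {"User-Agent": "() { :; }; /bin/true"}),
    ("/cgi-bin/status?lang=%28%29%20%7B%20%3A%3B%20%7D%3B%20%2Fbin%2Ftrue", {}),
]

def scan(requests=SAMPLE_REQUESTS) -> list:
    """Return (request index, [locations]) for every request that is flagged."""
    results = []
    for i, (url, headers) in enumerate(requests):
        hits = inspect_request(url, headers)
        if hits:
            results.append((i, [loc for loc, _ in hits]))
    return results

if __name__ == "__main__":
    print(scan())  # [(1, ['header:User-Agent']), (2, ['arg:lang'])]
```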
Please be sure to back up your affected systems prior to update and read the respective release notes when performing any software upgrade. Firmware release dates for impacted products are pending and this advisory will be updated when available.