Wind River Support Network

Recommended

Wind River Security Alert for Wind River Linux 4.x/5.0.1.x/6.0.0.x (CVE-2014-6271 & CVE-2014-7169 & CVE-2014-7186 & CVE-2014-7187 & CVE-2014-6277 & CVE-2014-6278 )

Released: Sep 24, 2014     Updated: Nov 20, 2014

Summary

Wind River Security Alert for Wind River Linux 4.x/5.0.1.x/6.0.0.x (CVE-2014-6271 & CVE-2014-7169 & CVE-2014-7186 & CVE-2014-7187 & CVE-2014-6277 & CVE-2014-6278)


Affected Product Versions

Wind River Linux 4, Wind River Linux 6, Wind River Linux 5

Downloads


Description

This alert confirms that the following Wind River Linux releases ARE SUSCEPTIBLE to the serious bash vulnerabilities CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277 and CVE-2014-6278. The vulnerabilities affect Wind River Linux 2.0.x/3.0.x/4.3.0.x/5.0.1.x/6.0.0.x.

Wind River is committed to delivering secure, reliable products and offerings. As part of this commitment, the Wind River Linux Security Response Team is engaged in constant and active threat monitoring, rapid assessment and threat prioritization, response and proactive customer contact, and expedited remediation.

Wind River is closely monitoring the dynamic situation resulting from this issue and will provide additional information (and fixes as required) as the situation changes.


Vulnerability description:

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

Note: The header of the 0001-bash-CVE-2014-6271-remote-code-execution-through-bas-*.patch has been modified since the original posting. There is no code change from the original posting.

Note: The 0002-bash-CVE-2014-7169-and-an-Out-of-bounds-issue-*.patch fixes CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187.

Note: The 0003-bash-CVE-2014-6277-and-CVE-2014-6278-mitigation-*.patch mitigates CVE-2014-6277 and CVE-2014-6278 by closing the attack vector.

Note: The 0004-bash-CVE-issue-on-shellshock-*.patch reverts the previous fixes and applies the official patches from bash upstream, and also adds two additional fixes to complete the CVE-2014-6277 and CVE-2014-6278 fixes.


Apply the patch for Wind River Linux 4.3.0.x
========================
1) Update to 4.3 RCPL 26
2) Apply the patches
$ cd /product/wrlinux-4/layers/updates/RCPL-4.3-WRL.0026/wrll-userspace
$ patch -p1 < 0001-bash-CVE-2014-6271-remote-code-execution-through-bas-4.3.patch
$ patch -p1 < 0002-bash-CVE-2014-7169-and-an-Out-of-bounds-issue-4.3.patch
$ patch -p1 < 0003-bash-CVE-2014-6277-and-CVE-2014-6278-mitigation-4.3.patch
$ patch -p1 < 0004-bash-CVE-issue-on-shellshock-4.3.patch

Apply the patch for Wind River Linux 5.0.1.x
========================
1) Update to 5.0.1.19
2) configure project with .. --with-rcpl-version=0019
3) cd project/layers/oe-core
4) git am 0001-bash-CVE-2014-6271-remote-code-execution-through-bas-5.0.1.patch
5) git am 0002-bash-CVE-2014-7169-and-an-Out-of-bounds-issue-5.0.1.patch
6) git am 0003-bash-CVE-2014-6277-and-CVE-2014-6278-mitigation-5.0.1.patch
7) git am 0004-bash-CVE-issue-on-shellshock-5.0.1.patch


Apply the patch for Wind River Linux 6.0.0.x
========================
1) Update to 6.0.0.12
2) configure project with .. --with-rcpl-version=0012
3) cd project/layers/oe-core
4) git am 0001-bash-CVE-2014-6271-remote-code-execution-through-bas-6.0.patch
5) git am 0002-bash-CVE-2014-7169-and-an-Out-of-bounds-issue-6.0.patch
6) git am 0003-bash-CVE-2014-6277-and-CVE-2014-6278-mitigation-6.0.patch
7) git am 0004-bash-CVE-issue-on-shellshock-6.0.patch

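After applying the patches, a quick way to confirm that the hardened function-export scheme carried by the 0003/0004 patches is in effect is to export a function and look at the variable name bash hands to child processes. The check below is an added example, not part of this alert or of Wind River's patches; the function names and the probe function name are constructed for it. A vulnerable bash exports function "f" under the bare variable name "f" (which is why any environment variable starting with "() {" was parsed as a function), while the patched bash uses a namespaced name such as BASH_FUNC_f%% (upstream) or BASH_FUNC_f() (some vendor backports).

```shell
#!/bin/sh
# Added example: report which function-export naming scheme the installed
# bash uses. "bare" is the pre-Shellshock-fix scheme; "namespaced" means the
# attack vector (arbitrary environment variables parsed as function bodies)
# has been closed by the upstream-style patches.

# Print the environment variable name bash uses when exporting the
# constructed probe function "shellshock_probe".
# $1: path to the bash to examine (assumed; defaults to the first bash on PATH).
bash_func_export_name() {
    b="${1:-$(command -v bash)}"
    [ -x "$b" ] || { echo "no-bash"; return 1; }
    # env prints the exported function as NAME=() { ... }; keep only NAME
    # from the first line that carries the probe function.
    "$b" -c 'shellshock_probe() { :; }; export -f shellshock_probe; env' \
        | sed -n 's/^\([^=]*shellshock_probe[^=]*\)=.*/\1/p' | head -n 1
}

# Classify the scheme: "bare" (old, vulnerable-era export format),
# "namespaced" (hardened format), or "unknown".
bash_func_export_scheme() {
    name=$(bash_func_export_name "$1") || return 1
    case "$name" in
        shellshock_probe)            echo "bare" ;;
        BASH_FUNC_shellshock_probe*) echo "namespaced" ;;
        *)                           echo "unknown" ;;
    esac
}

# Stand-alone usage: report on the bash found on PATH (or the one given as $1).
printf 'bash function export scheme: %s\n' "$(bash_func_export_scheme "$1")"
```

A "bare" result shows only that the old export scheme is still in use, not which individual CVEs remain open (a bash carrying only the 0001 and 0002 patches still reports "bare"); a "namespaced" result confirms the vector is closed but says nothing about patch level beyond that.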

Wind River Linux 2.0.x/3.0.x are End of Life (EOL); please contact Wind River Support at +1-800-872-4977 or your local Wind River representative for the Wind River Linux 2.0.x/3.0.x fix.

