Cisco NX-OS: GNU Bash Environment Variable Command Injection Vulnerability (CVE-2014-6271)

On September 24, 2014, a vulnerability in the Bash shell was publicly announced. The vulnerability is related to the way in which shell functions are passed though environment variables. The vulnerability may allow an attacker to inject commands into a Bash shell, depending on how the shell is invoked. The Bash shell may be invoked by a number of processes including, but not limited to, telnet, SSH, DHCP, and scripts hosted on web servers.

2014年9月24日，Bash壳层中的一项漏洞被公之于众。该漏洞与通过环境变量传递shell函数的方式有关。根据shell的调用方式，此漏洞可能使攻击者能够向Bash壳层注入命令。Bash壳层可通过包括但不限于telnet、SSH、DHCP以及托管在Web服务器上的脚本等多种进程进行调用。