GNU Bash Unsupported Characters Heap-Based Buffer Overflow Vulnerability [CVE-2012-6711]
CVE Number – CVE-2012-6711
A vulnerability in the lib/sh/strtrans.c:anicstr function of GNU Bash could allow an authenticated, local attacker to execute code on a targeted system.The vulnerability is due buffer errors within the lib/sh/strtrans.c:anicstr function of the affected software. An attacker could exploit this vulnerability by providing print data through the echo built-in function. A successful exploit could allow the attacker to execute code on the targeted system.GNU Bash has confirmed this vulnerability and released a software patch.
Analysis
- An attacker would need to authenticate locally and be able to run Bash with certain options. These requirements could reduce the likelihood of a successful exploit.
Safeguards
- Administrators are advised to apply the appropriate updates.Administrators are advised to allow only trusted users to access local systems.Administrators are advised to monitor critical systems.
Vendor Announcements
- GNU Bash has posted a security note at the following link: Bug 1721071
Fixed Software
- GNU Bash has issued a patch at the following link: commit bash-20120224 snapshot
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.