A software bug in the shell “Bash” allows remote attackers to inject arbitrary code. This bug is also referred to as “Shellshock”.
Greenbone OS is affected by this vulnerability through its DHCP client functionality. A successful attack is possible if the attacker can compromise the DHCP server of the internal network or can inject their own DHCP service into the internal network. The attacker will gain root privileges.
Greenbone OS is affected in this scenario only if DHCP is configured for Greenbone OS. When a static IP address is used, this attack vector does not work.
Greenbone OS 2.2.0-1 up to 2.2.0-31 if DHCP is enabled.
Greenbone OS 3.0.1 up to 3.0.25 if DHCP is enabled.
Upgrade to at least Greenbone OS 2.2.0-32 or Greenbone OS 3.0.26.
Temporary workaround: disable DHCP and use a static IP address instead.
2014-09-24: general Bash problem report received and verified.
2014-09-25: attack vector analysis for Greenbone OS and solution test.
2014-09-26: solution published as new Patch Level release for GOS 2.2.0 and GOS 3.0.