CVE-2019-14868
📋 TL;DR
CVE-2019-14868 is a command injection vulnerability in ksh (KornShell) that allows attackers to bypass environment restrictions and execute arbitrary shell commands. This affects systems using ksh version 20120801 where attackers can control specific environment variables. Remote exploitation is possible if services allow unauthenticated users to set these variables.
💻 Affected Systems
- ksh (KornShell)
- AT&T AST ksh
- systems using ksh as default shell
📦 What is this software?
Ksh by Ksh Project
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with the privileges of the ksh process, potentially leading to full system compromise.
Likely Case
Local privilege escalation or command execution in multi-user environments where users can influence environment variables.
If Mitigated
Limited impact if proper input validation and environment sanitization are implemented.
🎯 Exploit Status
Exploitation requires ability to set specific environment variables (ENV, FPATH). Public disclosure includes technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Patched in ksh versions after 20120801; specific patches vary by distribution
Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14868
Restart Required: No
Instructions:
1. Update ksh package using system package manager
2. For RedHat/CentOS: yum update ksh
3. For Debian/Ubuntu: apt-get update && apt-get install ksh
4. For macOS: Update to Catalina or later, or install patched version
🔧 Temporary Workarounds
Restrict environment variable usage
Linux: Limit the ability to set the ENV and FPATH environment variables in vulnerable services
export ENV=/dev/null
unset FPATH
Use alternative shell
Linux: Change the default shell to bash or another unaffected shell for vulnerable users/services
chsh -s /bin/bash username
🧯 If You Can't Patch
- Implement strict input validation for all services accepting environment variables
- Use mandatory access controls (SELinux/AppArmor) to limit ksh process capabilities
🔍 How to Verify
Check if Vulnerable:
Check ksh version: ksh --version 2>&1 | grep -i version
Check Version:
ksh --version 2>&1 | head -1
Verify Fix Applied:
Verify updated version is installed and test with known exploit vectors
📡 Detection & Monitoring
Log Indicators:
- Unusual ksh process execution with unexpected environment variables
- Failed attempts to set ENV/FPATH variables
Network Indicators:
- Network services allowing environment variable injection
SIEM Query:
process.name:"ksh" AND (env.ENV:* OR env.FPATH:*)
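A host-side counterpart to the query above, as an added example that is not part of the original advisory: it walks a Linux /proc tree and lists ksh processes whose environment sets ENV or FPATH. The function names, the process names `ksh`/`ksh93` and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): list ksh processes whose environment
# sets ENV or FPATH, the two variables this page names for CVE-2019-14868.

# risky_vars FILE: FILE is a NUL-separated environment block, the format of
# /proc/<pid>/environ. Prints matching entries; returns non-zero if none.
# grep -z (GNU grep) treats each NUL-terminated entry as one record, so
# "MYENV=..." or a value containing "ENV=" does not match.
risky_vars() {
    out=$(grep -azE '^(ENV|FPATH)=' "$1" 2>/dev/null | tr '\0' '\n')
    [ -n "$out" ] && printf '%s\n' "$out"
}

# scan_proc [ROOT]: check every ksh process under ROOT (default /proc).
# Process names "ksh" and "ksh93" are an assumption; adjust for your build.
# Prints "pid=N comm=NAME VAR=value ..." and returns 0 if anything was flagged.
scan_proc() {
    root=${1:-/proc}
    flagged=1
    for dir in "$root"/[0-9]*; do
        [ -r "$dir/comm" ] && [ -r "$dir/environ" ] || continue
        name=$(cat "$dir/comm" 2>/dev/null) || continue
        case $name in ksh|ksh93) ;; *) continue ;; esac
        hits=$(risky_vars "$dir/environ") || continue
        printf 'pid=%s comm=%s %s\n' "${dir##*/}" "$name" \
            "$(printf '%s' "$hits" | tr '\n' ' ')"
        flagged=0
    done
    return "$flagged"
}

# make_sample DIR: constructed /proc-like tree so the scan can be run offline.
make_sample() {
    mkdir -p "$1/101" "$1/102" "$1/103"
    echo ksh > "$1/101/comm"
    printf 'HOME=/root\0ENV=/tmp/x.rc\0' > "$1/101/environ"
    echo ksh > "$1/102/comm"
    printf 'HOME=/root\0MYENV=1\0' > "$1/102/environ"
    echo bash > "$1/103/comm"
    printf 'FPATH=/tmp/f\0' > "$1/103/environ"
}
```

Run `scan_proc` as root so that other users' environ files are readable. /proc/<pid>/environ shows the environment the process was started with, which is the point at which ksh consults these variables.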
🔗 References
- http://seclists.org/fulldisclosure/2020/May/53
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14868
- https://github.com/att/ast/commit/c7de8b641266bac7c77942239ac659edfee9ecd2
- https://lists.debian.org/debian-lts-announce/2020/07/msg00015.html
- https://support.apple.com/kb/HT211170