Improved patch tackles new Shellshock attack vectors

Two new exploitable issues were found in the Bash shell and could lead to remote code execution, researcher warns

System administrators who spent last week making sure their computers are patched against Shellshock, a critical vulnerability in the Bash Unix command-line interpreter, will have to install a new patch that addresses additional attack vectors.

The Shellshock vulnerability was originally discovered by Akamai Technologies security researcher Stephane Chazelas and can be exploited in several ways to remotely execute code on systems like Linux and Mac OS X that use Bash as their default shell.

The fact that the bug has existed in Bash for many years, and that Linux is used on a wide variety of devices from servers to industrial equipment and embedded electronics, means that the flaw's impact is potentially very large.

Shellshock was publicly disclosed Wednesday, and a patch was released at the same time to address it. It's being tracked as CVE-2014-6271 in the Common Vulnerabilities and Exposures database. But researchers quickly found ways to bypass it with a new attack method that was assigned a separate CVE-2014-7169 identifier.

A second patch was released for CVE-2014-7169, but things didn't stop there either, because neither patch addressed the underlying risky behavior of parsing remotely originating strings. Related bugs kept popping up, and while it's unclear whether they actually posed a security risk aside from leading to crashes, they started being tracked as CVE-2014-7186 and CVE-2014-7187.

This prompted Red Hat product security researcher Florian Weimer to develop an unofficial patch that takes a more durable approach, according to Google security engineer Michal Zalewski.

"Florian's fix effectively isolates the function parsing code from attacker-controlled strings in almost all the important use cases we can currently think of," said Zalewski in a post on his personal blog.

Weimer's patch was adopted upstream by the Bash project maintainer Chet Ramey as Bash-4.3 Official Patch 27 (bash43-027) on Saturday. The fix also addresses two remotely exploitable issues related to Shellshock that were discovered by Zalewski and haven't been publicly disclosed so far.

The issues found by Zalewski are being tracked as CVE-2014-6277 and CVE-2014-6278, the latter being the most severe one discovered so far according to the researcher.

"It's a 'put your commands here' type of a bug similar to the original report" that permits straightforward remote code execution on systems that were patched against the first bug, Zalewski said. "At this point, I very strongly recommend manually deploying Florian's patch unless your distro [Linux distribution] is already shipping it."

Users can check if they have the latest patch installed by typing "foo='() { echo not patched; }' bash -c foo" in the command line, without the quotation marks. If the command response is "not patched", the system is vulnerable to the issues found by Zalewski, which he plans to reveal in a few days. If the response is "command not found", the system is patched.
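The manual check above, turned into a scriptable test that can be run across a fleet. This is an added example, not code from the article or from the Bash project; it assumes a POSIX sh is available and that "bash" is on the PATH, and it also confirms that legitimately exported functions still work under the patched behavior.

```shell
#!/bin/sh
# Added example: run the article's patch check and classify the result.
# Exit status: 0 = patched, 1 = vulnerable, 2 = bash not installed, 3 = unexpected output.
shellshock_check() {
  if ! command -v bash >/dev/null 2>&1; then
    echo "no-bash"
    return 2
  fi
  # The environment variable "foo" carries a value shaped like a function body.
  # A patched bash no longer imports such values as functions, so "foo" is not
  # defined and the child shell reports "command not found" instead of running it.
  out=$(foo='() { echo not patched; }' bash -c foo 2>&1)
  case "$out" in
    *"not patched"*)        echo "vulnerable"; return 1 ;;
    *"command not found"*)  echo "patched";    return 0 ;;
    *)                      echo "unknown: $out"; return 3 ;;
  esac
}

# The patch isolates function parsing from arbitrary environment strings while
# keeping the supported path: a function exported with "export -f" by a parent
# bash is still available in a child bash. Prints "ok" when that path works.
exported_functions_still_work() {
  if ! command -v bash >/dev/null 2>&1; then
    echo "no-bash"
    return 2
  fi
  out=$(bash -c 'f() { echo ok; }; export -f f; bash -c f' 2>&1)
  [ "$out" = "ok" ] && echo "ok" || { echo "broken: $out"; return 3; }
}

# Usage: print both results; the shell's exit status reflects the patch check.
exported_functions_still_work
shellshock_check
```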

Lucian Constantin

IDG News Service