Improved patch tackles new Shellshock attack vectors

Two new exploitable issues were found in the Bash shell and could lead to remote code execution, researcher warns

System administrators who spent last week making sure their computers are patched against Shellshock, a critical vulnerability in the Bash Unix command-line interpreter, will have to install a new patch that addresses additional attack vectors.

The Shellshock vulnerability was originally discovered by Akamai Technologies security researcher Stephane Chazelas and can be exploited in several ways to remotely execute code on systems like Linux and Mac OS X that use Bash as their default shell.

Because the bug has existed in Bash for many years and Linux is used on a wide variety of devices, from servers to industrial equipment and embedded electronics, the flaw's impact is potentially very large.

Shellshock was publicly disclosed Wednesday, and a patch was released at the same time to address it. It's being tracked as CVE-2014-6271 in the Common Vulnerabilities and Exposures database. But researchers quickly found ways to bypass the patch with a new attack method that was assigned a separate identifier, CVE-2014-7169.

A second patch was released for CVE-2014-7169, but things didn't stop there either, because neither patch addressed the underlying risky behavior of parsing remotely originating strings. Related bugs kept popping up, and while it's unclear whether they actually posed a security risk aside from leading to crashes, they started being tracked as CVE-2014-7186 and CVE-2014-7187.

This prompted Red Hat product security researcher Florian Weimer to develop an unofficial patch that takes a more durable approach, according to Google security engineer Michal Zalewski.

"Florian's fix effectively isolates the function parsing code from attacker-controlled strings in almost all the important use cases we can currently think of," said Zalewski in a post on his personal blog.

Weimer's patch was adopted upstream by the Bash project maintainer Chet Ramey as Bash-4.3 Official Patch 27 (bash43-027) on Saturday. The fix also addresses two remotely exploitable issues related to Shellshock that were discovered by Zalewski and haven't been publicly disclosed so far.

The issues found by Zalewski are being tracked as CVE-2014-6277 and CVE-2014-6278, the latter being the most severe one discovered so far according to the researcher.

"It's a 'put your commands here' type of a bug similar to the original report" that permits straightforward remote code execution on systems that were patched against the first bug, Zalewski said. "At this point, I very strongly recommend manually deploying Florian's patch unless your distro [Linux distribution] is already shipping it."

Users can check if they have the latest patch installed by typing "foo='() { echo not patched; }' bash -c foo" in the command line -- without the quotation marks. If the command response is "not patched" the system is vulnerable to the issues found by Zalewski that he plans to reveal in a few days. If the response is "command not found" the system is patched.
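
The check above can be scripted so it runs against every Bash binary on a host instead of only the one on the PATH. The following is an added example, not code from the article or the Bash project; the function names and the use of /etc/shells to find additional Bash binaries are this example's own assumptions.

```sh
#!/bin/sh
# Added example: wraps the article's one-line check so it can be scripted.

# Map the probe's combined output to a verdict, using the article's criteria:
#   "not patched"       -> bash built a function from the plain variable foo
#   "command not found" -> foo was not imported as a function
classify_probe_output() {
    case "$1" in
        *"not patched"*)       echo vulnerable ;;
        *"command not found"*) echo patched ;;
        *)                     echo unknown ;;
    esac
}

# Run the article's command against one bash binary (default: bash on PATH).
probe_bash() {
    bin=${1:-bash}
    if ! command -v "$bin" >/dev/null 2>&1; then
        echo missing
        return 0
    fi
    # env -i gives the child a clean environment: a stray exported foo or a
    # non-English locale cannot change the text being matched.
    out=$(env -i PATH="$PATH" foo='() { echo not patched; }' "$bin" -c foo 2>&1)
    classify_probe_output "$out"
}

# Probe every distinct bash: the one on PATH plus any listed in /etc/shells.
audit_bash_binaries() {
    {
        command -v bash || true
        if [ -r /etc/shells ]; then
            grep -E '/bash$' /etc/shells || true
        fi
    } 2>/dev/null | sort -u | while IFS= read -r b; do
        printf '%s\t%s\n' "$b" "$(probe_bash "$b")"
    done
}
```

Calling `audit_bash_binaries` prints one tab-separated line per binary; any line ending in `vulnerable` or `unknown` needs follow-up.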

