Improved patch tackles new Shellshock attack vectors

Two new exploitable issues were found in the Bash shell and could lead to remote code execution, researcher warns

System administrators who spent last week making sure their computers are patched against Shellshock, a critical vulnerability in the Bash Unix command-line interpreter, will have to install a new patch that addresses additional attack vectors.

The Shellshock vulnerability was originally discovered by Akamai Technologies security researcher Stephane Chazelas and can be exploited in several ways to remotely execute code on systems like Linux and Mac OS X that use Bash as their default shell.

The fact that the bug has existed in Bash for many years and that Linux is used on a wide variety of devices, from servers to industrial equipment and embedded electronics, means that the flaw's impact is potentially very large.

Shellshock was publicly disclosed Wednesday, and a patch was released at the same time to address it. It's being tracked as CVE-2014-6271 in the Common Vulnerabilities and Exposures database. But researchers quickly found ways to bypass it with a new attack method that was assigned a separate CVE-2014-7169 identifier.

A second patch was released for CVE-2014-7169, but things didn't stop there either because neither patch addressed the underlying risky behavior of parsing remotely originating strings. Related bugs kept popping up and while it's unclear whether they actually posed a security risk aside from leading to crashes, they started being tracked as CVE-2014-7186 and CVE-2014-7187.

This prompted Red Hat product security researcher Florian Weimer to develop an unofficial patch that takes a more durable approach, according to Google security engineer Michal Zalewski.

"Florian's fix effectively isolates the function parsing code from attacker-controlled strings in almost all the important use cases we can currently think of," said Zalewski in a post on his personal blog.

Weimer's patch was adopted upstream by the Bash project maintainer Chet Ramey as Bash-4.3 Official Patch 27 (bash43-027) on Saturday. The fix also addresses two remotely exploitable issues related to Shellshock that were discovered by Zalewski and haven't been publicly disclosed so far.

The issues found by Zalewski are being tracked as CVE-2014-6277 and CVE-2014-6278, the latter being the most severe one discovered so far according to the researcher.

"It's a 'put your commands here' type of a bug similar to the original report" that permits straightforward remote code execution on systems that were patched against the first bug, Zalewski said. "At this point, I very strongly recommend manually deploying Florian's patch unless your distro [Linux distribution] is already shipping it."

Users can check if they have the latest patch installed by typing "foo='() { echo not patched; }' bash -c foo" in the command line -- without the quotation marks. If the command response is "not patched" the system is vulnerable to the issues found by Zalewski that he plans to reveal in a few days. If the response is "command not found" the system is patched.
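The check above can be scripted so that it runs against every Bash binary an administrator names and reports a result for each. This is an added example, not code from the article or from the Bash project; the function names are hypothetical, and the script assumes the binaries to test are passed as arguments (defaulting to the bash found on PATH).

```shell
#!/bin/sh
# Added example: wraps the check quoted in the article.
# Function names are hypothetical, not part of Bash or any distribution tool.

# Map the text printed by the probe to a verdict.
classify_probe_output() {
    case "$1" in
        *"not patched"*)       echo "vulnerable" ;;  # env string was parsed as a function
        *"command not found"*) echo "patched" ;;     # function import is isolated
        *)                     echo "unknown" ;;     # unexpected output, inspect by hand
    esac
}

# Run the article's probe against one bash binary and print the verdict.
check_bash() {
    bin="$1"
    if [ -z "$bin" ] || [ ! -x "$bin" ]; then
        echo "missing"
        return 0
    fi
    # LC_ALL=C keeps the error message in English so it can be matched.
    # "|| true": a patched bash exits non-zero here, which is the expected case.
    out=$(env LC_ALL=C foo='() { echo not patched; }' "$bin" -c foo 2>&1) || true
    classify_probe_output "$out"
}

# Check every binary given as an argument; return 1 if any is not "patched".
scan_bash_binaries() {
    [ "$#" -gt 0 ] || set -- "$(command -v bash)"
    status=0
    for candidate in "$@"; do
        verdict=$(check_bash "$candidate")
        printf '%s: %s\n' "${candidate:-bash}" "$verdict"
        [ "$verdict" = "patched" ] || status=1
    done
    return "$status"
}

scan_bash_binaries "$@" || echo "at least one binary is not confirmed patched" >&2
```
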
