Improved patch tackles new Shellshock attack vectors

Two new exploitable issues were found in the Bash shell and could lead to remote code execution, researcher warns

System administrators who spent last week making sure their computers are patched against Shellshock, a critical vulnerability in the Bash Unix command-line interpreter, will have to install a new patch that addresses additional attack vectors.

The Shellshock vulnerability was originally discovered by Akamai Technologies security researcher Stephane Chazelas and can be exploited in several ways to remotely execute code on systems like Linux and Mac OS X that use Bash as their default shell.

The fact that the bug has existed in Bash for many years and that Linux is used on a wide variety of devices, from servers to industrial equipment and embedded electronics, means that the flaw's impact is potentially very large.

Shellshock was publicly disclosed Wednesday, and a patch was released at the same time to address it. It's being tracked as CVE-2014-6271 in the Common Vulnerabilities and Exposures database. But researchers quickly found ways to bypass it with a new attack method that was assigned a separate CVE-2014-7169 identifier.

A second patch was released for CVE-2014-7169, but things didn't stop there either because neither patch addressed the underlying risky behavior of parsing remotely originating strings. Related bugs kept popping up and while it's unclear whether they actually posed a security risk aside from leading to crashes, they started being tracked as CVE-2014-7186 and CVE-2014-7187.

This prompted Red Hat product security researcher Florian Weimer to develop an unofficial patch that takes a more durable approach, according to Google security engineer Michal Zalewski.

"Florian's fix effectively isolates the function parsing code from attacker-controlled strings in almost all the important use cases we can currently think of," said Zalewski in a post on his personal blog.

Weimer's patch was adopted upstream by the Bash project maintainer Chet Ramey as Bash-4.3 Official Patch 27 (bash43-027) on Saturday. The fix also addresses two remotely exploitable issues related to Shellshock that were discovered by Zalewski and haven't been publicly disclosed so far.

The issues found by Zalewski are being tracked as CVE-2014-6277 and CVE-2014-6278, the latter being the most severe one discovered so far according to the researcher.

"It's a 'put your commands here' type of a bug similar to the original report" that permits straightforward remote code execution on systems that were patched against the first bug, Zalewski said. "At this point, I very strongly recommend manually deploying Florian's patch unless your distro [Linux distribution] is already shipping it."

Users can check if they have the latest patch installed by typing "foo='() { echo not patched; }' bash -c foo" at the command line -- without the quotation marks. If the command response is "not patched", the system is vulnerable to the issues found by Zalewski that he plans to reveal in a few days. If the response is "command not found", the system is patched.
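The check described above can be wrapped in a small script so it runs against every Bash binary on a host. This is an added example, not part of the original article; the function names, verdict strings and the list of install paths are assumptions.

```shell
#!/bin/sh
# Added example: wraps the article's one-line test. Function names and
# verdict strings are this example's own, not from the article.

# Map the test command's output to a verdict.
classify_output() {
    case "$1" in
        *"not patched"*)       echo "vulnerable" ;;  # function imported from the environment
        *"command not found"*) echo "patched" ;;     # variable treated as plain data
        *)                     echo "unknown" ;;     # anything else needs a manual look
    esac
}

# Run the article's test against one bash binary (default: bash from PATH).
check_bash() {
    bash_bin=${1:-bash}
    # A missing binary must not be mistaken for a "command not found" result.
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "unknown"
        return 0
    fi
    # LC_ALL=C keeps the error message in English so the match is reliable.
    out=$(LC_ALL=C foo='() { echo not patched; }' "$bash_bin" -c foo 2>&1) || true
    classify_output "$out"
}

# Check common install locations (assumed paths; adjust for the host).
for b in /bin/bash /usr/bin/bash /usr/local/bin/bash; do
    if [ -x "$b" ]; then
        printf '%s: %s\n' "$b" "$(check_bash "$b")"
    fi
done
```

An "unknown" verdict means the output matched neither string from the article, for example because a real command named foo exists on the PATH.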

Lucian Constantin

IDG News Service