Improved patch tackles new Shellshock attack vectors

Two new exploitable issues were found in the Bash shell and could lead to remote code execution, researcher warns

System administrators who spent last week making sure their computers are patched against Shellshock, a critical vulnerability in the Bash Unix command-line interpreter, will have to install a new patch that addresses additional attack vectors.

The Shellshock vulnerability was originally discovered by Akamai Technologies security researcher Stephane Chazelas and can be exploited in several ways to remotely execute code on systems like Linux and Mac OS X that use Bash as their default shell.

The fact that the bug has existed in Bash for many years and that Linux is used on a wide variety of devices from servers to industrial equipment and embedded electronics, means that the flaw's impact is potentially very large.

Shellshock was publicly disclosed Wednesday, and a patch was released at the same time to address it. It's being tracked as CVE-2014-6271 in the Common Vulnerabilities and Exposures database. But researchers quickly found ways to bypass it with a new attack method that was assigned a separate CVE-2014-7169 identifier.

A second patch was released for CVE-2014-7169, but things didn't stop there either because neither patch addressed the underlying risky behavior of parsing remotely originating strings. Related bugs kept popping up and while it's unclear whether they actually posed a security risk aside from leading to crashes, they started being tracked as CVE-2014-7186 and CVE-2014-7187.

This prompted Red Hat product security researcher Florian Weimer to develop an unofficial patch that takes a more durable approach, according to Google security engineer Michal Zalewski.

"Florian's fix effectively isolates the function parsing code from attacker-controlled strings in almost all the important use cases we can currently think of," said Zalewski in a post on his personal blog.

Weimer's patch was adopted upstream by the Bash project maintainer Chet Ramey as Bash-4.3 Official Patch 27 (bash43-027) on Saturday. The fix also addresses two remotely exploitable issues related to Shellshock that were discovered by Zalewski and haven't been publicly disclosed so far.

The issues found by Zalewski are being tracked as CVE-2014-6277 and CVE-2014-6278, the latter being the most severe one discovered so far according to the researcher.

"It's a 'put your commands here' type of a bug similar to the original report" that permits straightforward remote code execution on systems that were patched against the first bug, Zalewski said. "At this point, I very strongly recommend manually deploying Florian's patch unless your distro [Linux distribution] is already shipping it."

Users can check if they have the latest patch installed by typing "foo='() { echo not patched; }' bash -c foo" in the command line -- without the quotation marks. If the command response is "not patched" the system is vulnerable to the issues found by Zalewski that he plans to reveal in a few days. If the response is "command not found" the system is patched.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags patchesAkamai TechnologiesGooglesecuritypatch managementRed HatExploits / vulnerabilities

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Essentials

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?