Vendors push new Bash patches as more flaws emerge

Vendors are hurriedly implementing a new patch released over the weekend for the 'Shellshock' Bash vulnerability, but researchers have since found more Bash flaws that will likely need prompt remediation.

IT professionals who spent last week applying patches for the 'Shellshock' vulnerability in the Bourne-again shell (Bash) may have assumed they could move on from the bug that quickly engulfed the security community. Instead, a new patch was released over the weekend after researchers discovered problems that were overlooked in the original, leaving them to update systems all over again.

Disclosed last Wednesday, the Bash vulnerability, CVE-2014-6271, arises because the shell is willing to process specially crafted environment variables, specifically variables containing function definitions with additional malicious code appended after the end of the function. The bug was scored as a 10.0 on the Common Vulnerability Scoring System (CVSS), affects millions of mostly Linux-based systems around the world and has even drawn comparisons with the infamous Heartbleed OpenSSL vulnerability.
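Because CGI-style web servers hand request headers to scripts as environment variables, the crafted values described above also show up in ordinary access logs. As an added example that is not part of the article, the following Python scans combined-format log lines (the sample lines are constructed here, with RFC 5737 documentation addresses) for Referer or User-Agent values that begin with a Bash function definition:

```python
"""Flag Shellshock probes in web-server access logs.

Bash imports an environment variable as a function when its value starts
with "() {"; the original bug executed whatever followed the function body.
No legitimate User-Agent or Referer value starts that way, so the prefix is
a high-confidence detection signature regardless of what trails it.
"""
import re
from collections import Counter

# Apache/nginx "combined" format:
# ip ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# "()" followed by "{", tolerating the whitespace variants seen in the wild.
FUNC_PREFIX = re.compile(r'^\s*\(\s*\)\s*\{')

# Constructed sample log (not from the article): two probes from one source,
# one normal request, and one benign value containing "()" mid-string.
SAMPLE_LOG = """\
203.0.113.10 - - [29/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"
198.51.100.7 - - [29/Sep/2014:10:12:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.10 - - [29/Sep/2014:10:13:44 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 - "(){ :; }; echo probe" "curl/7.38.0"
192.0.2.55 - - [29/Sep/2014:10:14:02 +0000] "GET /docs/ HTTP/1.1" 200 310 "http://example.test/a () b {" "Mozilla/5.0"
"""

def scan_line(line):
    """Return the (header, value) pairs in one log line that carry a function prefix."""
    m = COMBINED.match(line.rstrip("\n"))
    if not m:
        return []  # unparseable line: report nothing rather than guess
    return [(h, m.group(h)) for h in ("referer", "agent") if FUNC_PREFIX.match(m.group(h))]

def scan_log(text):
    """Return (findings, hits_per_ip) for a whole log.

    findings: one dict per flagged header with the source, path, status and value;
    hits_per_ip: Counter of flagged headers per client address, for triage.
    """
    findings, per_ip = [], Counter()
    for line in text.splitlines():
        m = COMBINED.match(line)
        for header, value in scan_line(line):
            findings.append({"ip": m.group("ip"), "time": m.group("time"), "path": m.group("path"),
                             "status": m.group("status"), "header": header, "value": value})
            per_ip[m.group("ip")] += 1
    return findings, per_ip

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG)[0]:
        print(f"{f['time']} {f['ip']} {f['path']} {f['status']} {f['header']}={f['value']!r}")
```

A 500 status on a flagged CGI path is worth a closer look: it is consistent with the script's shell having been handed the variable and failed, whereas a patched Bash rejects the trailing code and the request usually completes normally.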

Bash's project managers quickly released a patch for the flaw after it was announced; vendors such as Red Hat Inc. updated their products shortly thereafter, but in the following days, researchers found potential ways to sidestep the original patch. Tavis Ormandy, a Google security researcher, was one of the first to call attention to the flawed patch on Twitter.

Ormandy's finding led to the newly identified issue, noted in CVE-2014-7169, and the subsequent release of a second patch, but neither patch fully remediated the shell's exposed parsing capabilities. After discussing some of those problems on the OSS-SEC mailing list, researchers late last week identified two more unspecified vulnerabilities in Bash being tracked as CVE-2014-7186 and CVE-2014-7187, though the severity of those bugs is unclear.

Michał Zalewski, also a security researcher with Google, said on his blog that he found yet another pair of Bash vulnerabilities over the weekend: CVE-2014-6277 and CVE-2014-6278. While CVE-2014-6277 is a parsing issue that can most likely be exploited remotely, according to Zalewski, he deemed CVE-2014-6278 to be perhaps the "most severe issue" discovered since Shellshock was announced.

CVE-2014-6278 essentially permits "very simple and straightforward remote code execution on the systems that are patched against the first bug," said Zalewski on his blog, noting that he plans to release more details on the vulnerabilities in the coming days. "It's a 'Put your commands here,' type of a bug, similar to the original report."

As a result of Zalewski's findings, Florian Weimer, a product security researcher with Raleigh, N.C.-based Red Hat Inc., released an unofficial Bash patch that purportedly addresses all of the Bash security flaws that have been reported in the last week. Weimer's patch was subsequently adopted by Project Manager Chet Ramey as part of the Bash 4.3 official patch released Saturday.

That new fix comes as some of the largest companies in the tech industry are already struggling to patch Bash in various products. A security alert from Oracle Corp. confirmed that dozens of the vendor's products are affected both by the original Shellshock bug, as well as the more recent CVE-2014-7169, but it failed to clarify when customers may expect a permanent fix.

Cisco provided software updates to customers running products with vulnerable versions of Bash, but subsequent findings make it unclear whether those fixes will ultimately prove to be temporary.

"At this point, I very strongly recommend manually deploying Florian's patch unless your distro is already shipping it," said Zalewski.

Next Steps

Although the Bash vulnerability was announced only last week, attackers have already been observed exploiting it.
