Vulnerabilities / Threats
9/29/2014
02:25 PM

New Bash Bugs Surface

Time to patch again: Newly discovered flaws in Bash put Linux-based systems at risk.

If you patched your Linux-based systems before 1:11 a.m. Eastern Daylight Time yesterday for the major Shellshock vulnerability in the Bash shell, your work is not done yet. New bugs have been reported in Bash, so it's probably time to patch again, security experts warn.

Johannes Ullrich, director of the SANS Internet Storm Center, says the newly discovered Bash vulnerabilities have not been patched as of this posting: CVE-2014-7186, -7187, and -6277. The original Bash Shellshock bugs revealed on September 24 -- CVE-2014-6271 and CVE-2014-7169 -- have been patched and updated in major distributions, according to Ullrich.

The latest bugs in Bash are not one and the same as Shellshock, however. "They are not exploitable via environment variables as far as I know, so the CGI vector that has been a big problem with Shellshock doesn't seem to apply," says Ullrich, who is currently performing more testing on the latest findings.

According to the Shellshocker.net website set up by Medical Informatics Engineering's health IT team in the wake of the Shellshock discovery, any patches applied prior to 1:11 AM EDT on Sunday, September 28, are vulnerable.

Shellshocker posted this message on its site:

Shellshock (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277) is a vulnerability in GNU's bash shell that gives attackers access to run remote commands on a vulnerable system. If your system has not updated bash since Sun Sep 28 2014: 1:11AM EST (See patch history), you're most definitely vulnerable and have been since first boot. This security vulnerability affects versions 1.14 (released in 1994) to the most recent version 4.3 according to NVD.

Meanwhile, security experts recommend checking your software vendor's patch information against the CVEs. Internet expert Paul Vixie also recommends referring to the Shellshocker.net website to determine if the latest bugs have indeed been patched in your software.

Vixie, who says Shellshock is indicative of a future full of what he calls "hair on fire" software flaws in the tradition of Y2K, Conficker, and Heartbleed, gives this advice on how to handle Bash bugs:

Get an inventory of the contents of every smart device your agency or your company owns or operates or depends upon, and enact a phase-out plan that replaces every non-upgradeable or un-auditable device with something you can actually control. Let normal apple/redhat/$vendor upgrade/patch take care of their products on your network in due course.

Vixie says the reason there are five different CVEs (as of now) is that researchers keep finding new ways to cheat the newest patch. Bottom line, he says, is that GNU Bash "ever evaluates the contents of an environment variable." That's what he calls a "misfeature" in the software code.
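The "misfeature" Vixie describes is that Bash parses exported function definitions out of environment variable values; the original flaw was that it kept executing whatever followed the function body. The script below is an added example, not code from the article or from any of the people quoted in it: a local self-check that asks a bash binary to import one such variable and reports whether the trailing text was executed. It checks only the environment-variable vector of the original CVE-2014-6271; as Ullrich notes above, the later CVEs do not appear to be reachable that way, so a "patched" result here says nothing about them. The `BASH_BIN` variable is an assumption introduced for this example so that a build other than the one on `PATH` can be tested.

```shell
#!/bin/sh
# Added example: local self-check for the Bash "function import from
# environment" misfeature behind CVE-2014-6271. It is not the article's code.
#
# A child bash is started with an environment variable whose value looks like
# an exported function definition followed by trailing text. A patched bash
# imports only the function and ignores the rest; an unpatched bash executes
# the trailing text, so the marker word shows up in the child's output. The
# trailing text here only echoes a marker; it changes nothing on the system.

# Assumption: a bash binary on PATH. Override to test another build, e.g.
#   BASH_BIN=/opt/oldbash/bin/bash ./shellshock_check.sh
BASH_BIN="${BASH_BIN:-bash}"

# Prints exactly one of: "vulnerable", "patched", "no-bash".
check_env_function_import() {
    if ! command -v "$BASH_BIN" >/dev/null 2>&1; then
        echo no-bash
        return 0
    fi
    # The variable name "x" is arbitrary; pre-patch bash imports any variable
    # whose value starts with "() {" as a function definition.
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' "$BASH_BIN" -c 'echo harmless' 2>/dev/null) || out=""
    case "$out" in
        *SHELLSHOCK_MARKER*) echo vulnerable ;;
        *)                   echo patched ;;
    esac
}

# Prints the child bash's version string, for comparison with vendor advisories.
bash_version() {
    "$BASH_BIN" -c 'printf "%s\n" "$BASH_VERSION"' 2>/dev/null || echo unknown
}

main() {
    printf 'bash binary:               %s\n' "$BASH_BIN"
    printf 'bash version:              %s\n' "$(bash_version)"
    printf 'env function import check: %s\n' "$(check_env_function_import)"
    printf 'note: this covers only the CVE-2014-6271 environment vector.\n'
}

main "$@"
```

Run it once per bash build that matters to you (the system shell, and any bash bundled inside appliances or containers you can reach), and compare the printed version against your vendor's advisory for the newer CVEs, since those need the vendor's patch list rather than this check to confirm.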

Shellshock's emergence follows a common pattern of major vulnerability finds. Oliver Tavakoli, CTO at Vectra Networks, tells us:

There will always be two periods during which you are vulnerable to such exploits. The first is the period before the vulnerability is reported and may have been exploited by a few attackers. The second is the span of time between when the vulnerability is publicly reported and before patches are installed. During this second period, every attacker imaginable will attempt to exploit the vulnerability. Predicting when new vulnerabilities will appear and what ways creative attackers will come up with to exploit them is generally a losing battle.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
MarkSitkowski,
User Rank: Moderator
9/30/2014 | 7:08:03 PM
Bash? What Bugs?
I don't use bash, but out of idle interest I tried the tests that everyone is publishing, and discovered that the version of bash shipped with Sun Solaris doesn't have the GNU bug.

There's your answer, folks, install x86 or SPARC Solaris, and your problem goes away.

(Anyway, you've got no business making a shell, or other interpreted code, internet-facing - that's just the kiss of death for your website)