Vulnerabilities / Threats

9/29/2014
02:25 PM

New Bash Bugs Surface

Time to patch again: Newly discovered flaws in Bash put Linux-based systems at risk.

If you patched your Linux-based systems before 1:11 a.m. Eastern Daylight Time yesterday for the major Shellshock vulnerability in the Bash shell, your work is not done here yet. New bugs have been reported in Bash, so it's probably time to patch again, security experts warn.

Johannes Ullrich, director of the SANS Internet Storm Center, says the newly discovered Bash vulnerabilities have not been patched, as of this posting: CVE-2014-7186, CVE-2014-7187, and CVE-2014-6277. The original Bash Shellshock bugs revealed on September 24 -- CVE-2014-6271 and CVE-2014-7169 -- have been patched and updated in major distributions, according to Ullrich.

The latest bugs in Bash are not one and the same as Shellshock, however. "They are not exploitable via environment variables as far as I know, so the CGI vector that has been a big problem with Shellshock doesn't seem to apply," says Ullrich, who is currently performing more testing on the latest findings.

According to the Shellshocker.net website set up by Medical Informatics Engineering's health IT team in the wake of the Shellshock discovery, any patches applied prior to 1:11 AM EDT on Sunday, September 28, are vulnerable.

Shellshocker posted this message on its site:

Shellshock (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277) is a vulnerability in GNU's bash shell that gives attackers access to run remote commands on a vulnerable system. If your system has not updated bash since Sun Sep 28 2014: 1:11AM EST (See patch history), you're most definitely vulnerable and have been since first boot. This security vulnerability affects versions 1.14 (released in 1994) to the most recent version 4.3 according to NVD.

Meanwhile, security experts recommend checking your software vendor's patch information against the CVEs. Internet expert Paul Vixie also recommends referring to the Shellshocker.net website to determine if the latest bugs have indeed been patched in your software.

Vixie, who says Shellshock is indicative of a future full of what he calls "hair on fire" software flaws in the tradition of Y2K, Conficker, and Heartbleed, gives this advice on how to handle Bash bugs:

get an inventory of the contents of every smart device your agency or your company owns or operates or depends upon, and enact a phase-out plan that replaces every non-upgradeable or un-auditable device with something you can actually control. Let normal apple/redhat/$vendor upgrade/patch take care of their products on your network in due course.

Vixie says the reason there are five different CVEs (as of now) is that researchers keep finding new ways to cheat the newest patch. Bottom line, he says, is that GNU Bash "ever evaluates the contents of an environment variable." That's what he calls a "misfeature" in the software code.
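The CGI vector Ullrich refers to and the "misfeature" Vixie describes are the same mechanism: a CGI-capable web server copies request headers such as User-Agent and Referer into environment variables before starting the script, and unpatched Bash parses any variable whose value begins with `() {` as an exported function definition. The detection script below is an added example, not code from the article or from any of the people quoted; it scans constructed Apache combined-format log lines (sample data, not real traffic) for that function-definition prefix in the header fields that reach CGI scripts.

```python
import re

# Constructed sample Apache "combined" log lines (not from the article).
# The first and third lines carry the harmless self-test string that
# vendors published for checking patch status.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Sep/2014:13:02:11 -0400] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "() { :; }; echo shellshock-test"
198.51.100.4 - - [29/Sep/2014:13:02:15 -0400] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [29/Sep/2014:13:02:19 -0400] "GET /cgi-bin/status.sh HTTP/1.1" 500 0 "() {:;}; echo shellshock-test" "curl/7.37.0"
"""

# Apache combined log format: client, identity, user, time, request,
# status, bytes, referer, user-agent.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Unpatched Bash treats an environment variable whose value starts with
# "() {" as a function definition; whitespace is tolerated because the
# follow-on CVEs concerned parser variants, not a different prefix.
FUNC_DEF_RE = re.compile(r'^\s*\(\)\s*\{')

def find_shellshock_probes(log_text):
    """Return (client, request, header_field) for each log line whose
    Referer or User-Agent would reach a CGI script as an environment
    variable carrying a Bash function definition."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; count these separately in production
        for field in ("referer", "agent"):
            if FUNC_DEF_RE.match(m.group(field)):
                hits.append((m.group("client"), m.group("request"), field))
    return hits

if __name__ == "__main__":
    for client, request, field in find_shellshock_probes(SAMPLE_LOG):
        print(f"{client}: function-definition prefix in {field} header for {request}")
```

A hit on a request that returned 200 from a CGI path warrants checking that host's Bash patch level against the CVE list above.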

Shellshock's emergence follows a common pattern of major vulnerability finds. Oliver Tavakoli, CTO at Vectra Networks, tells us:

There will always be two periods during which you are vulnerable to such exploits. The first is the period before the vulnerability is reported and may have been exploited by a few attackers. The second is the span of time between when the vulnerability is publicly reported and before patches are installed. During this second period, every attacker imaginable will attempt to exploit the vulnerability. Predicting when new vulnerabilities will appear and what ways creative attackers will come up with to exploit them is generally a losing battle.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments

MarkSitkowski, User Rank: Moderator, 9/30/2014 | 7:08:03 PM
Bash? What Bugs?
I don't use bash but, out of idle interest, I tried the tests that everyone is publishing, and discovered that the version of bash shipped with Sun Solaris doesn't have the GNU bug.

There's your answer, folks, install x86 or SPARC Solaris, and your problem goes away.

(Anyway, you've got no business making a shell, or other interpreted code internet-facing - that's just the kiss of death for your website)