Vulnerabilities / Threats

9/29/2014
02:25 PM
New Bash Bugs Surface

Time to patch again: Newly discovered flaws in Bash put Linux-based systems at risk.

If you patched your Linux-based systems before 1:11 a.m. Eastern Daylight Time yesterday for the major Shellshock vulnerability in the Bash shell, your work is not done yet. New bugs have been reported in Bash, so it's probably time to patch again, security experts warn.

Johannes Ullrich, director of the SANS Internet Storm Center, says the newly discovered Bash vulnerabilities have not been patched, as of this posting: CVE-2014-7186, CVE-2014-7187, and CVE-2014-6277. The original Bash Shellshock bugs revealed on September 24 -- CVE-2014-6271 and CVE-2014-7169 -- have been patched and updated in major distributions, according to Ullrich.

The latest bugs in Bash are not one and the same as Shellshock, however. "They are not exploitable via environment variables as far as I know, so the CGI vector that has been a big problem with Shellshock doesn't seem to apply," says Ullrich, who is currently performing more testing on the latest findings.

According to the Shellshocker.net website set up by Medical Informatics Engineering's health IT team in the wake of the Shellshock discovery, any patches applied prior to 1:11 AM EDT on Sunday, September 28, are vulnerable.

Shellshocker posted this message on its site:

Shellshock (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277) is a vulnerability in GNU's bash shell that gives attackers access to run remote commands on a vulnerable system. If your system has not updated bash since Sun Sep 28 2014: 1:11AM EST (See patch history), you're most definitely vulnerable and have been since first boot. This security vulnerability affects versions 1.14 (released in 1994) to the most recent version 4.3 according to NVD.

Meanwhile, security experts recommend checking your software vendor's patch information against the CVEs. Internet expert Paul Vixie also recommends referring to the Shellshocker.net website to determine if the latest bugs have indeed been patched in your software.

Vixie, who says Shellshock is indicative of a future full of what he calls "hair on fire" software flaws in the tradition of Y2K, Conficker, and Heartbleed, gives this advice on how to handle Bash bugs:

get an inventory of the contents of every smart device your agency or your company owns or operates or depends upon, and enact a phase-out plan that replaces every non-upgradeable or un-auditable device with something you can actually control. Let normal apple/redhat/$vendor upgrade/patch take care of their products on your network in due course.

Vixie says the reason there are five different CVEs (as of now) is that researchers keep finding new ways to cheat the newest patch. The bottom line, he says, is that GNU Bash "ever evaluates the contents of an environment variable." That's what he calls a "misfeature" in the software code.
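Because the CGI vector works by a web server copying request headers into environment variables that Bash then evaluates, the function-definition marker `() {` in a header is the signature defenders look for in web logs. The following detector, an added example that is not from the article or from any of the people quoted, scans constructed Apache/nginx combined-format log lines for that marker in the request line, referer, or user-agent and reports the source of each attempt; the log lines and IP addresses are invented.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format:
# ip - user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Shellshock trigger: a Bash function definition "() {" at the start of a value.
# The CGI vector exists because the server exports headers as environment
# variables (HTTP_USER_AGENT, HTTP_REFERER, ...) that a vulnerable Bash evaluates.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

def parse_combined(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def find_shellshock_attempts(lines):
    """Return one (ip, field, request) tuple per log line carrying the '() {' marker."""
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue  # unparseable lines are skipped, not treated as attacks
        for field in ("request", "referer", "agent"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append((rec["ip"], field, rec["request"]))
                break  # report the first matching field once per line
    return hits

def summarize_by_source(hits):
    """Count attempts per source IP, for blocking or alert prioritisation."""
    return Counter(ip for ip, _, _ in hits)

# Constructed sample log lines (not from the article); the marker shows up in
# different header fields, and one line is deliberately malformed.
SAMPLE_LOG = [
    '198.51.100.7 - - [29/Sep/2014:14:25:01 -0400] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"',
    '203.0.113.9 - - [29/Sep/2014:14:25:03 -0400] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [29/Sep/2014:14:25:05 -0400] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :;}; echo probe" "curl/7.37.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, field, req in find_shellshock_attempts(SAMPLE_LOG):
        print(f"{ip}: '() {{' marker in {field} for {req}")
```

A match only shows that an attempt reached the server; whether it succeeded depends on whether a CGI handler invoked an unpatched Bash, so pair this with the patch-date check described above.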

Shellshock's emergence follows a common pattern of major vulnerability finds. Oliver Tavakoli, CTO at Vectra Networks, tells us:

There will always be two periods during which you are vulnerable to such exploits. The first is the period before the vulnerability is reported and may have been exploited by a few attackers. The second is the span of time between when the vulnerability is publicly reported and before patches are installed. During this second period, every attacker imaginable will attempt to exploit the vulnerability. Predicting when new vulnerabilities will appear and what ways creative attackers will come up with to exploit them is generally a losing battle.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
Comments
MarkSitkowski, User Rank: Moderator, 9/30/2014 | 7:08:03 PM
Bash? What Bugs?
I don't use bash but, out of idle interest, I tried the tests that everyone is publishing, and discovered that the version of bash shipped with Sun Solaris doesn't have the GNU bug.

There's your answer, folks, install x86 or SPARC Solaris, and your problem goes away.

(Anyway, you've got no business making a shell, or other interpreted code internet-facing - that's just the kiss of death for your website)