If you patched your Linux-based systems before 1:11 a.m. Eastern Daylight Time yesterday for the major Shellshock vulnerability in the Bash shell, your work is not done yet. New bugs have been reported in Bash, so it's probably time to patch again, security experts warn.
Johannes Ullrich, director of the SANS Internet Storm Center, says the newly discovered Bash vulnerabilities have not been patched as of this posting: CVE-2014-7186, CVE-2014-7187, and CVE-2014-6277. The original Bash Shellshock bugs revealed on September 24 -- CVE-2014-6271 and CVE-2014-7169 -- have been patched and updated in major distributions, according to Ullrich.
The latest bugs in Bash are not one and the same as Shellshock, however. "They are not exploitable via environment variables as far as I know, so the CGI vector that has been a big problem with Shellshock doesn't seem to apply," says Ullrich, who is currently performing more testing on the latest findings.
According to the Shellshocker.net website set up by Medical Informatics Engineering's health IT team in the wake of the Shellshock discovery, any patches applied prior to 1:11 AM EDT on Sunday, September 28, are vulnerable.
Shellshocker posted this message on its site:
Shellshock (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277) is a vulnerability in GNU's bash shell that gives attackers access to run remote commands on a vulnerable system. If your system has not updated bash since Sun Sep 28 2014 1:11AM EST (see patch history), you're most definitely vulnerable and have been since first boot. This security vulnerability affects versions 1.14 (released in 1994) to the most recent version 4.3, according to NVD.
Meanwhile, security experts recommend checking your software vendor's patch information against the CVEs. Internet expert Paul Vixie also recommends referring to the Shellshocker.net website to determine if the latest bugs have indeed been patched in your software.
Vixie, who says Shellshock is indicative of a future full of what he calls "hair on fire" software flaws in the tradition of Y2K, Conficker, and Heartbleed, gives this advice on how to handle Bash bugs:
…get an inventory of the contents of every smart device your agency or your company owns or operates or depends upon, and enact a phase-out plan that replaces every non-upgradeable or un-auditable device with something you can actually control. Let normal apple/redhat/$vendor upgrade/patch take care of their products on your network in due course.
Vixie says the reason there are five different CVEs (as of now) is that researchers keep finding new ways to cheat the newest patch. The bottom line, he says, is that GNU Bash "ever evaluates the contents of an environment variable." That's what he calls a "misfeature" in the software code.
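To act on the advice above (check your own systems against the CVEs rather than trust the patch date), here is an added local patch-state check; it is not from the article, Shellshocker.net, or any vendor. It runs the widely published test strings for the original bug (CVE-2014-6271) and the first bypass (CVE-2014-7169) against the installed bash and reports whether the "evaluates the contents of an environment variable" misfeature is still present. BASH_BIN (path of the bash to test) is an assumption.

```shell
#!/bin/sh
# Added example (not from the article): does the installed bash still
# run code that follows a function definition in an environment variable?
# BASH_BIN is an assumption: which bash binary to check (default: first in PATH).
BASH_BIN="${BASH_BIN:-bash}"

# CVE-2014-6271: a patched bash imports the function body "() { :;}" and
# ignores the trailing "echo vulnerable". Returns 0 patched, 1 vulnerable,
# 2 if the binary cannot be run at all.
check_cve_2014_6271() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || return 2
    out=$(env x='() { :;}; echo vulnerable' "$BASH_BIN" -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 1 ;;
        *)            return 0 ;;
    esac
}

# CVE-2014-7169 (first bypass): on an unpatched bash the test string turns
# "echo date" into a redirection and creates a file named "echo" in the
# working directory, so run it in a scratch directory and look for that file.
check_cve_2014_7169() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || return 2
    dir=$(mktemp -d) || return 2
    ( cd "$dir" && env X='() { (a)=>\' "$BASH_BIN" -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$dir/echo" ]; then rc=1; else rc=0; fi
    rm -rf "$dir"
    return $rc
}

# One line per check; returns 0 only if every check reports a patched bash.
shellshock_report() {
    status=0
    for c in check_cve_2014_6271 check_cve_2014_7169; do
        $c
        case $? in
            0) echo "$c: patched" ;;
            1) echo "$c: VULNERABLE"; status=1 ;;
            *) echo "$c: could not run $BASH_BIN"; status=1 ;;
        esac
    done
    return $status
}
```

The later CVEs (7186, 7187, 6277) are parser bugs rather than environment-variable imports, so this script does not cover them; compare your bash build against your vendor's advisory for those.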
Shellshock's emergence follows a common pattern of major vulnerability finds. Oliver Tavakoli, CTO at Vectra Networks, tells us:
There will always be two periods during which you are vulnerable to such exploits. The first is the period before the vulnerability is reported and may have been exploited by a few attackers. The second is the span of time between when the vulnerability is publicly reported and before patches are installed. During this second period, every attacker imaginable will attempt to exploit the vulnerability. Predicting when new vulnerabilities will appear and what ways creative attackers will come up with to exploit them is generally a losing battle.