After Fix, New Bash Flaws Found

Wednesday, October 1, 2014 @ 07:10 AM gHale

The original fix for the Bash command interpreter for Linux is not a total fix as another strong vulnerability ended up uncovered, researchers said.

Assigned the CVE-2014-6271 identifier, the 22-year-old Shellshock bug appeared fixed when the Linux community came up with an update for Bash. However, no sooner had the patch been delivered than Google security researcher Tavis Ormandy discovered an incomplete fix, and the new CVE-2014-7169 identifier ended up assigned.

‘Shellshock’ Details Unveiled
Patches Ready for Bash Hole
Nine Security Fixes for OpenSSL
Heartbleed Issues Still Exist
VMware Users Remain at Risk to Heartbleed

Another Bash modification ensued, but, as Florian Weimer, product security researcher for Red Hat, discovered, it generated additional problems, labeled CVE-2014-7186 and CVE-2014-7187. Weimer made changes to the code and published them in an unofficial patch, which has since turned into an upstream version.

On the security page for Red Hat, Huzaifa Sidhpurwala said “it’s possible that other issues will be found in the future and assigned a CVE designator even if they are blocked by the existing patches.”

This turned out to be true. Michal Zalewski, security researcher for Google discovered two new bugs, identified as CVE-2014-6277 and CVE-2014-6278, details about them not being publicly available at this time.

Zalewski said in a blog the first problem is remotely exploitable and it is possible to take advantage of in an easier way because ASLR ends up rarely used when compiling Bash. He adds “it’s an attempt to access uninitialized memory leading to reads from, and then subsequent writes to, a pointer that is fully within attacker’s control.”

On the other hand, about the second vulnerability Zalewski said it is the nastiest of them, having the same severity as the original Shellshock, as it allows running arbitrary code remotely in a very easy way.

This flaw (CVE-2014-6278) can end up leveraged against systems that have received the original Shellshock patch.

Zalewski recommends applying the patch offered by Florian Weimer, which modifies the encoding used by the shell to export functions in order to avoid clashing with variables and “depending only on an environment variable’s contents to determine whether or not to interpret it as a shell function.”

The two vulnerabilities are already under discussion with the Bash maintainers and the organizations delivering Linux OS.

Leave a Reply

You must be logged in to post a comment.