Vulnerabilities have not been publicly disclosed, yet

Sep 29, 2014 14:08 GMT

After the public disclosure of the 22-year-old bug in the Bash command interpreter for Linux, researchers rushed out an initial patch that turned out not to fully protect against Shellshock, since another vulnerability, just as powerful as the original one, has been uncovered.

Assigned the CVE-2014-6271 identifier, Shellshock seemed to have been fixed when the Linux community came up with an update for Bash. However, no sooner had the patch been delivered than Google security researcher Tavis Ormandy discovered that the fix was incomplete, and the CVE-2014-7169 identifier was assigned.

Another Bash modification ensued, but, as Florian Weimer, product security researcher for Red Hat, discovered, it generated additional problems, labeled CVE-2014-7186 and CVE-2014-7187. Weimer made new changes to the code and published them in an unofficial patch, which has since turned into an upstream version.

On the security page for Red Hat, Huzaifa Sidhpurwala said that “it’s possible that other issues will be found in the future and assigned a CVE designator even if they are blocked by the existing patches.”

Shellshock-related Bash vulnerabilities five and six uncovered

This turned out to be true. Michal Zalewski, a security researcher at Google, discovered two new bugs, identified as CVE-2014-6277 and CVE-2014-6278; details about them are not publicly available at this time.

Zalewski says that the first problem could be exploited remotely, and that exploitation is made easier because ASLR is very rarely used when compiling Bash. He adds that “it's an attempt to access uninitialized memory leading to reads from, and then subsequent writes to, a pointer that is fully within attacker's control.”

Patching is still strongly recommended

As for the second vulnerability, he says it is the nastiest of them, with the same severity as the original Shellshock, since it allows arbitrary code to be run remotely with very little effort.

This flaw (CVE-2014-6278) can be leveraged against systems that have received the original Shellshock patch.

Zalewski strongly recommends applying the patch offered by Florian Weimer, which modifies the encoding used by the shell to export functions in order to avoid clashing with variables and “depending only on an environment variable's contents to determine whether or not to interpret it as a shell function.”

"Florian's fix effectively isolates the function parsing code from attacker-controlled strings in almost all the important use cases we can currently think of," writes the researcher.
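Weimer's change moves the decision of whether an environment entry is a function from the entry's value to its name. The POSIX sh script below is an added example, not code from the article or from bash itself, that models both decisions on constructed environment entries; it assumes the BASH_FUNC_<name>() naming used by the upstream bash 4.3 patch (bash 4.4 later switched to BASH_FUNC_<name>%%).

```shell
#!/bin/sh
# Added example (not from the article or from bash): model how an unpatched
# bash and a Weimer-patched bash decide which environment entries to hand to
# the function parser at startup.
#
# Old encoding:  any variable whose VALUE starts with "() {" is parsed as a
#                function, whatever its name (value-based decision).
# New encoding:  only a NAME of the form BASH_FUNC_<name>() (assumed from the
#                bash 4.3 patch; bash 4.4 uses BASH_FUNC_<name>%%) is parsed;
#                the value alone no longer decides (name-based decision).

# classify_env_entry 'NAME=VALUE' -> prints one of:
#   prefixed-function  name carries the BASH_FUNC_ marker (new encoding)
#   legacy-function    value starts with "() {" but the name is ordinary
#   plain              ordinary variable
classify_env_entry() {
    entry=$1
    name=${entry%%=*}
    value=${entry#*=}
    case $name in
        BASH_FUNC_*"()"|BASH_FUNC_*%%) echo prefixed-function; return 0 ;;
    esac
    case $value in
        "() {"*) echo legacy-function; return 0 ;;
    esac
    echo plain
}

# Returns 0 if an unpatched bash would feed this entry to the function parser.
would_old_bash_parse() {
    case ${1#*=} in "() {"*) return 0 ;; esac
    return 1
}

# Returns 0 if a patched bash would feed this entry to the function parser.
would_patched_bash_parse() {
    case ${1%%=*} in BASH_FUNC_*"()"|BASH_FUNC_*%%) return 0 ;; esac
    return 1
}

# Constructed sample entries: a genuinely exported function under the new
# encoding, an ordinary variable whose value merely looks like a function,
# and a plain variable.
for e in 'BASH_FUNC_f()=() {  :' 'x=() { :;}; echo harmless' 'PATH=/usr/bin'; do
    printf '%-32s %-18s old=%s new=%s\n' "$e" "$(classify_env_entry "$e")" \
        "$(would_old_bash_parse "$e" && echo yes || echo no)" \
        "$(would_patched_bash_parse "$e" && echo yes || echo no)"
done
```

The second entry is the case the patch removes: an unpatched shell parses it because of its value, while a patched shell ignores it because its name carries no BASH_FUNC_ marker.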

The two vulnerabilities have already been discussed with the Bash maintainers and with the Linux distribution vendors.

At the moment, there are no details available and a new fix (if necessary) has not been issued. If a new patch is provided, hopefully it will plug the vulnerability chain generated by Shellshock for good.