SHELLSHOCK UPDATE: Additional Bash Vulnerabilities Identified

There has been a lot of confusion about CVEs and ShellShock. Questions have come up like: why are there so many different CVEs? Which one should I implement? So we decided to put together a little information. First of all, to understand the bugs you need to understand what a CVE is. CVE (Common Vulnerabilities and Exposures) is a dictionary of publicly known information for identifying security vulnerabilities. CVE identifiers give technology vendors a common baseline index point for evaluating their tools and services.

The following CVEs have been in the media and affect GNU Bash through version 4.3. The original bug allowed functions to be created and executed through unfiltered user input. This bug allows remote attackers to execute arbitrary code in a large assortment of software and/or allows local attackers to move laterally or escalate privileges. This is the original "ShellShock" bash bug vulnerability that was found.

Read the original Shellshock blog article

CVE-2014-6271 – This was identified as the original "ShellShock" vulnerability and was the first notification of the bug. The patches applied for this CVE were inadequate to defend against the vulnerability.

CVE-2014-7169 – This was assigned to address the inadequate patch supplied for CVE-2014-6271. A slight modification of the original exploit syntax bypassed the first patch (CVE-2014-6271).

CVE-2014-7186 and CVE-2014-7187 – These bugs were memory corruption vulnerabilities found in the bash parser. They triggered an out-of-bounds read and simply resulted in a bash crash. They currently have no known attack vectors. A patch was supplied by Florian Weimer to mitigate these vulnerabilities.

CVE-2014-6277 – The revised code did not fix the underlying issue of these bugs. Because of this, it did not stop bash from parsing code found in potentially attacker-controlled functions in environments passed down to a child process. This vulnerability allowed an attacker to control an uninitialized memory pointer and exploit a system under certain bash configuration options, which most Linux distributions disable; where those options are enabled, the system is exploitable by a malicious attacker.

CVE-2014-6278 – This exploit allows easy remote and local command execution, like CVE-2014-6271. The attack uses nested statements which cause the parser to fail and continue executing attacker-supplied syntax. Florian Weimer supplied patches that prevent exploitation of these vulnerabilities by restricting the function names the parser will import from the environment. These are currently being deployed to upstream repositories for patching by most, if not all, Linux distributions.

There have been several scanners and scripts produced that can assist in evaluating your environment. It is always recommended to scan your environment after any change, but particularly after a bug like this is publicly released. We will continue to monitor the situation and provide additional details as they arise.
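As an added example (not a script from the original article or from any vendor), the following POSIX shell self-check runs the same two local diagnostics most of those scanners perform: whether the installed bash still executes trailing code after a function definition imported from the environment (the CVE-2014-6271 behaviour described above), and whether Florian Weimer's hardening is in place, which shows up as exported functions carrying a dedicated BASH_FUNC_ prefix instead of their bare names. It assumes a bash binary on PATH (the BASH_BIN override is our own convention) and a POSIX env(1); it writes no files and tests only the host it runs on.

```shell
#!/bin/sh
# Added local self-check; not part of the original article.
# Assumptions: a bash binary on PATH (override with BASH_BIN=/path/to/bash),
# and a POSIX env(1). No files are written and nothing leaves the host.

BASH_BIN="${BASH_BIN:-bash}"

# CVE-2014-6271: does bash run trailing code after a function body that it
# imported from an environment variable? The assignment is passed as an
# argument to env(1), so the calling shell never evaluates it itself.
check_cve_2014_6271() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    out=$(env 'x=() { :;}; echo vulnerable' "$BASH_BIN" -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# Hardening check: after the upstream fix, bash only imports functions from
# variables carrying a dedicated BASH_FUNC_ prefix, so an exported function
# should appear in the child environment under that prefix rather than under
# its bare name. "probe_fn" is a throwaway name used only for this test.
check_function_namespacing() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    names=$("$BASH_BIN" -c 'probe_fn() { :; }; export -f probe_fn; env' 2>/dev/null)
    case "$names" in
        *BASH_FUNC_probe_fn*) echo "namespaced" ;;
        *probe_fn=*)          echo "legacy" ;;
        *)                    echo "unknown" ;;
    esac
}

# One-line summary suitable for collecting from a fleet into an inventory.
shellshock_report() {
    printf '%s cve-2014-6271=%s function-export=%s\n' \
        "$(hostname 2>/dev/null || echo localhost)" \
        "$(check_cve_2014_6271)" "$(check_function_namespacing)"
}

shellshock_report
```

A host that reports `cve-2014-6271=patched function-export=legacy` has the first emergency patch but not the namespaced-import fix, and should be treated as still exposed to the later CVEs in the list above; run it again after every bash update, since the point of this story is that the first patch alone was not enough.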