ShellShock vulnerability: latest news – September 30, 2014

Posted: September 30, 2014 in IT Security News
Tags: ,

ShellShockShellShock vulnerability, which was assigned an identifier CVE-2014-6271, was fixed pretty quickly. However, after the elimination of gaps, has been found several vulnerabilities, which get the ID CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187. Currently, there are updates that correct all the above gaps.

#1. Released the third update to fix the ShellShock vulnerability

Hotfix fixes several flaws discovered after removing the vulnerability CVE-2014-6271.

Red Hat engineer Florian Weimer released the third update to the shell Bash, what fixes a critical vulnerability ShellShock. This patch fixes several flaws discovered after the release of the first two updates.

Project Manager Chet Ramey adopted a Weimer’s patch and released it as an official update №27 for Bash 4.3 (bash43-027). The previous fix tried to eliminate the vulnerability ShellShock, but every time experts find more and more flaws.

Security engineer of the Google Michal Zalewski described Weimer’s update in its blog. He strongly recommends to all Linux users to install the latest updates.

In order to check, whether your version of bash is vulnerable, you must run in a terminal the following command:

foo = '() {echo not patched; } 'Bash -c foo

If on your PC installed a vulnerable version of Bash,the command will cause the message “not patched” into the terminal.

At the same time, cyber criminals continue to exploit ShellShock for the implementation of DDoS-attacks, remote uploading malware and backdoors, and data theft. The greatest number of cyber attacks using this vulnerability has been found in China, Brazil and Russia.

#2. Apple has released an update that fixes a ShellShock vulnerability in the OS X

Users will be able to apply the fix for OS X Lion, Mountain Lion and Mavericks.

Apple on Monday, September 29 has released an update to the operating system OS X. It fixes a critical vulnerability ShellShock in shell Bash, which is used in the operating system from Apple.

Breach ShellShock, present in the Bash shell for the past 20 years, allows an attacker to gain complete control over the victim’s computer. Using special commands, cybercriminal can create their own environment Bash variable and use it for malicious purposes. For this purpose use CGI-requests.

Experts believe that at your peril Bash can surpass even Heartbleed – vulnerability in OpenSSL, through which attackers can gain unauthorized access to data.

Since OS X is based on Unix, and it uses the Bash shell, Apple’s operating system is also affected. According to Intego, exploiting ShellShock possible if the user has activated the remote authentication. Previously, Apple has stated that the majority of OS X users are protected from this vulnerability.

How to Tell if Mac is Vulnerable to Shellshock

Apple’s update available for OS X Lion, Mountain Lion and Mavericks.

#3. The expert presented a list of systems that are vulnerable to ShellShock

You should update not only Linux-system, but also other products.

Vulnerability in the Bash shell, disclosed last week, forced people to update their Linux-system. However, the principal investigator of the SANS Technology Institute Johannes Ullrich warned of the “hidden places”, in which may also be present this gap.

First of all, the expert mentioned products what are not affected by the vulnerability called ShellShock. These include iOS, Android and other operating systems that uses Ash instead of Bash, as well as other small platforms using busybox. Many systems are vulnerable, however, a gap isn’t present therein by default (for example, OS X). Nevertheless, users still need to install the update.

Ulrich said that there are many web-based application using small cgi-bin scripts, which can be easily missed. In the case of Apache should pay attention to ExecCGI (not only in the httpd.conf, but also the configuration files of virtual hosts). If possible, ExecCGI better to remove.

“Check whether /bin/sh symlink to /bin/bash or, worse, a copy of /bin/bash. Just for testing purposes, try using an exploit to the other shells on the system (I have seen that for the convenience of administrators give to Bash other names), “- said Ulrich.

The expert noted that while in the Android the flaw is not present by default, the platform can be vulnerable. ShellShock may be present even in Windows, if the user has installed tools such as Cygwin.

Ulrich also advised to check the cgi-applications, which can be written in another language, but causes Bash-script using exec (), popen (), or other similar commands. The expert noted that the addition of spaces or other modifications to a exploit string  () { rendering it unusable.

Ulrich presented a list of potentially vulnerable machines, that during the upgrade, likely to have been overlooked

  • E-mail gateway
  • Web-content control servers
  • Proxies
  • Web-based application Firewalls
  • IPS-sensors and servers
  • Wireless controllers
  • VoIP-servers
  • Firewalls
  • Enterprise class routers and switches
  • Virtual machines (eg, OVA and OVF)


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s