New Bash Bugs Surface

Published: 22/11/2024 | Category: security




Time to patch again: newly discovered flaws in Bash put Linux-based systems at risk.



If you patched your Linux-based systems before 1:11 a.m. Eastern Daylight Time yesterday for the major Shellshock vulnerability in the Bash shell, your work is not done here yet. New bugs have been reported in Bash, so it's probably time to patch again, security experts warn.
Johannes Ullrich, director of the SANS Internet Storm Center, says the newly discovered Bash vulnerabilities have not been patched as of this posting: CVE-2014-7186, CVE-2014-7187, and CVE-2014-6277. The original Bash Shellshock bugs revealed on September 24, CVE-2014-6271 and CVE-2014-7169, have been patched and updated in major distributions, according to Ullrich.
The latest bugs in Bash are not one and the same as Shellshock, however. "They are not exploitable via environment variables as far as I know, so the CGI vector that has been a big problem with Shellshock doesn't seem to apply," says Ullrich, who is currently performing more testing on the latest findings.
According to the Shellshocker.net website, set up by Medical Informatics Engineering's health IT team in the wake of the Shellshock discovery, any system whose patches were applied prior to 1:11 AM EDT on Sunday, September 28, is still vulnerable.
Shellshocker posted this message on its site:

"Shellshock (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277) is a vulnerability in GNU's bash shell that gives attackers access to run remote commands on a vulnerable system. If your system has not updated bash since Sun Sep 28 2014: 1:11AM EST (see patch history), you're most definitely vulnerable and have been since first boot. This security vulnerability affects versions 1.14 (released in 1994) to the most recent version 4.3 according to NVD."
Meanwhile, security experts recommend checking your software vendor's patch information against the CVEs. Internet expert Paul Vixie also recommends referring to the Shellshocker.net website to determine whether the latest bugs have indeed been patched in your software.
Vixie, who says Shellshock is indicative of a future full of what he calls "hair on fire" software flaws in the tradition of Y2K, Conficker, and Heartbleed, gives this advice on how to handle Bash bugs:

"Get an inventory of the contents of every smart device your agency or your company owns or operates or depends upon, and enact a phase-out plan that replaces every non-upgradeable or un-auditable device with something you can actually control. Let normal apple/redhat/$vendor upgrade/patch take care of their products on your network in due course."
Vixie says the reason there are five different CVEs (as of now) is that researchers keep finding new ways to cheat the newest patch. The bottom line, he says, is that GNU Bash evaluates the contents of an environment variable at all. That is what he calls a misfeature in the software code.
Shellshock's emergence follows a common pattern of major vulnerability finds. Oliver Tavakoli, CTO at Vectra Networks, tells us:
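As an added patch-verification check (not from the article, Shellshocker.net or the Bash project), this POSIX shell function hands the installed bash an environment variable shaped like an exported function with text trailing the body, which is the misfeature Vixie describes, and reports whether a patched bash ignored that trailing text. The function names and the marker string are my own; the only trailing "command" is an echo, so the check is harmless to run.

```shell
# Added example: local self-check for the Shellshock function-import vector
# (CVE-2014-6271). Not part of the article or of Bash itself.

shellshock_status() {
    bash_bin=$(command -v bash 2>/dev/null) || { echo "no-bash"; return 0; }
    marker="SHELLSHOCK_PROBE_$$"   # constructed marker, unique per run
    # A patched bash treats the value as an ordinary string; an unpatched one
    # parses the function body and keeps executing what follows it.
    out=$(env "x=() { :; }; echo $marker" "$bash_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *"$marker"*) echo "vulnerable" ;;
        *)           echo "patched" ;;
    esac
}

# Version string to record alongside the result in the patch log.
bash_version() {
    bash_bin=$(command -v bash 2>/dev/null) || { echo "no-bash"; return 0; }
    "$bash_bin" -c 'echo "$BASH_VERSION"'
}

printf 'bash %s: %s\n' "$(bash_version)" "$(shellshock_status)"
```

A "patched" result covers only the original environment-variable vector; the follow-on CVEs Ullrich lists are not reachable this way, so vendor advisories remain the authority for those.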
There will always be two periods during which you are vulnerable to such exploits. The first is the period before the vulnerability is reported and may have been exploited by a few attackers. The second is the span of time between when the vulnerability is publicly reported and before patches are installed. During this second period, every attacker imaginable will attempt to exploit the vulnerability. Predicting when new vulnerabilities will appear and what ways creative attackers will come up with to exploit them is generally a losing battle.
