The Shellshock Bash (Bourne Again SHell) vulnerability that was first disclosed on Sept. 24, 2014, now has not one, but multiple publicly available patches.
Initially, Shellshock was identified as a single issue, CVE-2014-6271. While a patch for CVE-2014-6271 was quickly available, that patch was incomplete, and there were in fact other Shellshock vulnerabilities. One of the additional Shellshock vulnerabilities, identified as CVE-2014-7169, was not patched until late on Sept. 26.
“It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables,” Linux vendor Red Hat warned in an advisory. “An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands.”
Red Hat’s advisory added that the initial patch did not solve the issue of allowing unauthenticated access to certain applications and services, which could still be exploited by attackers.
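As an added example (this is not code from the article, Red Hat or the Bash project), the two widely circulated one-line checks for CVE-2014-6271 and CVE-2014-7169 are wrapped below in shell functions that report "vulnerable" or "patched". The first check relies on the original bug: Bash imported a function definition from any environment variable and ran whatever followed the closing brace. The second reproduces the incomplete-fix case from Red Hat's advisory: a crafted function body still leaked characters into the parser, so `echo date` was turned into a redirection that writes the current date into a file named `echo`. The functions assume a `bash` binary on `$PATH`; the function names and the use of a temporary directory are the example's own choices.

```shell
#!/bin/sh
# Added example, not from the original article: wrap the two published
# Shellshock checks so a script can report the state of the installed bash.
# Assumes "bash" is on $PATH; the function names are this example's own.

# CVE-2014-6271: bash parsed function definitions from environment variables
# and executed the trailing command ("echo vulnerable") on startup.
check_cve_2014_6271() {
    if ! command -v bash >/dev/null 2>&1; then
        echo unknown
        return 0
    fi
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo harmless' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# CVE-2014-7169: after the first fix, a crafted function body still injected
# characters into the parser; "echo date" became a redirection that creates
# a file called "echo" in the working directory. Run it in a scratch
# directory so the check cannot clobber anything real.
check_cve_2014_7169() {
    if ! command -v bash >/dev/null 2>&1; then
        echo unknown
        return 0
    fi
    dir=$(mktemp -d) || return 1
    ( cd "$dir" && env X='() { (a)=>\' bash -c 'echo date' ) >/dev/null 2>&1 || true
    if [ -f "$dir/echo" ]; then
        echo vulnerable
    else
        echo patched
    fi
    rm -rf "$dir"
}

# Usage: print the state for both issues; "unknown" means no bash was found.
printf 'CVE-2014-6271: %s\n' "$(check_cve_2014_6271)"
printf 'CVE-2014-7169: %s\n' "$(check_cve_2014_7169)"
```

Both checks only exercise the local `bash` binary; a system is still exposed if a vulnerable Bash sits behind a service that copies attacker-controlled input into environment variables, so the check belongs on every host that runs such a service, not only on the administrator's workstation.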
Bash provides a command-line shell for Unix and Linux systems and is also used in Apple’s Mac OS X. The Shellshock vulnerabilities are particularly risky because Bash executes commands smuggled into environment variables, and any network-facing service that passes attacker-controlled input to Bash through the environment (a web server’s CGI interface is the classic case) lets a remote attacker execute arbitrary commands on the vulnerable system.
The Shellshock vulnerabilities are not just theoretical flaws either; they are being actively exploited by attackers. Security firm FireEye has reported what it called a “significant amount of overtly malicious traffic leveraging BASH.” Among the different Shellshock-related attacks that FireEye is now seeing are password stealing exploits as well as automated click fraud.
Shellshock has been compared with the Heartbleed flaw that struck systems earlier this year. With Heartbleed, the open-source OpenSSL cryptographic library was found to be at risk. In the aftermath of Heartbleed, some pundits pointed to weakness in the open-source model. Others, including the Linux Foundation, rallied to provide new support to OpenSSL and other open-source efforts to improve security.
The Bash program itself is also associated with the Free Software Foundation (FSF), which clearly sees open source as being able to deal with security incidents in an efficient manner.
“Free software cannot guarantee your security, and in certain situations may appear less secure on specific vectors than some proprietary programs,” the FSF said in a statement. “As was widely agreed in the aftermath of the OpenSSL ‘Heartbleed’ bug, the solution is not to trade one security bug for the very deep insecurity inherently created by proprietary software—the solution is to put energy and resources into auditing and improving free programs.”
While the Shellshock vulnerability was not fully patched until Sept. 26, Linux system administrators could have mitigated the vulnerability with another open-source technology known as SELinux (Security-Enhanced Linux). Originally an effort started by the National Security Agency (NSA) and merged into the mainline Linux kernel with the 2.6 series in 2003, SELinux provides mandatory access controls on top of the standard Linux permissions, so a compromised process such as a web server is confined to the files and operations its policy allows.
According to Red Hat’s resident SELinux expert Dan Walsh, a properly configured system would limit the risk of Shellshock exploits.
“Now this is a horrible exploit but as you can see SELinux would probably have protected a lot/most of your valuable data on your machine,” Walsh blogged. “It would buy you time for you to patch your system.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.