New “Shellshock” patch rushed out to resolve gaps in first fix [Updated]
Update, 9/26 11:00 PM ET: The most recent patches issued for the “Shellshock” bug have apparently still left avenues of attack, based on the analysis of several open source developers. See the latest report for further information.
After the discovery that a patch designed to repair the “Shellshock” vulnerability in the GNU Bourne Again Shell (bash) still allowed for an attacker to execute commands on a remote system, Red Hat, Ubuntu, and other Linux distribution providers have pushed out a second fix to the vulnerability. At the same time, security researchers and service providers have detected a surge in scans for systems with the vulnerability, as would-be attackers seek to take advantage of the bug.
“Shellshock” has been compared to the Heartbleed bug discovered in the OpenSSL cryptography library in April because of its potential severity and its widespread nature. Like Heartbleed, the Shellshock vulnerabilities were introduced by errors in coding years ago—errors made by an unpaid volunteer writing code that would end up in millions of computer systems.
Chet Ramey, an IT architect at Case Western Reserve University and maintainer of the code for GNU bash, told The New York Times that he believes the problems in bash’s code were introduced into the code in 1992—long before bash found itself into much of the Internet’s server infrastructure. And because there are so many systems that use bash that may be running unattended or are seldom maintained, Shellshock could remain a concern for a very, very long time.
The initial fixes to bash were rushed out by Linux distribution communities on Wednesday, two weeks after Stephane Schazelas reported the vulnerability to Ramey. But by Wednesday afternoon, another researcher had determined the fix wasn’t complete. Tavis Ormandy, an information security engineer at Google, posted to Twitter, “The bash patch seems incomplete to me, function parsing is still brittle.” He included a sample bash command that showed the patched code could still be exploited. His message was passed on to the Open Source Software Security (oss-sec) mailing list and soon spawned the posting of another Common Vulnerabilities and Exposure (CVE) posting by NIST—rating the vulnerability as a “10”, the highest level of concern.
Ramey wrote a new patch Wednesday night, but it still required testing and packaging. As a result, the first complete patches weren’t ready to be pulled down for various Linux distributions until late Thursday. Red Hat posted a patch today at 12:47 UTC.