Over the past few days, Apple, Red Hat, and others have pushed out patches for vulnerabilities in the GNU Bourne Again Shell (bash). On unpatched systems, the vulnerabilities allow attackers to execute commands remotely wherever untrusted input reaches bash through an environment variable, including Web servers that run CGI scripts under Apache with bash (or a script that invokes bash) as the handler. However, some of the patches changed behavior in ways that diverge from the GNU bash code, so debate continues about how to "un-fork" the patches and better secure bash.

At the same time, the urgency of applying those patches has mounted as more attacks that exploit the weaknesses in bash’s security (dubbed “Shellshock”) have appeared. In addition to the threat first spotted the day after the vulnerability was made public, a number of new attacks have emerged. While some appear to simply be vulnerability scans, there are also new exploit attempts that carry malware or attempt to give the attacker direct remote control of the targeted system.

Stormy weather

On Monday, the SANS Technology Institute’s Internet Storm Center (ISC) elevated its INFOcon threat level—a measure of the danger level of current Internet “worms” and other threats based on Internet traffic—to Yellow. This level indicates an attack that poses a minor threat to the Internet’s infrastructure as a whole with potential significant impact on some systems. Johannes Ullrich, Dean of Research at SANS, noted that six exploits based on Shellshock have been recorded by the ISC’s servers and “honeypot” systems. (A honeypot is a virtual or physical computer system set up to entice attackers and record their actions.)

Three of the types of attacks recorded by the ISC were simply scans for the vulnerability. One placed the exploit string in several Hypertext Transfer Protocol (HTTP) headers at once (a Web server hands headers such as User-Agent and Referer to CGI scripts as environment variables, which is what makes them a path into bash) and checked whether the target then sent ICMP echo ("ping") requests back to the scanner; another made the target return the output of uname (the system's hostname, operating system and version, and hardware type). These may have been launched by "white hat" security firms conducting surveys of vulnerable systems.

The other three detected attacks, however, attempted to install or provide various means of remote control. Two attempted to install “bots” for remote control based on the Perl scripting language, while the third tried to open a Perl-based “reverse shell”—a remote-control connection that calls back to a specific Internet address (which, in the version Ullrich published, called back to a system with a Swedish IP address belonging to a virtual private network company).

Fixing the fixes

Since the original Shellshock vulnerability (CVE-2014-6271) was published on September 24 in the National Institute of Standards and Technology's National Vulnerability Database, five additional vulnerabilities have been reported in bash, four of which have been rated as highly severe. The latest (CVE-2014-6278, published this morning) is based on another underlying flaw in bash's parser, but it has not been fully disclosed, as it is still under analysis (so no severity rating has been assigned yet).

There are currently several ways to block the Shellshock attack and similar exploits. Application firewall filters and network filters, for example, can be set to block requests that contain the attack's signature, the string "() {" that an unpatched bash recognizes at the start of an environment variable's value as the beginning of a function definition. Such filters catch the known attack string but do not fix the parser, so they are a stopgap rather than a substitute for patching. Some operating system distributions have also implemented fixes that attempt to blunt the attack vector.
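To make the scan-versus-payload distinction described above concrete, here is a small added example (not code from the original article, from SANS, or from any vendor) that runs the "() {" signature over Apache combined-format log lines and sorts the hits. The log lines, IP addresses, paths and payloads are constructed for illustration, and the keywords used to call a hit a "scan" (ping, uname) are an assumption based on the traffic described in this article, not a published detection rule.

```sh
#!/bin/sh
# Constructed sample of Apache "combined" log lines (not real traffic). The
# Referer and User-Agent fields are the ones a CGI setup passes into bash's
# environment as HTTP_REFERER and HTTP_USER_AGENT, so that is where the
# "() {" marker lands.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.7 - - [29/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/ping -c 1 198.51.100.9"
203.0.113.8 - - [29/Sep/2014:10:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/uname -a"
203.0.113.9 - - [29/Sep/2014:10:02:11 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :;}; /usr/bin/perl -MSocket -e 'socket(S,PF_INET,SOCK_STREAM,0)'" "Mozilla/5.0"
198.51.100.4 - - [29/Sep/2014:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
EOF
)

# classify_shellshock_line LINE
# Prints "clean" if the line carries no "() {" marker, "scan" if the marker is
# followed by one of the reconnaissance commands seen in the wild (assumed
# keyword list), and "payload" for anything else, e.g. a Perl bot or a
# reverse shell. The match is on the exact four characters "() {": that is
# the prefix the unpatched parser required, so whitespace variants such as
# "(){" did not trigger the bug and are deliberately not matched.
classify_shellshock_line() {
    line=$1
    case $line in
        *"() {"*)
            case $line in
                *ping*|*uname*) echo scan ;;
                *)              echo payload ;;
            esac ;;
        *) echo clean ;;
    esac
}

# summarize_shellshock_log < LOG
# Reads log lines on stdin and prints a one-line count of each class.
summarize_shellshock_log() {
    scan=0; payload=0; clean=0
    while IFS= read -r line; do
        case $(classify_shellshock_line "$line") in
            scan)    scan=$((scan + 1)) ;;
            payload) payload=$((payload + 1)) ;;
            clean)   clean=$((clean + 1)) ;;
        esac
    done
    echo "scan=$scan payload=$payload clean=$clean"
}

# Stand-alone run: the sample above yields "scan=2 payload=1 clean=1".
printf '%s\n' "$SAMPLE_LOG" | summarize_shellshock_log
```

Feeding a real access log through `summarize_shellshock_log` (for example `summarize_shellshock_log < /var/log/apache2/access.log`) is enough to see whether a host was probed; note that a hit only proves the string was sent, not that the target was vulnerable, and that only headers the log format records can be inspected this way.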

Red Hat Product Security researcher Florian Weimer developed an "upstream" patch that prevents network attacks against the bash shell by changing how exported functions are named: bash now only parses a variable as a function definition when its name carries a reserved prefix (BASH_FUNC_) and suffix, so an ordinary variable such as one built from an HTTP header is never treated as code. The approach was endorsed by a number of security experts and researchers. That fix has also been rolled into Debian's latest patch, but it may break some software that relies on functions being passed through the environment under their plain names. Another patch developed by NetBSD's Christos Zoulas, which has also been incorporated into FreeBSD, turns off bash's ability to import functions from environment variables by default, unless bash is started with an explicit option that re-enables it.

As Ars reported yesterday, Apple has released a fix for bash that addresses the Shellshock vulnerability. Apple's patch takes a different route to accomplish essentially the same thing as Weimer's patch: in addition to adjusting the parser in its new build of bash to detect the end of a function definition more reliably (making it harder to sneak in additional commands after it), the Apple fix also requires a prefix and suffix on the names of exported functions. Those prefixes and suffixes ensure that ordinary environment variables, such as the HTTP_* variables a Web server derives from request headers, are never parsed as function definitions, so a malicious command carried in a Web request or other network input is not executed.
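An added check, not code from Apple, Red Hat or the bash project, that shows both what the attack relies on and what the prefix/suffix fix changes. It assumes a `bash` binary on PATH, that the variable name `x` and the function name `probe` are otherwise unused, and that the host's bash is at least the vendor-patched version; where no bash is found the functions report `no-bash` instead of guessing.

```sh
#!/bin/sh
# shellshock_status
# Prints "vulnerable" if the bash on PATH still parses a plain environment
# variable whose value starts with "() {" as a function definition and then
# runs the command appended after the closing brace (the CVE-2014-6271
# behaviour), "patched" if it does not, or "no-bash" if bash is absent.
shellshock_status() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    # The variable name "x" is arbitrary: that is the whole problem. An
    # unpatched bash imports x as a function at startup and, as a side
    # effect of parsing, executes "echo vulnerable" before running -c.
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
    case $out in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# exported_function_var_name
# Prints the environment-variable name a patched bash uses when a function
# is exported with "export -f". With the Weimer-style fix the name is
# BASH_FUNC_probe plus a suffix (the GNU release uses "%%"; some earlier
# vendor builds used "()"), so the only values ever parsed as functions are
# ones bash itself wrote under that reserved name shape. An unpatched bash
# exports the function simply as "probe", so nothing is printed.
exported_function_var_name() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    bash -c 'probe() { :; }; export -f probe; env | grep "^BASH_FUNC_probe" | cut -d= -f1'
}

# Stand-alone run.
echo "bash status: $(shellshock_status)"
echo "exported function variable: $(exported_function_var_name)"
```

The first function is the classic one-line test that circulated when the bug was disclosed; on a fixed system it prints only `test`, sometimes with a warning on stderr about ignoring the attempted function definition. The second makes the fix visible: the reserved prefix is exactly why a header-derived variable such as `HTTP_USER_AGENT` can no longer reach the function parser. A distribution that took the NetBSD/FreeBSD route instead disables the import entirely, and the first check reports `patched` there too.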

Meanwhile, debate continues on what additional changes to bash are required to fully secure it and how to reconcile the divergent patches that different operating system distributions have shipped. Chet Ramey, the maintainer of GNU bash, has continued to develop fixes to roll out through GNU's source code distribution. Since Ramey is a volunteer, some have suggested setting up some sort of tip jar to send him donations for his efforts to patch the code.
