There have been a few developments since the vulnerability alert we sent on September 25, 2014, and we wanted to keep you updated.
New variants of the vulnerability have been discovered that affect patches you may already have applied. Some of the early patches released for Bash and the affected operating systems were incomplete. If you started applying patches before Saturday, September 27th, you will need to apply the new patches. Please read below for more details.
What has changed since the last alert notification?
There have been several reports of CVE-2014-6271 being exploited through worms, and proof-of-concept code became available for exploiting DHCP. Four new CVEs have been created related to the Bash vulnerabilities.
The first two new vulnerabilities are memory corruption flaws in the Bash parser being tracked as CVE-2014-7186 and CVE-2014-7187. We don’t expect to see exploit code immediately and it wouldn’t be applicable without specific targeting.
The next two are more severe and permit remote code execution:
- CVE-2014-6277 – Permits remote code execution and requires a high level of expertise. It has a CVSS score of 10.0.
- CVE-2014-6278 – More severe, as it allows remote code execution and does not require a high level of expertise. It has a CVSS score of 10.0.
These two vulnerabilities have been resolved in upstream patches for Ubuntu/RHEL/Debian.
We strongly recommend applying the patches that were released on September 27th in order to remediate these new vulnerabilities.
The Shellshock bug affects most versions of the Linux and Unix operating systems, in addition to Mac OS X (which is Unix-based). Known as the “Bash Bug” or “ShellShock,” the GNU Bash Remote Code Execution Vulnerability (CVE-2014-6271) could allow an attacker to gain control over a targeted computer if exploited successfully.
The most used attack vector is CGI, but DHCP and SIP have been proven vulnerable as well, and OpenVPN has also been reported as vulnerable.
The fact that both core services and web applications are vulnerable makes this bug extremely dangerous for internet-facing systems as well as internal (LAN) ones.
The impact on systems and applications, SCADA systems and Internet of Things is not known as of yet, and patches are being released as we speak.
The main issue is that, since the far-reaching impact is not yet known, a patch that is sufficient today might not be sufficient tomorrow.
Patching “bash” is the only way to mitigate the risk, and luckily it does not require a restart.
There are scripts and tools available for scanning and detecting vulnerable systems.
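As an added example (not part of the original alert or any vendor's tooling), the following POSIX sh script runs the well-known local probes for CVE-2014-6271, CVE-2014-7186 and CVE-2014-7187 against this host's own bash and reports patched or vulnerable for each; it assumes `bash` is on PATH or named via `BASH_BIN`. The newer CVE-2014-6277 and CVE-2014-6278 are not probed here; the remedy for all of them is the same September 27th vendor update.

```shell
#!/bin/sh
# Local self-check for three of the Bash issues named in the alert:
# CVE-2014-6271 (function import executes trailing commands) and the two
# parser memory-corruption bugs CVE-2014-7186 and CVE-2014-7187.
# It only drives the bash binary on this host; nothing leaves the machine.
# Each check prints exactly one word: patched, vulnerable or no-bash.

BASH_BIN="${BASH_BIN:-$(command -v bash 2>/dev/null)}"   # assumption: bash on PATH

# CVE-2014-6271: commands appended to a function definition held in an
# environment variable must not run when the child shell starts. A fixed
# bash prints only the probe command's own output.
check_6271() {
  [ -n "$BASH_BIN" ] || { echo no-bash; return; }
  out=$(env x='() { :;}; echo VULN' "$BASH_BIN" -c 'echo probe' 2>/dev/null)
  case "$out" in
    *VULN*) echo vulnerable ;;
    *)      echo patched ;;
  esac
}

# CVE-2014-7186: fourteen here-document redirections on one command overflowed
# a fixed-size stack in the parser; a vulnerable bash crashes (non-zero exit).
check_7186() {
  [ -n "$BASH_BIN" ] || { echo no-bash; return; }
  if "$BASH_BIN" -c 'true <<A <<A <<A <<A <<A <<A <<A <<A <<A <<A <<A <<A <<A <<A' \
       >/dev/null 2>&1; then echo patched; else echo vulnerable; fi
}

# CVE-2014-7187: 200 nested "for" loops overran a line-number array in the
# parser; again a crash means vulnerable. Loops stay POSIX (no {1..200}).
check_7187() {
  [ -n "$BASH_BIN" ] || { echo no-bash; return; }
  if { i=0; while [ "$i" -lt 200 ]; do echo "for x$i in ; do :"; i=$((i+1)); done
       i=0; while [ "$i" -lt 200 ]; do echo done; i=$((i+1)); done; } \
       | "$BASH_BIN" >/dev/null 2>&1; then echo patched; else echo vulnerable; fi
}

# Human-readable report; exit status 1 if any probe still reports vulnerable.
report() {
  rc=0
  for cve in 6271 7186 7187; do
    r=$(check_$cve)
    echo "CVE-2014-$cve: $r"
    [ "$r" = vulnerable ] && rc=1
  done
  return $rc
}

report
```

A non-zero exit from `report` is convenient for feeding into a fleet-wide inventory script or a post-patch verification step.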
Good patch management, testing and awareness of this security threat are the way to go until the dust settles and vendors release definitive patches.