Bash Exploit Reported, First Round of Patches Incomplete

Reports of the first in-the-wild exploits targeting the Bash vulnerability have surfaced, as have complaints the first patches for the bug are incomplete.

The urgency to patch systems against the Bash zero-day vulnerability has been cranked to 10 after reports of an exploit in the wild have been made public by AusCERT, the Computer Emergency Response Team of Australia.

This seems to reflect a similar finding posted by a researcher who goes by the handle Yinette who found a malware sample that points to a bot being distributed by the exploit.

david_jacobyOther researchers, including David Jacoby of Kaspersky Lab, right and podcast below, and Robert Graham of Errata Security also cautioned that the Bash vulnerability is wormable and that one is inevitable. Graham, who built an Internet scanner called Masscan, published early results on a search for vulnerable systems that returned 3,000 vulnerable systems on port 80. He said embedded web servers and other services such as DHCP are in real danger.

“Even though my light scan found only 3000 results, this thing is clearly wormable, and can easily worm past firewalls and infect lots of systems,” Graham wrote, adding that he intentionally limited the scope of the scan which included a ping-home command from vulnerable servers to his server.

“One key question is whether Mac OS X and iPhone DHCP service is vulnerable — once the worm gets behind a firewall and runs a hostile DHCP server, that would ‘game over’ for large networks.”

The exploit reported by Yinette, meanwhile, has a zero detection rate on VirusTotal and has been given the identifier CVE-2014-6271. Patches were available yesterday from most of the Linux distributions, but already Red Hat has updated an advisory warning that the patch is incomplete and that specially crafted environment variables will execute arbitrary code. A new identifier, CVE-2014-7169, explains this issue in detail. Red Hat said that it will issue a new patch.

PODCAST: Digital Underground – David Jacoby on the Bash Exploit

Bash, short for the Bourne again shell, is an embedded command-line shell program present on most Linux, UNIX and Mac OS X systems. The problem presented by this vulnerability is that Bash is quietly accessed by various functions, which makes comprehensive patching a massive challenge. The flaw allows an attacker to remotely attach a malicious executable to a variable that is executed when Bash is invoked.

“It’s super simple and every version of Bash is vulnerable,” Josh Bressers, manager of Red Hat product security, told Threatpost yesterday. “It’s extremely serious, but you need very specific conditions in place where a remote user would be able to set that environment variable. Thankfully, it’s not common.”

Some of the more critical instances where the vulnerability may be exposed is on Apache servers for example, using mod_cgi or mod_cgid if either of those scripts is written in Bash. The vulnerability can also be used to bypass ForceCommand in sshd configs, Bressers said. ForceCommand is supposed to limit remote code execution, but exploiting this vulnerability sidesteps that protection. Some Git deployments over SSH would be affected here.

The bug was discovered by Stephane Chazelas, and it has already drawn comparisons to the Heartbleed OpenSSL bug. Like Heartbleed, the danger isn’t in vulnerable web servers that can be easily found and patched, but in any number of software packages on embedded systems and Internet-facing devices.

“Unlike Heartbleed, which only affected a specific version of OpenSSL, this bash bug has been around for a long, long time,” Graham wrote. “That means there are lots of old devices on the network vulnerable to this bug. The number of systems needing to be patched, but which won’t be, is much larger than Heartbleed.”

Suggested articles