Second Bash fix leaves gaps


The second patch for the Bash security vulnerability, which allows attackers to execute code on a system, turns out to be insufficient, just like the first patch: in some cases it is still possible to run code on a system.

The new vulnerability, discovered by Japanese security researcher Norihiro Tanaka, is harder to exploit than the original one, which was disclosed on Wednesday. With that original flaw, an attacker could place their own code in an environment variable, and that code would be executed as soon as a program invoked a Bash shell.

In the night from Thursday to Friday a second patch for the security problem was released, but that patch too appears to be circumventable in certain cases. An attacker can define an environment variable named after a normal Linux command, such as ‘cat’ for reading files, and hide code in it. The code hidden in that environment variable is then executed “more often than not,” Tanaka writes.

According to security researcher David Wheeler, Thursday night’s patch is sound, but the underlying problem lies deeper. In his view, Bash should stop processing environment variables automatically; unless that happens, the problem cannot be solved completely, he thinks. “I’m not confident that the current patches will hold anyone back,” said Wheeler, who notes that he has taken down websites and is afraid to shop online for fear of the problem.
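The two defender-side steps that follow from the mechanism described above (code smuggled in through an environment variable, executed when Bash starts) are checking whether the installed Bash still imports such code, and keeping untrusted environment variables away from Bash altogether, which is the practical form of Wheeler’s suggestion that Bash should not process the environment automatically. The script below is an added example, not code from the article or from the Bash project; the function names, the variable names `CHECK_VAR`, `CANARY_EXECUTED` and `UNTRUSTED_HEADER`, and the allowlist are all constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the article or from the Bash project.
# Two defender-side helpers for the issue the article describes: Bash
# importing function definitions from environment variables and, on
# unpatched builds, executing code that follows the definition.
# All variable names (CHECK_VAR, CANARY_EXECUTED, UNTRUSTED_HEADER,
# the allowlist) are constructed for this example.

# 1. Detection: does the bash binary on this host execute code that trails
#    a function definition handed to it through the environment?
#    Exit status: 0 = vulnerable, 1 = patched, 2 = no bash found.
bash_env_import_check() {
    bashbin="${1:-bash}"
    if ! command -v "$bashbin" >/dev/null 2>&1; then
        echo "no bash binary found as '$bashbin'" >&2
        return 2
    fi
    # The variable holds an empty function followed by a harmless echo.
    # A patched bash imports nothing beyond the function body, so the
    # canary string never appears on stdout.
    out=$(env CHECK_VAR='() { :;}; echo CANARY_EXECUTED' \
              "$bashbin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *CANARY_EXECUTED*)
            echo "vulnerable: code trailing the function definition ran"
            return 0 ;;
        *)
            echo "patched: trailing code was not executed"
            return 1 ;;
    esac
}

# 2. Mitigation for a server process that must spawn a shell while handling
#    untrusted input (a CGI handler copies request headers into the
#    environment, for instance): start the child from an empty environment
#    and pass through only an allowlist of variable names, so that
#    attacker-controlled variables never reach bash at all.
#    usage: run_with_clean_env NAME1,NAME2,... command [args...]
run_with_clean_env() {
    allow=$1; shift
    ncmd=$#                      # number of command words we were given
    for name in $(printf '%s' "$allow" | tr ',' ' '); do
        # only plain identifiers may be used in the eval below
        case $name in
            ''|*[!A-Za-z0-9_]*|[0-9]*) continue ;;
        esac
        eval "isset=\${$name+set}"
        if [ "$isset" = set ]; then
            eval "value=\$$name"
            set -- "$@" "$name=$value"   # append NAME=VALUE after the command words
        fi
    done
    # rotate the command words behind the NAME=VALUE pairs, so that the
    # final call is: env -i NAME=VALUE ... command args...
    while [ "$ncmd" -gt 0 ]; do
        set -- "$@" "$1"; shift
        ncmd=$((ncmd - 1))
    done
    env -i "$@"
}

# Stand-alone demo with constructed values.
bash_env_import_check || :
UNTRUSTED_HEADER='() { :;}; echo leaked'; export UNTRUSTED_HEADER
run_with_clean_env PATH,HOME sh -c 'echo "UNTRUSTED_HEADER in child: ${UNTRUSTED_HEADER:-absent}"'
```

The check prints a one-line verdict and returns a distinct exit status for each outcome, so it can be dropped into a fleet inventory job; the wrapper is the more durable fix, because it does not depend on the patch state of the device at all, which matters for the routers, NAS boxes and webcams the article goes on to mention.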

The catch is that Bash would no longer be backwards compatible if environment variables were no longer parsed automatically, so a lot of older software would stop working. At the same time, even that would not solve the problem completely. A further problem is that users patch devices such as routers, NAS systems and even wireless webcams with a built-in web server far less promptly than a desktop operating system, so those devices can remain vulnerable for years to come.

The latter is one of the reasons that security researcher Robert Graham calls the bug ‘as big as Heartbleed’. That was a security issue in OpenSSL that allowed reading part of the contents of a server’s internal memory.
