Tech Firms Begin Rolling Out Patches For ‘Shellshock’ Bug

Security Information on CVE-2014-6271

Several organizations that use the GNU Bourne Again Shell (Bash) in their products have been hard at work producing software updates to address the recently discovered vulnerability dubbed “Shellshock” or “Bash Bug.”

GNU Bash is a command-line shell used in Linux, Unix and Mac OS X operating systems. It is installed not only on personal computers and servers, but also on other connected “Internet of Things” (IoT) devices. The vulnerability (CVE-2014-6271) affects version 1.14 and later of the shell and can be exploited to execute arbitrary commands and take over affected machines.

Red Hat published a security update shortly after the existence of Shellshock came to light. However, it soon became clear that the fix had been incomplete since, according to Red Hat, “Bash still allowed certain characters to be injected into other environments via specially crafted environment variables.” This second issue has been assigned CVE-2014-7169.
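Because the first fix was incomplete, a defender needs to confirm that a host's Bash is past both issues, not merely that "a" patch was applied. The script below is an added example and not part of the article or any vendor advisory: it runs the two widely published harmless probes for CVE-2014-6271 and CVE-2014-7169 against whichever `bash` is on PATH and reports "patched", "vulnerable" or "no-bash"; the function names are this example's own.

```shell
#!/bin/sh
# Added self-check (not from the article): confirm the Bash patch rollout has
# actually reached this host. Only a temporary directory is created.

# CVE-2014-6271: a vulnerable bash parses an exported variable whose value
# starts with "() {" as a function definition and keeps executing the text
# after the closing brace while importing the environment. A fixed bash
# simply ignores the trailing command, so only "ok" is printed.
check_cve_2014_6271() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 2; }
    out=$(env x='() { :;}; echo PROBE' bash -c 'echo ok' 2>/dev/null) || true
    case "$out" in
        *PROBE*) echo "vulnerable"; return 1 ;;
        *)       echo "patched";    return 0 ;;
    esac
}

# CVE-2014-7169: after the first fix, crafted input could still leak a
# redirection into the parser. On a vulnerable build the probe below creates
# a file named "echo" in the working directory instead of printing "date".
check_cve_2014_7169() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 2; }
    tmp=$(mktemp -d) || { echo "error"; return 2; }
    ( cd "$tmp" && env X='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -e "$tmp/echo" ]; then result="vulnerable"; rc=1
    else result="patched"; rc=0; fi
    rm -rf "$tmp"
    echo "$result"
    return $rc
}

# Combined report with the version banner, useful when collecting evidence
# across many hosts after a rollout.
shellshock_report() {
    echo "bash version: $(bash --version 2>/dev/null | head -n 1)"
    echo "CVE-2014-6271: $(check_cve_2014_6271)"
    echo "CVE-2014-7169: $(check_cve_2014_7169)"
}
```

Run `shellshock_report` on each host after applying the vendor update; a "vulnerable" result for CVE-2014-7169 alone is the signature of a system that received only the initial, incomplete fix.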

On Friday, both Red Hat and Fedora released patched versions of Bash to address this vulnerability.

Over the weekend, Cisco confirmed that some of its products are affected by the vulnerability. The list includes network application, service, and acceleration products; network and content security devices; enterprise and service provider routing and switching solutions; unified computing; voice and unified communications devices; and video, streaming, telepresence and transcoding devices.

Several products that ship with, or rely on, affected versions of Bash are still under investigation, Cisco said in its advisory. The company has released software updates to address the vulnerability.

Oracle has also started patching its products against CVE-2014-7169. The company has identified more than 40 solutions that are vulnerable, but so far it has produced software updates for only six of them: Oracle Database Appliance, Oracle Exadata Storage Server Software, Oracle Exalogic, Oracle Exalytics, Oracle Linux, and the Solaris operating system.

While many members of the security industry have warned that the Shellshock vulnerability might affect a lot of IoT devices, Red Hat has clarified in an FAQ that many embedded devices actually utilize more lightweight solutions, such as BusyBox, which includes a shell that is not vulnerable.

Mac OS X systems are affected by the flaw, but Apple has clarified that users should not be concerned, unless they have configured advanced UNIX services. The company says it is working on a patch for advanced UNIX users. Mac security firm Intego has published a blog post detailing two possible attack scenarios.

In the meantime, cybercriminals have already started exploiting the vulnerability in the wild. Trend Micro has observed several pieces of malware that leverage the flaw, including an IRC bot.

Related Reading: What We Know About Shellshock So Far, and Why the Bash Bug Matters

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.