Third patch brings more admin Shellshock for the battered and Bashed

A third patch, from Red Hat engineer Florian Weimer, has been released for the vulnerable Bash Unix command-line interpreter, closing off flaws found in two previous fixes.

Weimer's unofficial fix was adopted upstream by Bash project maintainer Chet Ramey and released as Bash-4.3 Official Patch 27 (bash43-027) which addressed a bunch of previously undisclosed flaws including two remote exploit bugs.

The first patch (CVE-2014-6271) released Wednesday when the Shellshock flaw dropped was rapidly bypassed. An ensuing fix failed to stop underlying and newly-discovered holes that may have resulted in security vulnerabilities.

The latest bug closed off remote code execution found after the second patch was applied which has not been made public.

"This patch changes the encoding bash uses for exported functions to avoid clashes with shell variables and to avoid depending only on an environment variable's contents to determine whether or not to interpret it as a shell function." Bash patch report.

Google security engineer Michal Zalewski described the patches in a blog and said the previous patches, while imperfect, reduced attack vectors.

"[The flawed patches] led to a round of high-profile press reports claiming that we're still doomed, and people assigning the new bug CVSS scores all the way up to 11. The reality was a bit more nuanced: the glitch demonstrated by Tavis' code is a bit less concerning, because it does not translate into a universally exploitable RCE (remote code execution) - at least not as far as we could figure it out," Zalewski said.

"At this point, I very strongly recommend manually deploying Florian's patch unless your distro is already shipping it."

The private remote code execution bug may be revealed in coming days, placing importance on the need for admins to apply the patches.

Sys admins can run the following script to determine if they had the latest patch applied:

foo='() { echo not patched; }' bash -c foo

The Shellshock vulnerability was under active attack from identities in China, Brazil and Russia, among other areas.

Security bods at FireEye reported attacks against the bug including DDoS attacks, malware droppers, reverse shell hacks, backdoors and data exfiltration.®