Patch for Bash security vulnerability proves insufficient


The patch for a security vulnerability in Bash, which allows attackers to run their own code on OS X and Linux, appears to be incomplete. In certain cases, systems remain vulnerable even with the patch installed.

The patch that was rolled out Wednesday evening for the security problem in the Bash shell is insufficient, according to Red Hat, among others. In some cases it is still possible to run custom code on systems with the Bash shell. This includes Linux distributions, OS X and in some cases Android smartphones, for example if they run CyanogenMod. BusyBox, a collection of Unix tools, is also said to be vulnerable, despite BusyBox not using Bash.

A new patch is currently being worked on to completely resolve the security issue. The vulnerability is less easy to exploit once the patch from Wednesday evening is installed. Before the patch, the Bash shell automatically executed commands that were passed in as part of an environment variable. After installing the patch this is no longer the case, although in some cases an attacker can still trick the shell.

It is not yet clear how complicated it is to exploit the remaining problem. In any case, it seems that it is no longer possible to exploit the bug via CGI scripts. As a result, routers, NAS systems, and devices like webcams with built-in web servers are likely to be a lot less vulnerable, though they will first need to be patched for the issue disclosed Wednesday night.

The security issue in Bash came to light on Wednesday night. Any application that relies on the Bash shell is potentially vulnerable. This includes web servers, which can be tricked with crafted HTTP requests. DHCP clients are also potentially vulnerable: a DHCP server could run its own code on a client PC. That is a problem on public Wi-Fi hotspots, for example.
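The article explains that Bash executed commands smuggled in through environment variables, and that web servers are exposed because HTTP request headers reach CGI scripts as exactly such variables (a User-Agent header becomes `HTTP_USER_AGENT`, a Referer becomes `HTTP_REFERER`). The following is an added example, not code from the article or from any vendor: a small log scanner that flags requests whose Referer or User-Agent header begins with a Bash function definition (`() {`), the prefix the bug keyed on. The log format and the sample lines are constructed here for illustration; the function name `find_shellshock_probes` is an assumption of this example, not a name from the page.

```python
import re
from typing import List, Tuple

# Apache/nginx "combined" log format: client IP, ident, user, [time], "request",
# status, size, "referer", "user-agent". Header fields may contain \" escapes.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# An exported Bash function definition starts with "() {"; the unpatched shell
# ran whatever text followed the closing brace. Tolerate whitespace variations.
FUNC_PREFIX_RE = re.compile(r'^\s*\(\s*\)\s*\{')

# Constructed sample traffic (not real log data): two ordinary requests and two
# probes, one in the User-Agent header and one in the Referer header. The probe
# bodies are deliberately inert (/bin/true).
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2014:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [25/Sep/2014:10:01:15 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; /bin/true"
203.0.113.9 - - [25/Sep/2014:10:02:40 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() {:;}; /bin/true" "curl/7.37.0"
192.0.2.44 - - [25/Sep/2014:10:03:01 +0000] "POST /login HTTP/1.1" 302 0 "https://example.test/" "Mozilla/5.0 (Windows NT 6.1)"
"""


def find_shellshock_probes(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, header_name, header_value) for every request whose
    Referer or User-Agent header looks like a Bash function definition.

    These two headers are handed to CGI scripts as the environment variables
    HTTP_REFERER and HTTP_USER_AGENT, which is the path by which a web server
    could be tricked into running attacker-supplied shell commands.
    """
    hits: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue  # unknown format or truncated line: skip rather than guess
        for field, header_name in (("referer", "Referer"), ("agent", "User-Agent")):
            value = m.group(field)
            if FUNC_PREFIX_RE.match(value):
                hits.append((m.group("ip"), header_name, value))
    return hits


if __name__ == "__main__":
    for ip, header, value in find_shellshock_probes(SAMPLE_LOG):
        print(f"{ip}\t{header}: {value}")
```

A hit only shows that someone sent the pattern, not that the server executed it; whether it did depends on the Bash version behind the CGI script, which is why the article's point about the incomplete first patch matters. Treat a scan like this as triage for which hosts to check and patch first, and as a way to measure how quickly probing started, rather than as proof of compromise.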

Security researcher Robert Graham calls the bug in bash “as big as Heartbleed,” a vulnerability in OpenSSL that could read part of the contents of a server’s internal memory. That’s because there are so many different ways Linux software interacts with bash, Graham says. “We will never be able to phase out all software that is vulnerable to the bash bug,” he writes.
