Mailinglist Archive: opensuse-security-announce (11 mails)

[security-announce] SUSE Shellshock Status Update
Hi folks,

A heads up on the current status of the so-called "Shellshock" vulnerabilities
found in bash.

This is the original issue that was embargoed and became public on Wednesday
September 24th, 1400 UTC.
This issue allows trivial code execution if an attacker can inject environment
variables into bash.

We have published online updates on September 24th as soon as the embargo ended.
Over the next days several more issues were found.

Another issue was found shortly after release of the first one. This problem
so far only allowed overwriting of specific filenames (the first word
in the called shell script).
Due to this limitation of exploitability we considered it less severe
than the original problem.

A nesting issue of "HERE" documents, which could lead to crashes of bash,
but without controlled exploitation.

A nesting issue with "FOR" loops, which led to bash parser errors
(but no crashes).

On Sunday the 28th we released a second round of bash security updates
that fixed those 3 new CVEs.

This second round of updates also contains a hardening patch that changes the
function export to use a prefix of "BASH_FUNC_" and a suffix of "()".

This patch makes it impossible for attackers to exploit the function
parsing feature of bash altogether.

(If it were possible for attackers to inject environment variables named
BASH_FUNC_xx() they could also inject variables like PATH, PS1,
LD_PRELOAD and others.)

Today, Wednesday Oct 1st, two more CVEs were published by Michal Zalewski:

CVE-2014-6277: Attacker controllable crash in bash that could lead to code

CVE-2014-6278: Code injection via parsing of function definitions in
environment variables.

Due to the environment variable hardening patch being included in our
second round of updates, both issues are not exploitable and so currently
no updates are being planned for these issues.

We have published a high level overview page for our enterprise customers:

If you are running an outdated SUSE Linux Enterprise installation (but have a
valid SLES subscription) we will supply fixes for your outdated installation
as a one-time
above page has links on how to get this offering.

More references:
TID on the original shellshock issues
TID on Oct 1st shellshock issues

Upstream documentation of new issues:

Our automated references:

Ciao, Marcus
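
The following check is an added example, not part of the original mail or of SUSE's patches: it classifies environment entries by the function-export naming described above and reports which style a local bash binary uses. The function names, the `probe_fn` probe and the sample entries are assumptions made for illustration; the `%%` suffix accepted next to `()` is the form upstream bash adopted and is not mentioned in the mail.

```shell
#!/bin/sh
# Added example: tell hardened function exports apart from legacy ones.

# classify_env_entry 'NAME=VALUE' prints one of:
#   hardened - function-shaped value under BASH_FUNC_<name>() (the naming in
#              the mail) or BASH_FUNC_<name>%% (upstream's variant)
#   legacy   - function-shaped value under an ordinary variable name, the form
#              an unpatched bash would still parse on startup
#   plain    - value does not look like an exported function at all
classify_env_entry() {
    name=${1%%=*}      # text before the first '='
    value=${1#*=}      # text after the first '='
    case $value in
        '() {'*) ;;                      # looks like a function export
        *) echo plain; return ;;
    esac
    case $name in
        'BASH_FUNC_'*'()' | 'BASH_FUNC_'*'%%') echo hardened ;;
        *) echo legacy ;;
    esac
}

# live_export_style [BASH_BINARY] exports a harmless probe function from the
# given bash and classifies the variable it creates in the child environment.
live_export_style() {
    bash_bin=${1:-bash}
    command -v "$bash_bin" >/dev/null 2>&1 || { echo unavailable; return; }
    entry=$("$bash_bin" -c 'probe_fn() { :; }; export -f probe_fn; env' 2>/dev/null |
            grep -E '^(BASH_FUNC_probe_fn(\(\)|%%)|probe_fn)=\(\) \{' | head -n 1)
    [ -n "$entry" ] || { echo unknown; return; }
    classify_env_entry "$entry"
}

# Report the export style of the bash found on PATH.
echo "bash export style: $(live_export_style)"
```

A result of `legacy` from `live_export_style` means the tested binary predates the hardening patch and still needs the second round of updates.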