Five additional bash bugs have been discovered since our post about the CVE-2014-6271 Shell Shock bug last week: CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187. Vendors have been issuing patches as the vulnerabilities were announced, so early versions of Shell Shock patches will not cover all of them. ZDNet has a good write-up of tests that can be used to determine which vulnerabilities have been patched and which are still open to attack.
As previously mentioned, operating systems and network devices that use bash will need to be patched:
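A local self-check for CVE-2014-6271 and CVE-2014-7169, run only against the bash binary on the machine being assessed. This is an added example, not taken from the original post or the ZDNet write-up. The marker string, the scratch directory and the `BASH_BIN` override are assumptions of this sketch, and the other four CVEs need their own checks.

```shell
#!/bin/sh
# Added example: checks the local bash for two of the CVEs named above.
# BASH_BIN is an assumed override for testing a bash binary other than
# the first one found in PATH.

# CVE-2014-6271: a vulnerable bash executes commands that trail a
# function definition imported from an environment variable.
check_6271() (
    out=$(env x='() { :;}; echo VULN_MARKER' \
          "${BASH_BIN:-bash}" -c 'echo probe' 2>/dev/null) || true
    case "$out" in
        *VULN_MARKER*) echo vulnerable ;;   # trailing command ran
        *probe*)       echo patched ;;      # only the requested command ran
        *)             echo unknown ;;      # bash missing or failed to start
    esac
)

# CVE-2014-7169: the first patch left a parser flaw. A vulnerable bash
# keeps the dangling redirection and writes a file named "echo" in the
# current directory, so the check runs inside a scratch directory.
check_7169() (
    dir=$(mktemp -d) || { echo unknown; exit 0; }
    ( cd "$dir" && env X='() { (a)=>\' \
          "${BASH_BIN:-bash}" -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -e "$dir/echo" ]; then
        result=vulnerable
    else
        result=patched
    fi
    rm -rf "$dir"
    echo "$result"
)

echo "CVE-2014-6271: $(check_6271)"
echo "CVE-2014-7169: $(check_7169)"
```

A result of `patched` for CVE-2014-6271 alone does not mean the later fixes are installed, which is why the second check is reported separately.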
- Apple: The Register has an update with links to Apple patches.
- Cisco: A frequently updated Cisco Security Advisory breaks down supported Cisco products into “Under Investigation”, “Vulnerable”, and “Confirmed Not Vulnerable”, and provides instructions on how to patch vulnerable products or how to purchase upgrades if you don’t have Cisco support.
- F5: F5 provides a list of vulnerability assessments by product and version.
- Oracle: Oracle’s security advisory uses the same Vulnerable/Not Vulnerable/Under Investigation breakdown as Cisco and provides links to available patches. You will need an Oracle account to get the patches.
- VMware: VMware’s Knowledge Base article 2090740 states that while ESX 4.0 and 4.1 are no longer supported, they are potentially vulnerable and VMware will provide patches. The complete list of patches is available at VMSA-2014-0010 and includes patches for VMware virtual appliances. ESXi is not vulnerable, as it uses the ash shell instead of bash.
Check with your vendor if they are not in the above list and check for updates frequently.