Shellshock - BASH vulnerability

September 25, 2014

Given the recent announcement of 'Shellshock', which targets BASH, will there be any advice/guidance on how to patch our VPS's if they are vulnerable?

5 Answers


The fix for CVE-2014-6271 was made available in the following versions:

Distro               Bash version
Ubuntu 14.04 LTS     4.3-7ubuntu1.1
Ubuntu 12.04 LTS     4.2-2ubuntu2.2
Ubuntu 10.04 LTS     4.1-2ubuntu3.1
Debian 7 (wheezy)    4.2+dfsg-0.1+deb7u1
Debian 6 (squeeze)   4.1-3+deb6u1

You can check the version by running apt-cache policy bash

This fix was incomplete and an additional CVE was filed, as CVE-2014-7169. Continue to apply further updates as they are released.

This article will be updated as new information becomes available:

On September 24, 2014, a GNU Bash vulnerability, referred to as Shellshock or the "Bash Bug", was disclosed. In short, the vulnerability allows remote attackers to execute arbitrary code given certain conditions, by passing strings of code following environment variable...


You can test the vulnerability CVE-2014-6271 (for example) with this command:

A="() { ignored; }; /bin/date" bash

If it prints something like

bash: warning: A: ignoring function definition attempt
bash: error importing function definition for `A'

You are OK. But if you see something like

Wed Sep 24 17:24:59 CEST 2014

Your system is vulnerable. For each major OS there should be an update (patch) for this issue. The command to update your OS depends on your OS. E.g., for Ubuntu/Debian:

sudo apt-get update && sudo apt-get upgrade

However, RedHat updated their article and informed that the current patch is incomplete:

Red Hat has become aware that the patch for CVE-2014-6271 is incomplete.
An attacker can provide specially-crafted environment variables containing
arbitrary commands that will be executed on vulnerable systems under certain
conditions. The new issue has been assigned CVE-2014-7169. Red Hat is working
on patches in conjunction with the upstream developers as a critical priority.

You can test this (second) vulnerability with the command:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you see the line:

this is a test

in the output (with some bash errors), you are still vulnerable. You can temporarily fix it with a workaround mentioned in the RedHat article (or wait for a second patch).

Thanks for the detailed replies, I'll be sure to do that once I get home

After the upgrade you can check if you're still vulnerable by running this command:

env x='() { :;}; echo vulnerable' bash -c 'echo hello'

This should return just:

And NOT:

Personally I'm checking the security updates a few times more than usual, because even though the Debian patches came in rapid succession, the first fix wasn't catching all the vulnerabilities.
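The one-off test commands in the answers above are easy to mistype, and they tell the two CVEs apart only if you read the output carefully. The script below is an added example (not posted by anyone in this thread) that wraps both probes in functions with a one-word result, so the same check can be run before and after the upgrade or across a fleet of VPS's. It assumes the bash to test is either given in the hypothetical SHELLSHOCK_BASH variable or is the first bash on PATH; the CVE-2014-7169 probe runs in a scratch directory because on a vulnerable bash it leaves a stray file named "echo" in the current directory.

```shell
#!/bin/sh
# Added example, not from the original thread: script the two Shellshock
# probes so the result is a single word per CVE. Assumes the bash under test
# is $SHELLSHOCK_BASH (hypothetical variable) or the first bash in PATH.

BASH_BIN="${SHELLSHOCK_BASH:-$(command -v bash 2>/dev/null)}"

# First line of "bash --version", for the record in a fleet report.
shellshock_bash_version() {
    [ -x "$BASH_BIN" ] || { echo no-bash; return 0; }
    "$BASH_BIN" --version 2>/dev/null | head -n 1
}

# CVE-2014-6271: an exported variable whose value starts with "() {" is
# imported as a function, and an unpatched bash also executes whatever
# follows the function body ("echo vulnerable") at import time.
# Prints "vulnerable", "patched" or "no-bash".
shellshock_cve_2014_6271() {
    [ -x "$BASH_BIN" ] || { echo no-bash; return 0; }
    probe_out=$(env x='() { :;}; echo vulnerable' "$BASH_BIN" -c 'echo test' 2>/dev/null)
    case "$probe_out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# CVE-2014-7169: with only the first fix applied, the crafted definition
# leaves the parser mid-redirection, so the "-c 'echo date'" command is
# executed as date with its output redirected into a file named "echo".
# The probe therefore checks for that file in a scratch directory.
shellshock_cve_2014_7169() {
    [ -x "$BASH_BIN" ] || { echo no-bash; return 0; }
    scratch=$(mktemp -d) || { echo unknown; return 0; }
    ( cd "$scratch" && env X='() { (a)=>\' "$BASH_BIN" -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -f "$scratch/echo" ]; then
        probe_result=vulnerable
    else
        probe_result=patched
    fi
    rm -rf "$scratch"
    echo "$probe_result"
}

# Human-readable summary; exit status 1 if either probe says vulnerable.
shellshock_report() {
    r1=$(shellshock_cve_2014_6271)
    r2=$(shellshock_cve_2014_7169)
    printf 'bash:           %s\n' "$(shellshock_bash_version)"
    printf 'CVE-2014-6271:  %s\n' "$r1"
    printf 'CVE-2014-7169:  %s\n' "$r2"
    [ "$r1" != vulnerable ] && [ "$r2" != vulnerable ]
}

shellshock_report
```

Run it once before "apt-get upgrade" and once after; a patched bash answers "patched" for both lines, while a box that only received the first fix still answers "vulnerable" for CVE-2014-7169. The non-zero exit status from shellshock_report makes it usable from a cron job or configuration-management check.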
