Question

Shellshock - BASH vulnerability

  • Posted September 25, 2014

Given the recent announcement of ‘Shellshock’, which targets BASH, will there be any advice/guidance on how to patch our VPS’s if they are vulnerable?


sudo apt-get update && sudo apt-get install --only-upgrade bash

@b3n Right. It’s important to note that only currently supported releases will receive this update. This does not include 13.10 or 13.04. These have reached “end of life” and do not receive updates. It’s highly recommended that you run one of the Ubuntu “Long Term Support” releases like 14.04 or 12.04. These continue to receive security patches for 5 years while the interim releases are only supported for 9 months.

sudo apt-get update && sudo apt-get install --only-upgrade bash didn’t upgrade bash to a recent enough version, but worked after I ran do-release-upgrade to upgrade my Ubuntu version. Just FYI in case the command doesn’t initially work for you.

Seuros -

Thank you for your answer. This is egg-zactly what I needed to make my droplet safe again.

cfg83

That will only fix the first vulnerability. There’s another waiting in the wings. Is there anything that can be done in the meantime?

[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169)



Hi,

The fix for CVE-2014-6271 was made available in the following versions:

| Distro | Bash version |
|---|---|
| Ubuntu 14.04 LTS | 4.3-7ubuntu1.1 |
| Ubuntu 12.04 LTS | 4.2-2ubuntu2.2 |
| Ubuntu 10.04 LTS | 4.1-2ubuntu3.1 |
| Debian 7 (wheezy) | 4.2+dfsg-0.1+deb7u1 |
| Debian 6 (squeeze) | 4.1-3+deb6u1 |

You can check the version by running apt-cache policy bash

This fix was incomplete and an additional CVE was filed as CVE-2014-7169. Continue to apply further updates as they are released.

This article will be updated as new information becomes available:

Hi!

You can test the vulnerability CVE-2014-6271 (for example) with this command:

A="() { ignored; }; /bin/date" bash

If it prints something like

bash: warning: A: ignoring function definition attempt
bash: error importing function definition for `A'

You are OK. But if you see something like

Wed Sep 24 17:24:59 CEST 2014

Your system is vulnerable. For each major OS there should be an update (patch) for this issue. The command to update your OS depends on your OS. E.g., for Ubuntu/Debian:

sudo apt-get update && sudo apt-get upgrade

However, Red Hat updated their article and reported that the current patch is incomplete:

Red Hat has become aware that the patch for CVE-2014-6271 is incomplete.
An attacker can provide specially-crafted environment variables containing
arbitrary commands that will be executed on vulnerable systems under certain
conditions. The new issue has been assigned CVE-2014-7169. Red Hat is working
on patches in conjunction with the upstream developers as a critical priority.

You can test this (second) vulnerability with the command:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you see the line:

this is a test

in the output (with some bash errors), you are still vulnerable. You can temporarily fix it with a workaround mentioned in the Red Hat article (or wait for a second patch).

After the upgrade you can check if you're still vulnerable by running this command:

env x='() { :;}; echo vulnerable' bash -c 'echo hello'

This should return just: hello

And NOT: vulnerable hello

Personally I’m checking the security updates a few times more than usual, because even though the Debian patches came in rapid succession, the first fix wasn’t catching all the vulnerabilities.
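The env-variable test quoted in the answers above, wrapped into a script with a clean exit status so it can be run from a cron job or a config-management check on each droplet. This is an added example, not code from the thread or from DigitalOcean; the function names are my own, and the fixed-version table is copied from the answer above (it only covers the first CVE, so the behavioural test is the one to rely on).

```shell
#!/bin/sh
# Added example (not from the original thread). Function and variable names are
# assumptions; the fixed versions come from the table posted in the answer above.

# shellshock_check [BASH_PATH]
#   0 = the injected command is not executed (function-import bug patched)
#   1 = "vulnerable" appears in the output (CVE-2014-6271 present)
#   2 = the binary could not be run or produced unexpected output
shellshock_check() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || return 2
    # A vulnerable bash keeps parsing after the function body when it imports
    # the variable, so "echo vulnerable" runs before the real command.
    # stderr is discarded so a patched bash yields exactly "hello".
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo hello' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 1 ;;
        hello)        return 0 ;;
        *)            return 2 ;;
    esac
}

# fixed_bash_version RELEASE
#   Prints the first package version carrying the CVE-2014-6271 fix for the
#   releases in the table above; returns 1 for any other release.
fixed_bash_version() {
    case "$1" in
        14.04)   echo "4.3-7ubuntu1.1" ;;
        12.04)   echo "4.2-2ubuntu2.2" ;;
        10.04)   echo "4.1-2ubuntu3.1" ;;
        wheezy)  echo "4.2+dfsg-0.1+deb7u1" ;;
        squeeze) echo "4.1-3+deb6u1" ;;
        *)       return 1 ;;
    esac
}

# installed_bash_is_fixed RELEASE
#   Compares the installed package version (what "apt-cache policy bash" shows)
#   against the fixed version; Debian/Ubuntu only, returns 2 when unknown.
installed_bash_is_fixed() {
    fixed=$(fixed_bash_version "$1") || return 2
    command -v dpkg-query >/dev/null 2>&1 || return 2
    installed=$(dpkg-query -W -f='${Version}' bash 2>/dev/null) || return 2
    dpkg --compare-versions "$installed" ge "$fixed"
}

# Report on the bash found in PATH without aborting the script.
if shellshock_check bash; then echo "bash: function-import test passed"
else echo "bash: check returned $? (1 = vulnerable, 2 = could not test)"; fi
```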

Thanks for the detailed replies, I’ll be sure to do that once I get home
