Shellshock - BASH vulnerability
Given the recent announcement of ‘Shellshock’, which targets BASH, will there be any advice/guidance on how to patch our VPS’s if they are vulnerable?
5 Answers
Hi,
The fix for CVE-2014-6271 was made available in the following versions:
| Distro | Bash version |
|---|---|
| Ubuntu 14.04 LTS | 4.3-7ubuntu1.1 |
| Ubuntu 12.04 LTS | 4.2-2ubuntu2.2 |
| Ubuntu 10.04 LTS | 4.1-2ubuntu3.1 |
| Debian 7 (wheezy) | 4.2+dfsg-0.1+deb7u1 |
| Debian 6 (squeeze) | 4.1-3+deb6u1 |
You can check the version by running apt-cache policy bash
This fix was incomplete and an additional CVE was filed, as CVE-2014-7169 Continue to apply furthur updates as they are released.
This article will be updated as new information becomes available:
On September 24, 2014, a GNU Bash vulnerability, referred to as Shellshock or the "Bash Bug", was disclosed. In short, the vulnerability allows remote attackers to execute arbitrary code given certain conditions, by passing strings of code following environment variable...
Hi!
You can test the vulnerability CVE-2014–6271 (for example) whith this command:
A="() { ignored; }; /bin/date" bash
If it prints something like
bash: warning: A: ignoring function definition attempt
bash: error importing function definition for `A'
You are OK. But if you see something like
Wed Sep 24 17:24:59 CEST 2014
Your system is vulnerable. For each major OS there should by an update (patch) for this issue. The command to update your OS depends on your OS. E.g., for Ubuntu/debian:
sudo apt-get update && sudo apt-get upgrade
However, RedHat updated their article and informed that the current patch is incomplete:
Red Hat has become aware that the patch for CVE-2014-6271 is incomplete.
An attacker can provide specially-crafted environment variables containing
arbitrary commands that will be executed on vulnerable systems under certain
conditions. The new issue has been assigned CVE-2014-7169. Red Hat is working
on patches in conjunction with the upstream developers as a critical priority.
You can test this (second) vulnerability with the command:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If you see the line:
this is a test
in the output (with some bash errors), you are still vulnerable. You can temporary fix it with a workaround mentioned in the RedHat article (or wait for a second patch).
[deleted]
Thanks for the detailed replies, I’ll be sure to do that once I get home
After the upgrade you can check if your still vulnerable by running this command:
env x=’() { :;}; echo vulnerable’ bash -c ‘echo hello’
This should return just:
hello
And NOT:
vulnerable
hello
Personally I’m checking the security updates a few times more than usual, because even the Debian patches came in rapid succession, the first fix wasn’t catching all the vulnerabilities.
Have another answer? Share your knowledge.
sudo apt-get update && sudo apt-get install –only-upgrade bash
That will only fix the first vulnerability. There’s another waiting in the wings. Is there anything that can be done in the mean time?
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
Seuros -
Thank you for your answer. This is egg-zactly what I needed to make my droplet safe again.
cfg83
sudo apt-get update && sudo apt-get install –only-upgrade bash didn’t upgrade bash to a recent enough version, but worked after I ran do-release-upgrade to upgrade my Ubuntu version. Just FYI in case the command doesn’t initially work for you.
@b3n Right. It’s important to note that only currently supported release will receive this update. This does not include 13.10 or 13.04. These have reached “end of life” and do not receive updates. It’s highly recommended that you run one of the Ubuntu “Long Term Support” releases like 14.04 or 12.04. These continue to receive security patches for 5 years while the interim releases are only supported for 9 months.