Hi!
You can test the vulnerability CVE-2014-6271 (for example) with this command:
A="() { ignored; }; /bin/date" bash
If it prints something like
bash: warning: A: ignoring function definition attempt
bash: error importing function definition for `A'
You are OK. But if you see something like
Wed Sep 24 17:24:59 CEST 2014
Your system is vulnerable. For each major OS there should be an update (patch) for this issue. The command to update your OS depends on your OS. E.g., for Ubuntu/Debian:
sudo apt-get update && sudo apt-get upgrade
However, RedHat updated their article and informed that the current patch is incomplete:
Red Hat has become aware that the patch for CVE-2014-6271 is incomplete.
An attacker can provide specially-crafted environment variables containing
arbitrary commands that will be executed on vulnerable systems under certain
conditions. The new issue has been assigned CVE-2014-7169. Red Hat is working
on patches in conjunction with the upstream developers as a critical priority.
You can test this (second) vulnerability with the command:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If you see the line:
this is a test
in the output (with some bash errors), you are still vulnerable. You can temporarily fix it with a workaround mentioned in the RedHat article (or wait for a second patch).
sudo apt-get update && sudo apt-get install --only-upgrade bash
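A small script, added here as an example and not part of the original answer, that wraps the checks into functions which print one word each (`vulnerable`, `patched`, `no-bash` or `error`) so they can be run from a cron job or configuration-management check rather than read off the terminal. The CVE-2014-6271 check is the environment-variable test from the answer above, with a constructed marker string instead of `echo vulnerable`. The CVE-2014-7169 check is the publicly documented test for that follow-up bug, not something quoted in this thread: on an unpatched bash the redirection in the variable value creates a file named `echo` in the current directory, so the script runs it in a scratch directory and looks for that file.

```shell
#!/bin/sh
# Added example (not from the thread): local checks for the two Shellshock
# CVEs discussed above. Each function prints exactly one word on stdout:
#   vulnerable | patched | no-bash | error

# CVE-2014-6271: commands trailing a function definition in an imported
# environment variable must not be executed. A fixed bash prints
# "ignoring function definition attempt" on stderr instead.
check_cve_2014_6271() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    # Constructed marker so the result cannot be confused with normal output.
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER_6271' bash -c 'true' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER_6271*) echo vulnerable ;;
        *) echo patched ;;
    esac
}

# CVE-2014-7169: the incomplete first fix left a parser bug that lets the
# redirection in the environment value create a file named "echo" in the
# current directory. Run inside a scratch directory so nothing is left behind.
check_cve_2014_7169() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    tmp=$(mktemp -d 2>/dev/null) || { echo error; return 0; }
    ( cd "$tmp" && env X='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$tmp/echo" ]; then
        echo vulnerable
    else
        echo patched
    fi
    rm -rf "$tmp"
}

# Human-readable summary for running the script by hand.
report() {
    printf 'CVE-2014-6271: %s\n' "$(check_cve_2014_6271)"
    printf 'CVE-2014-7169: %s\n' "$(check_cve_2014_7169)"
}

report
```

After applying the bash update, both lines should read `patched`; a host that reports `vulnerable` on the second line but `patched` on the first has received only the initial fix that Red Hat's notice describes as incomplete.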
That will only fix the first vulnerability. There’s another waiting in the wings. Is there anything that can be done in the meantime?
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169)
Seuros -
Thank you for your answer. This is egg-zactly what I needed to make my droplet safe again.
cfg83
sudo apt-get update && sudo apt-get install --only-upgrade bash didn’t upgrade bash to a recent enough version, but worked after I ran do-release-upgrade to upgrade my Ubuntu version. Just FYI in case the command doesn’t initially work for you.
@b3n Right. It’s important to note that only currently supported releases will receive this update. This does not include 13.10 or 13.04. These have reached “end of life” and do not receive updates. It’s highly recommended that you run one of the Ubuntu “Long Term Support” releases like 14.04 or 12.04. These continue to receive security patches for 5 years while the interim releases are only supported for 9 months.