By Chris Jones
Given the recent announcement of ‘Shellshock’, which targets BASH, will there be any advice/guidance on how to patch our VPS’s if they are vulnerable?
Hi!
You can test the vulnerability CVE-2014-6271 (for example) with this command:

```
A="() { ignored; }; /bin/date" bash
```

If it prints something like

```
bash: warning: A: ignoring function definition attempt
bash: error importing function definition for `A'
```

You are OK. But if you see something like

```
Wed Sep 24 17:24:59 CEST 2014
```

Your system is vulnerable. For each major OS there should be an update (patch) for this issue. The command to update your OS depends on your OS. E.g., for Ubuntu/Debian:

```
sudo apt-get update && sudo apt-get upgrade
```
However, Red Hat updated their article and informed that the current patch is incomplete:

> Red Hat has become aware that the patch for CVE-2014-6271 is incomplete.
> An attacker can provide specially-crafted environment variables containing
> arbitrary commands that will be executed on vulnerable systems under certain
> conditions. The new issue has been assigned CVE-2014-7169. Red Hat is working
> on patches in conjunction with the upstream developers as a critical priority.

You can test this (second) vulnerability with the command:

```
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
```

If you see the line:

```
this is a test
```

in the output (with some bash errors), you are still vulnerable. You can temporarily fix it with a workaround mentioned in the Red Hat article (or wait for a second patch).
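The environment-variable probe from the answer above, wrapped so it can be re-run on every bash binary before and after patching. This is an added example, not part of the original post; the function names, status strings and canary value are hypothetical.

```shell
#!/bin/sh
# Added example: repeatable version of the environment-variable probe above.
# Function names and status strings are hypothetical, chosen for this sketch.

# classify_probe MARKER STDOUT STDERR -> prints one status
classify_probe() {
    case "$2" in
        *"$1"*) echo "vulnerable"; return 0 ;;   # trailing command was executed
    esac
    case "$3" in
        *"ignoring function definition attempt"*|*"error importing function definition"*)
            # bash refused the import and warned, as in the answer's "OK" output
            echo "blocked-with-warning"; return 0 ;;
    esac
    # Later bash builds only import functions from specially named variables,
    # so the probe variable is ignored without any message.
    echo "not vulnerable"
}

# probe_bash /path/to/bash -> runs the probe with a harmless echo as payload
probe_bash() {
    marker="canary_$$"                      # constructed, unlikely to occur by chance
    err=$(mktemp) || return 2
    out=$(env "x=() { :;}; echo $marker" "$1" -c ':' 2>"$err") || true
    classify_probe "$marker" "$out" "$(cat "$err")"
    rm -f "$err"
}

# audit_shells -> probe every bash binary on PATH or listed in /etc/shells
audit_shells() {
    { command -v bash || true; grep '/bash$' /etc/shells 2>/dev/null || true; } |
    sort -u |
    while read -r bin; do
        if [ -x "$bin" ]; then
            printf '%s: %s\n' "$bin" "$(probe_bash "$bin")"
        fi
    done
}

audit_shells
```

Run it before and after the package upgrade. A `blocked-with-warning` result corresponds to the first patch, which the Red Hat note quoted above describes as incomplete.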
Thanks for the detailed replies, I’ll be sure to do that once I get home