Introduction
On September 24, 2014, a GNU Bash vulnerability, referred to as Shellshock or the “Bash Bug”, was disclosed. In short, the vulnerability allows remote attackers to execute arbitrary code given certain conditions, by passing strings of code following environment variable assignments. Because of Bash’s ubiquitous status amongst Linux, BSD, and Mac OS X distributions, many computers are vulnerable to Shellshock; all unpatched Bash versions between 1.14 through 4.3 (i.e. all releases until now) are at risk.
The Shellshock vulnerability can be exploited on systems that are running Services or applications that allow unauthorized remote users to assign Bash environment variables. Examples of exploitable systems include the following:
- Apache HTTP Servers that use CGI scripts (via
mod_cgiandmod_cgid) that are written in Bash or launch to Bash subshells - Certain DHCP clients
- OpenSSH servers that use the
ForceCommandcapability - Various network-exposed services that use Bash
A detailed description of the bug can be found at CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187.
Because the Shellshock vulnerability is very widespread–even more so than the OpenSSL Heartbleed bug–and particularly easy to exploit, it is highly recommended that affected systems are properly updated to fix or mitigate the vulnerability as soon as possible. We will show you how to test if your machines are vulnerable and, if they are, how to update Bash to remove the vulnerability.
Check System Vulnerability
On each of your systems that run Bash, you may check for Shellshock vulnerability by running the following command at the bash prompt:
env 'VAR=() { :;}; echo Bash is vulnerable!' 'FUNCTION()=() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
The highlighted echo Bash is vulnerable! portion of the command represents where a remote attacker could inject malicious code; arbitrary code following a function definition within an environment variable assignment. Therefore, if you see the following output, your version of Bash is vulnerable and should be updated:
Bash is vulnerable!
Bash Test
If your output does not include the simulated attacker’s payload, i.e. “Bash is vulnerable” is not printed as output, you are protected against at least the first vulnerability (CVE-2014-6271), but you may be vulnerable to the other CVEs that were discovered later. If there are any bash warnings or errors in the output, you should update Bash to its latest version; this process is described in the next section.
If the only thing that is output from the test command is the following, your Bash is safe from Shellshock:
Bash Test
Test Remote Sites
If you simply want to test if websites or specific CGI scripts are vulnerable, use this link: ‘ShellShock’ Bash Vulnerability CVE-2014-6271 Test Tool.
Simply enter the URL of the website or CGI script you want to test in the appropriate form and submit.
Fix Vulnerability: Update Bash
The easiest way to fix the vulnerability is to use your default package manager to update the version of Bash. The following subsections cover updating Bash on various Linux distributions, including Ubuntu, Debian, CentOS, Red Hat, and Fedora.
APT-GET: Ubuntu / Debian
For currently supported versions of Ubuntu or Debian, update Bash to the latest version available via apt-get:
sudo apt-get update && sudo apt-get install --only-upgrade bash
Now check your system vulnerability again by running the command in the previous section (Check System Vulnerability).
End of Life Ubuntu / Debian Releases
If you are running a release of Ubuntu / Debian that is considered end of life status, you will have to upgrade to a supported to use the package manager to update Bash. The following command can be used to upgrade to a new release (it is recommended that you back up your server and important data first, in case you run into any issues):
sudo do-release-upgrade
After the upgrade is complete, ensure that you update Bash.
YUM: CentOS / Red Hat / Fedora
Update Bash to the latest version available via yum:
sudo yum update bash
Now check your system vulnerability again by running the command in the previous section (Check System Vulnerability).
End of Life CentOS / Red Hat / Fedora Releases
If you are running a release of CentOS / Red Hat / Fedora that is considered end of life status, you will have to upgrade to a supported to use the package manager to update Bash. The following command can be used to upgrade to a new release (it is recommended that you back up your server and important data first, in case you run into any issues):
sudo yum update
After the upgrade is complete, ensure that you update Bash.
Conclusion
Be sure to update all of your affected servers to the latest version of Bash! Also, be sure to keep your servers up to date with the latest security updates!
Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.
About the author
Software Engineer @ DigitalOcean. Former Señor Technical Writer (I no longer update articles or respond to comments). Expertise in areas including Ubuntu, PostgreSQL, MySQL, and more.
Still looking for an answer?
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
Ubuntu now has the latest version of Bash sent out to their repositories. More info here:
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-7169.html
Thanks for this. Fixed it on my home computer and remote server. Awesome!
After update, is there any need to restart anything ??
I am with CentOS 6.5 x32
Hey Guys,
I just checked & updated the path on one of our production server.
After doing a “yum update bash”, rechecked:
env VAR=‘() { :;}; echo Bash is vulnerable!’ bash -c “echo Bash Test”
It simply gave below output:
Bash Test
Is this still vulnerable or patches updated? Please suggest.
Cheers, Vasu
Here’s Puppet code to patch it on CentOS:
exec { 'patch_shellshock_security_hole':
command => "/usr/bin/yes | /usr/bin/yum update bash; touch /root/shellshock_bug_has_been_patched",
creates => '/root/shellshock_bug_has_been_patched',
}
I have just tested this code and it worked fine on CentOS 6.4.
Ross
i have 4.5.1(1) on 2 Ubuntu Servers. Does that mean not vulnerable? Test says otherwise. You state 4.3 is the latest.
I think, even if it’s not vulnerable, it’s a good idea to update bash to lastest version
I have Ubuntu 12.10 that is not more supported… what the best way to upgrade?
I hadn’t touched my droplet in quite a while - turns out I’m on 12.04 which has been EOL’ed and can’t seem to be updated. Any suggestions on how to handle this?
The CentOS yum repository has the fix. I just installed it on my CentOS 6.5 droplets.
Not so fast! Give it a try, still vulnerable!
env -i X=' () { }; echo hello' bash -c 'date'
if you have some old / EOL release, this code may help you.
it requires you to have a compiler, patch & make, as such you may need to install these packages
for Ubuntu you can do
for CentOS/variants
(you may uninstall them afterwards if you no longer need)
after that, you can install bash from scratch, follow these commands (taken from the internet somewhere)
can first “cd /tmp” or start in any directory of your choice; must be executed as root [updated 2014-09-27 0900 EST [GMT-0500] now 26 patches instead of 25] [updated 2014-09-28 0900 EST [GMT-0500] now 27] [updated 2014-10-01 1400 EST [GMT-0500] now 28] [updated 2014-10-02 2300 EST [GMT-0500] now 29]
mkdir src
cd src
wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
#download all patches
for i in $(seq -f "%03g" 0 30); do wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i; done
tar zxvf bash-4.3.tar.gz
cd bash-4.3
#apply all patches
for i in $(seq -f "%03g" 0 30);do patch -p0 < ../bash43-$i; done
#build and install
./configure && make && make install
cd ..
cd ..
rm -r src
after this you should have the newest bash installed on your system
run the test again to check yourself
env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
you should be good to go now!
Replying to gd
Hope this works, last time I tried to do an upgrade on the droplet I use for testing it blew up my wordpress site and I just rolled it back (props for snapshot). Unfortunately I have not had the time to work on those issues more and am still running 13.10. I assume after I get bash installed I can remove gcc, make and patch if they are not needed anymore?
Replying to gd
You Sir, are a F$%king legend. You have just made me one very happy server admin :-) Kudos
Replying to gd
change the loop values from 25 to 26 to include the latest patch (26-Sep-2014 17:02)
Replying to gd
The patches have been updated again - please change the loop from 26 to 27.
To update from an older version of ubuntu (e.g. saucy), run this first:
sudo sed -i 's/saucy/trusty/g' /etc/apt/sources.list
That will update your sources to the newer ones. It might cause some incompatibility eventually, but it let me fix this problem for now.
I did the update and now can no longer SSH into my droplet. Anyone have any thoughts?
For people using ServerPilot to manage servers running PHP and WordPress sites, your servers are already patched. More info here:
https://www.serverpilot.io/blog/2014/09/25/bash-shellshock-security-updates.html
Ubuntu here… 4 droplets. Worked for versions 12.04 and 14.04 but not working in version 13.10
after running the apt-get command
… bash is already the newest version. 0 upgraded, 0 newly installed, 0 to remove and 84 not upgraded.
but vulnerability still there based in the test for version 13.10 as i said.
Thanks for making it easy. Just two commands, one to see that I need a fix and one to fix it. All done! I’m no linux guru, I just want to run a wordpress server!
I have some droplets with:
Distributor ID: Ubuntu Description: Ubuntu 12.10 Release: 12.10 Codename: quantal
And they don’t update. What i need to do so?
i mean, threre wont be a patch for this (others) version?
This comment has been deleted
For older versions of Ubuntu you can follow the steps here:
http://cloudgames.com/blog/fix-bash-exploit-old-new-releases-ubuntu-apt-get/
You can update the respository to get the latest bash version and then can always set the repository back to the original after updating bash.
Here is what I did for my Ubuntu droplet…
apt-get update && apt-get -y upgrade apt-get install -y bash
seems to have worked
I do an apt-get update and even an apt-get upgrade on my Debian(6) squeeze and it says all packages are up to date so sudo apt-get update && sudo apt-get install --only-upgrade bash does not do anything. Bash is latest version and still not fixed, any other way i can update it?
If the test on http://shellshock.brandonpotter.com/ is showing no vulnerabilities, but the bash test command does show vulnerabilities, do you think we are safe to wait until the full fix is released?
Thank you,
Hello -
Is it really fixed? :
Still more vulnerabilities in bash? Shellshock becomes whack-a-mole http://arstechnica.com/security/2014/09/still-more-vulnerabilities-in-bash-shellshock-becomes-whack-a-mole/
From the above article I think it is not fixed.
cfg83
Hello -
On my 14.x Ubuntu droplet I am patched up to bash 4.3.11(1)-release
I went here :
https://twitter.com/taviso/status/514887394294652929
And tried this test :
env X='() { (a)=>\' bash -c "echo echo vuln"; [[ "$(cat echo)" == "vuln" ]] && echo "still vulnerable :("
And got this output :
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
echo vuln
still vulnerable :(
Question: Is the above test legitimate?
cfg83
This comment has been deleted
For older versions of Ubuntu you can follow the steps here:
http://cloudgames.com/blog/fix-bash-exploit-old-new-releases-ubuntu-apt-get/
You can update the respository to get the latest bash version and then can always set the repository back to the original after updating bash.
Here is what I did for my Ubuntu droplet…
apt-get update && apt-get -y upgrade apt-get install -y bash
seems to have worked
I do an apt-get update and even an apt-get upgrade on my Debian(6) squeeze and it says all packages are up to date so sudo apt-get update && sudo apt-get install --only-upgrade bash does not do anything. Bash is latest version and still not fixed, any other way i can update it?
If the test on http://shellshock.brandonpotter.com/ is showing no vulnerabilities, but the bash test command does show vulnerabilities, do you think we are safe to wait until the full fix is released?
Thank you,
Hello -
Is it really fixed? :
Still more vulnerabilities in bash? Shellshock becomes whack-a-mole http://arstechnica.com/security/2014/09/still-more-vulnerabilities-in-bash-shellshock-becomes-whack-a-mole/
From the above article I think it is not fixed.
cfg83
Hello -
On my 14.x Ubuntu droplet I am patched up to bash 4.3.11(1)-release
I went here :
https://twitter.com/taviso/status/514887394294652929
And tried this test :
env X='() { (a)=>\' bash -c "echo echo vuln"; [[ "$(cat echo)" == "vuln" ]] && echo "still vulnerable :("
And got this output :
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
echo vuln
still vulnerable :(
Question: Is the above test legitimate?
cfg83
Thanks. It worked out perfectly on Ubuntu 14.04 and 12.04.
Does anybody know how to upgrade bash on Debian lenny?
You must use the squeeze-lts repository in order to continue receiving updates to Debian 6 Squeeze
To add this repository, edit /etc/apt/sources.list and add the line
deb http://ftp.us.debian.org/debian squeeze-lts main non-free contrib
To update only bash, after running apt-get update use apt-get install --only-upgrade bash
If you’re using gd’s solution below to build from scratch, change the two loop values from 25 to 26:
for i in $(seq -f “%03g” 0 26); do …
because there is one more patch available, dealing with the latest vulnerability.
Thanks a lot, but is there any opportunity to update my OS X Server?
BTW, here is good HOWTO to protect web applications agains ShellShock, not only servers.
Debian 7 works great!
env VAR=‘() { :;}; echo Bash is vulnerable!’ bash -c “echo Bash Test” Bash is vulnerable! Bash Test So… env VAR=‘() { :;}; echo Bash is vulnerable!’ bash -c “echo Bash Test” Bash Test
Fucking thank you!!!
Just wanted to say thank you. I am very happy to see that the documentation is growing!
Keep up the excellent work and thank you for your detailed article!
Worked flawlessly on our gitlab
My debian server now passes the above “Check System Vulnerability” test. But I read elsewhere of the test below, which fails: env var='() {(a)=>' bash -c “echo date”; cat echo
Apparently a patched system should not print the date, but my system does. Is this something that requires action in addition to the instructions above?
This work is licensed under a Creative Commons Attribution-NonCommercial- ShareAlike 4.0 International License.
Become a contributor for community
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.
DigitalOcean Documentation
Full documentation for every DigitalOcean product.
Resources for startups and SMBs
The Wave has everything you need to know about building a business, from raising funding to marketing your product.
The developer cloud
Scale up as you grow — whether you're running one virtual machine or ten thousand.
Get started for free
Sign up and get $200 in credit for your first 60 days with DigitalOcean.*
*This promotional offer applies to new accounts only.