On September 24, 2014, a GNU Bash vulnerability, referred to as
Shellshock or the "Bash Bug", was disclosed. In short, the vulnerability
allows remote attackers to execute arbitrary code given certain
conditions, by passing strings of code following environment variable
assignments. Because of Bash's ubiquitous status amongst Linux, BSD, and
Mac OS X distributions, many computers are vulnerable to Shellshock;
all unpatched Bash versions from 1.14 through 4.3 (i.e. every release
to date) are at risk.
The Shellshock vulnerability can be exploited on systems that are
running services or applications that allow unauthorized remote users to
assign Bash environment variables. Examples of exploitable systems
include the following:
- Apache HTTP Servers that use CGI scripts (via mod_cgi and mod_cgid) that are written in Bash or launch Bash subshells
- Certain DHCP clients
- OpenSSH servers that use the ForceCommand capability
- Various network-exposed services that use Bash
Because the Shellshock vulnerability is very widespread--even more so than the OpenSSL Heartbleed bug--and particularly easy to exploit, it is highly recommended that affected systems are properly updated to fix or mitigate the vulnerability as soon as possible. We will show you how to test if your machines are vulnerable and, if they are, how to update Bash to remove the vulnerability.
Note: (Sept. 25, 2014 - 6:00pm EST) At the time of writing, only an "incomplete fix" for the vulnerability has been released. As such, it is recommended to update your machines that run Bash immediately, and check back for updates and a complete fix.
Check System Vulnerability
On each of your systems that run Bash, you may check for Shellshock vulnerability by running the following command at the bash prompt:
env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
If you see output that looks like the following, your version of Bash is safe:
bash: warning: VAR: ignoring function definition attempt
bash: error importing function definition for `VAR'
Bash Test
If you see "Bash is vulnerable!" as part of your output, you need to update your Bash. The "echo Bash is vulnerable!" part of the command represents where a remote attacker could inject malicious code, following a function definition within an environment variable assignment. Read on to learn how to update Bash and fix the vulnerability.
Test Remote Sites
You may use this link to test specific websites and CGI scripts: 'ShellShock' Bash Vulnerability CVE-2014-6271 Test Tool.
Fix Vulnerability: Update Bash
The easiest way to fix the vulnerability is to use your default package manager to update the version of Bash. The following subsections cover updating Bash on various Linux distributions, including Ubuntu, Debian, CentOS, Red Hat, and Fedora.
Note: (Sept. 25, 2014 - 6:00pm EST) At the time of writing, only an "incomplete fix" for the vulnerability has been released. As such, it is recommended to update your machines that run Bash immediately, and check back for updates and a complete fix.
APT-GET: Ubuntu / Debian
Update Bash to the latest version available via apt-get:
sudo apt-get update && sudo apt-get install --only-upgrade bash
Now check your system's vulnerability again by running the command in the previous section.
YUM: CentOS / Red Hat / Fedora
Update Bash to the latest version available via yum:
sudo yum update bash
Now check your system's vulnerability again by running the command in the previous section.
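The check command above and the CGI vector from the list of exploitable systems can both be turned into scripted, defender-side checks. The following POSIX sh script is an added example, not code from the original article: it wraps the self-test so its result can be acted on, and scans constructed Apache access-log lines for the "() {" function-definition prefix that Bash required before importing a function from the environment. The function names, the SAMPLE_LOG lines and the no-op probe payload are all this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original article. Two defender-side
# checks built around the "() {" prefix that Bash required before it would
# import an exported function definition from the environment.

# Wraps the article's self-test so scripts can act on the result:
# returns 0 = patched, 1 = vulnerable, 2 = no bash binary on this host.
shellshock_self_test() {
    command -v bash >/dev/null 2>&1 || return 2
    out=$(env VAR='() { :;}; echo VULNERABLE' bash -c 'echo test' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) return 1 ;;
        *) return 0 ;;
    esac
}

# Scans Apache access-log lines (combined format) on stdin. mod_cgi copies
# request headers such as User-Agent and Referer into the CGI script's
# environment, so a "() {" prefix inside a logged header is the signature of
# a Shellshock probe. Prints "client path" per hit, then the hit count.
scan_access_log() {
    hits=0
    while IFS= read -r line; do
        case "$line" in
            *'() {'*)
                hits=$((hits + 1))
                client=${line%% *}                 # first field is the client IP
                req=${line#*\"}; req=${req%%\"*}   # text inside the first quotes
                path=${req#* }; path=${path%% *}   # "GET /path HTTP/1.1" -> /path
                printf '%s %s\n' "$client" "$path" ;;
        esac
    done
    echo "$hits"
}

# Constructed sample log lines (not real traffic); the probe payload is a no-op.
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 12 "-" "() { :;}; echo probe"
198.51.100.7 - - [25/Sep/2014:10:01:09 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2014:10:02:15 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 12 "() { :;}; echo probe" "curl/7.30"'

# Number of probe lines in the sample (expected: 2).
shellshock_probe_count() {
    printf '%s\n' "$SAMPLE_LOG" | scan_access_log | tail -n 1
}
```

On a real host, feed scan_access_log the live log instead of SAMPLE_LOG (for example `scan_access_log < /var/log/apache2/access.log`) and treat any hit as a reason to confirm the patch level with shellshock_self_test.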