Shellshock — Update Your Bash, Gentlemen
Ensure your bash shell is secure against the Shellshock vulnerability with these easy update commands for various operating systems.
Recently, several serious vulnerabilities have been identified in popular operating systems. We can recall Heartbleed (an OpenSSL vulnerability), which affected most systems, as well as bugs in the FreeBSD network stack and privilege escalation issues in certain versions of the Linux kernel. A recent vulnerability discovered in the widely used shell, bash, has been named Shellshock (CVE-2014-6271, CVE-2014-7169).
In brief, the vulnerability is a bug in the interpreter: when bash imports a function definition from an environment variable, it also executes any commands that follow the function body. The risk is significant because such code can be delivered in many ways: in cookies, HTTP request headers, local variables, and more. All bash versions from 1.14 to 4.3 are vulnerable, which affects not only traditional web servers but also many devices such as home routers, print servers, and even smartphones.
You can check for the vulnerability with a simple command:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If the output contains the text “vulnerable”, then your bash version is outdated:
[root@vulnerable-server ~]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
[root@vulnerable-server ~]#
If it only outputs “this is a test”, your system is already updated:
[root@server ~]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test
[root@server ~]#
If your server is using an outdated version of bash, it should be updated immediately.
Debian, Ubuntu
All modern versions can be easily updated using the apt-get package manager. Execute the following commands:
apt-get update
apt-get install --only-upgrade bash
For outdated versions, the recommended method is to update the system as a whole using the command do-release-upgrade. Always back up your data, inform users, and review the relevant documentation as updates might require adjustments to configuration files and settings.
CentOS, Fedora
On Red Hat family systems, update bash using yum:
yum update bash
FreeBSD
On FreeBSD, the main shell is tcsh; however, bash may be installed to run certain scripts. You can update bash in modern versions using:
pkg upgrade bash
For old versions where software is installed from /usr/ports, update the ports tree, then compile and install:
cd /usr/ports/shells/bash
make BATCH=yes build
make BATCH=yes deinstall
make BATCH=yes reinstall
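After updating, a host can still carry a second, stale copy of bash (for example one built from ports under /usr/local/bin next to a packaged /bin/bash). The script below is an added example, not part of the original article: it runs the article's probe against every bash binary it finds. The function names and the list of candidate paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: run the article's probe against every bash binary on the host.

# probe_bash PATH: prints "vulnerable", "patched" or "error" for one binary.
probe_bash() {
    bin=$1
    if [ ! -x "$bin" ]; then echo error; return 0; fi
    # env -i starts the probe with an empty environment, so the only
    # variable the shell can import is the crafted x from the article.
    out=$(env -i x='() { :;}; echo vulnerable' "$bin" -c 'echo this is a test' 2>/dev/null) || true
    case $out in
        *vulnerable*)       echo vulnerable ;;
        *"this is a test"*) echo patched ;;
        *)                  echo error ;;
    esac
}

# list_bash_candidates: paths from /etc/shells plus common install locations
# (assumed list; extend it for chroots, jails or vendor directories).
list_bash_candidates() {
    {
        if [ -r /etc/shells ]; then grep -E '^/.*/bash$' /etc/shells || true; fi
        printf '%s\n' /bin/bash /usr/bin/bash /usr/local/bin/bash
        command -v bash || true
    } 2>/dev/null | sort -u
}

# scan_all: prints one line per existing binary; returns 1 if any is vulnerable.
scan_all() {
    bad=0
    for b in $(list_bash_candidates); do
        if [ ! -x "$b" ]; then continue; fi
        result=$(probe_bash "$b")
        printf '%-24s %s\n' "$b" "$result"
        if [ "$result" = vulnerable ]; then bad=1; fi
    done
    return "$bad"
}

scan_all || echo "At least one bash binary still needs updating."
```

Like the one-line check earlier in the article, this probe reports on the original function-import bug only.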