How to detect and patch Shellshock vulnerability in bash

Question: I would like to know how to test whether or not my Linux server is vulnerable to bash Shellshock bug, and how to protect my Linux server against the Shellshock exploit.

On September 24, 2014, a bash vulnerability nicknamed "Shellshock" (aka "Bashdoor" or "Bash bug") was discovered by a security researcher named Stephane Chazelas. Bash exports function definitions to child processes through environment variables, and a vulnerable bash keeps executing whatever follows the function body when it imports such a variable. This flaw, if exploited, allows a remote attacker to run arbitrary code wherever an attacker-controlled string ends up in the environment of a process that invokes bash: the code appended to the specially crafted variable runs as soon as bash starts.

Note that Shellshock affects bash versions 1.14 through 4.3 (the current release at the time of writing). Although no definitive and complete fix for the vulnerability has yet been found, the major Linux distributors (Debian, Red Hat, CentOS, Ubuntu, and Novell/SUSE) have released patches that address the bugs related to it (CVE-2014-6271 and CVE-2014-7169). They recommend updating bash as soon as possible and continuing to check for further updates over the next several days.

Test for Shellshock Bug

To check if your Linux system is vulnerable to Shellshock bug, type the following command in a terminal.

$ env x='() { :;}; echo "Your bash version is vulnerable"' bash -c "echo This is a test"

If your Linux system is exposed to the Shellshock exploit, the output of the command will be:

Your bash version is vulnerable
This is a test

In the above command, an environment variable called x is placed in the environment of the bash process. Its value is not a plain string: it starts with "() {", which is how bash marks an exported function definition, followed by an arbitrary command (echo "Your bash version is vulnerable"). A vulnerable bash keeps parsing past the closing brace when it imports the function and executes that trailing command before it runs the command given with -c. A patched bash ignores everything after the function body and prints only "This is a test" (early patched builds also print a warning on stderr that the function definition attempt for x was ignored).
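The one-liner above only covers CVE-2014-6271. The following script, an added example and not part of the original article, wraps that probe in a function and adds the widely published check for CVE-2014-7169 (the incomplete first fix), so both can be run against any bash binary from an inventory job. Function names are my own; the CVE-2014-7169 probe relies on a parser bug that turns the harmless command "echo date" into a redirection that creates a file named "echo", so it is run inside a scratch directory.

```shell
#!/bin/sh
# Added example (not from the original article): probe a bash binary for the two
# Shellshock CVEs the article names. Function names are assumptions of this example.

# check_6271 BASH_PATH
# Prints "vulnerable", "patched", or "missing" (binary not found / not executable).
check_6271() {
    bash_bin=$1
    [ -x "$bash_bin" ] || { echo missing; return 0; }
    # The value of x begins with "() {", which bash treats as an exported function
    # definition. A vulnerable bash keeps parsing after the closing brace and runs
    # the trailing command while importing its environment, before the -c command.
    # A patched bash stops at the brace, so the marker never appears on stdout.
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' "$bash_bin" -c 'echo probe' 2>/dev/null) || true
    case $out in
        *SHELLSHOCK_MARKER*) echo vulnerable ;;
        *)                   echo patched ;;
    esac
}

# check_7169 BASH_PATH
# The first fix for CVE-2014-6271 was incomplete: the crafted definition below
# leaves a stray output redirection pending in the parser, so the -c command
# "echo date" runs as "> echo date": date executes with its output written to a
# file named "echo" in the working directory. We look for that file.
check_7169() {
    bash_bin=$1
    [ -x "$bash_bin" ] || { echo missing; return 0; }
    scratch=$(mktemp -d) || { echo missing; return 0; }
    ( cd "$scratch" && env X='() { (a)=>\' "$bash_bin" -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -f "$scratch/echo" ]; then
        result=vulnerable
    else
        result=patched
    fi
    rm -rf "$scratch"
    echo "$result"
}

# shellshock_report BASH_PATH: one line per CVE, easy to grep from a fleet-wide job.
shellshock_report() {
    printf 'CVE-2014-6271: %s\n' "$(check_6271 "$1")"
    printf 'CVE-2014-7169: %s\n' "$(check_7169 "$1")"
}

# Usage: sh shellshock-check.sh [/path/to/bash]   (defaults to the bash found in PATH)
shellshock_report "${1:-$(command -v bash)}"
```

Point the script at each bash binary that matters, not just the one in PATH: chroots, containers and statically linked copies shipped with appliances each carry their own. A result of "patched" for both lines means the two probes no longer trigger; it does not rule out later, separately numbered parser bugs, which is why the article advises continuing to check for updates.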

Apply Fix for Shellshock Bug

You can install the newly released patch for bash as follows.

On Debian and derivatives:

# aptitude update && aptitude safe-upgrade bash

On Red Hat-based distributions:

# yum update bash

(Screenshots of the bash version string on Debian and CentOS before and after installing the patch are not reproduced here.)

Note that the bash version string reported by the shell does not change in either distribution before and after installing the patch, because the distributions backport the fix into the version they already ship. You can verify that the patch was installed by checking the package release number, which does change (dpkg -l bash on Debian, rpm -q bash on CentOS), by observing the behavior of the update commands (most likely you will be asked to confirm the installation), and by re-running the test command above, which should now print only "This is a test".

If for some reason you cannot install the patch, or if your distribution has not yet released one, it is recommended to use another shell until a fix is available. Keep in mind that this only protects your own interactive sessions: scripts that begin with #!/bin/bash, and services that call /bin/sh on systems where /bin/sh is bash, still invoke the vulnerable binary.
