Shellshock Bash Important Vulnerability

10 years ago

Announce a severe vulnerability called shellshock affects many version of bash – is a 22 year old bug, from version 1.13 and up to version 4.3- command interpreter which is a important security risk to unix linux and apple OS X system. Systems not using bash shell are not affected.

This is rated a top risk vulnerability and is more serious than the Heartbleed bug because shellshock exploits bash shell which is used by many millions of computers and routers in the world and heartbleed could be used for password stealing but shellshock can give attacker full access to system.

Shellshock puts especially apache web servers at risk because cgi scripts using bash are vulnerable to remote-code injection.  Also openssh and some dhcp client are also affected have system using bash.

CVE-2014-6271 says that process trailing string after function definitions in values of environment variable can mean remote attackers can run code such as is seen with forcecommand feature in openssh sshd, the mod_cgi and mod_cgid modules in apache http server. At time of writing bash version 3.2.51-1- still vulnerable so follow advice in later CVE-2014-6271.

How to check if your system is vulnerable

Windows or other systems not using bash

Such system are not vulnerable.

Apple OSX

$ rm -f echo $ env X='() { (a)=>\' sh -c "echo date"; cat echo sh: X: line 1: syntax error near unexpected token `=' sh: X: line 1: `' sh: error importing function definition for `X'

If you see date in output of command above your bash is vulnerable. Official patch is not yet been released.

Linux

You can test system by running test command from terminal:

env x='() { :;}; echo vulnerable' bash -c 'echo hello'

If not vulnerable you will see:

bash: warning: x: ignoring function definition attempt bash: error importing function definition for `x' hello

If your system is vulnerable you will see:

vulnerable hello

You can also check version of bash on system you are running:

bash --version

If you get version 3.2.51-1, you need to update. Many linux distributions are already patched.

Tags:

Leave a Reply

Your email address will not be published. Required fields are marked *