
2014-09-25 Critical security issue in bash (CVE-2014-6271, CVE-2014-7169)

CVE-2014-6271 (Shellshock) is a critical vulnerability in the bash shell that is remotely exploitable. The bash fix for CVE-2014-6271 was incomplete, and command injection is still possible after that patch has been applied; this follow-up issue is tracked as CVE-2014-7169 (Aftershock). Further related issues have been found after these two vulnerabilities.

Find more information.

Secure your server

Ubuntu 14.04

Execute the following commands:

$ sudo apt-get update
$ sudo apt-get install bash

Ubuntu 12.10

Users of Ubuntu 12.10 may not be able to download the latest bash version from the repositories, as support for Ubuntu 12.10 officially ended on May 16 2014.

In this case, download and install the latest Debian package for Ubuntu 14.04:

  • For 64-bit Linux systems:

    $ wget http://security.ubuntu.com/ubuntu/pool/main/b/bash/bash_4.2-2ubuntu2.5_amd64.deb
    $ sudo dpkg -i bash_4.2-2ubuntu2.5_amd64.deb
    
  • For 32-bit Linux systems (note the i386 package must be installed, not the amd64 one):

    $ wget http://security.ubuntu.com/ubuntu/pool/main/b/bash/bash_4.2-2ubuntu2.5_i386.deb
    $ sudo dpkg -i bash_4.2-2ubuntu2.5_i386.deb


Detect whether your server is vulnerable

Shellshock (CVE-2014-6271)

To test that you have successfully updated your installation, type:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you see the following, you have successfully patched bash:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

If you see the following, you are still vulnerable:

vulnerable
this is a test

Aftershock (CVE-2014-7169)

To test that you have successfully updated your installation, type:

$ env var='() {(a)=>\' bash -c "echo date"; cat echo; rm -f echo

If you see one of the following outputs, you have successfully patched bash:

bash: var: line 1: syntax error near unexpected token `='
bash: var: line 1: `'
bash: error importing function definition for `var'
date
cat: echo: No such file or directory

or

date
cat: echo: No such file or directory

If you see the following (with the current date at the end), you are still vulnerable:

bash: var: line 1: syntax error near unexpected token `='
bash: var: line 1: `'
bash: error importing function definition for `var'
Fri Sep 26 09:20:00 UTC 2014
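The two manual checks above (Shellshock and Aftershock) can be wrapped in a small POSIX sh script so that the result is an exit status rather than something to read off the terminal. This is an added example, not part of the original page or of any distribution's tooling: it uses the same two test commands as the page, runs the Aftershock check inside a temporary directory so the stray "echo" file never lands in the working directory, and the function names (check_cve_2014_6271, check_cve_2014_7169, report) are this example's own.

```shell
#!/bin/sh
# Added example: returns an exit status for each of the page's two checks.

# 0 = patched (bash ignored the function-definition trick),
# 1 = vulnerable (the injected "echo vulnerable" ran),
# 2 = bash not installed, so nothing could be tested.
check_cve_2014_6271() {
    command -v bash >/dev/null 2>&1 || return 2
    out=$(env x='() { :;}; echo vulnerable' bash -c "echo this is a test" 2>/dev/null)
    case "$out" in
        *vulnerable*) return 1 ;;
        *)            return 0 ;;
    esac
}

# 0 = patched, 1 = vulnerable (the parser bug ran "date" and wrote its
# output to a file named "echo"), 2 = bash or mktemp unavailable.
# The test runs in a throwaway directory so the "echo" file is cleaned up.
check_cve_2014_7169() {
    command -v bash >/dev/null 2>&1 || return 2
    tmp=$(mktemp -d) || return 2
    ( cd "$tmp" && env var='() {(a)=>\' bash -c "echo date" >/dev/null 2>&1 )
    if [ -e "$tmp/echo" ]; then
        rm -rf "$tmp"
        return 1
    fi
    rm -rf "$tmp"
    return 0
}

# Prints one verdict per CVE and returns 1 if either check did not pass,
# which makes the script usable from a cron job or configuration-management run.
report() {
    status=0
    for cve in 6271 7169; do
        "check_cve_2014_$cve"
        case $? in
            0) echo "CVE-2014-$cve: patched" ;;
            1) echo "CVE-2014-$cve: VULNERABLE"; status=1 ;;
            *) echo "CVE-2014-$cve: could not test (bash missing)"; status=1 ;;
        esac
    done
    return $status
}

report
```

Run it as `sh shellshock-check.sh; echo $?`: a zero exit status means both checks passed on the bash found in PATH. If bash is installed somewhere else (for example a second copy under /usr/local/bin), put that directory first in PATH before running, because the script only tests the bash that `command -v bash` resolves to.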