Secure your server from Bash Shellshock vulnerability

Bash is also called as ‘Bourne Again SHell‘, it act as a command processor allowing the users to interact with the system by interpreting text.  It executes commands read from the standard input or from a file with the help of a command language interpreter called sh.

The Shellshock vulnerability affects the bash shell that uses a subset of Linux. It allow users to issue commands to a computer using text input, rather than a graphic interface, with the help of this vulnerability attackers can read information, write information, run programs, copy and delete files.

Bash supports exporting not just shell variables, but also shell functions to other bash instances, via the process environment to (indirect) child processes. Current bash versions use an environment variable named by the function name, and a function definition starting with “() {” in the variable value to propagate function definitions through the environment. The vulnerability occurs because bash does not stop after processing the function definition; it continues to parse and execute shell commands following the function definition.

The vulnerability comes from a value passed into an environment variable.

VAR=() { ignored; }; /bin/id

will execute /bin/id when the environment is imported into the bash.

How to identify Shellshock vulnerability

The following command will help you to identify the  version of Bash installed on your server is vulnerable to CVE-2014-6271.

env VAR='() { :;}; echo vulnerable bash version’ bash -c “echo Bash Test”

If the output contains the highlighted part “vulnerable bash version” then your bash shell is vulnerable. The remote attackers can inject malicious codes after the end of  a Bash function.

env VAR='() { :;}; echo vulnerable bash version’ bash -c “echo Bash Test”
vulnerable bash version
Bash Test

If your system is not vulnerable then you will get an  output similar to the one give below.

env VAR='() { :;}; echo vulnerable bash version’ bash -c “echo Bash Test”
Bash Test

To test if your version of Bash is vulnerable to CVE-2014-7169, run the following command:

cd /tmp; rm -f /tmp/echo; env ‘x=() { (a)=>\’ bash -c “echo date”; cat /tmp/echo

If your system is vulnerable to CVE-2014-7169 then the above command will create a new file called echo under the folder /tmp and writes time and date information in it.

cd /tmp; rm -f /tmp/echo; env ‘x=() { (a)=>\’ bash -c “echo date”; cat /tmp/echo
bash: x: line 1: syntax error near unexpected token `=’
bash: x: line 1: `’
bash: error importing function definition for `x’
Sun Sep 26 07:10:49 UTC 2014

If your system is not vulnerable then you will get an  output similar to the one give below.

cd /tmp; rm -f /tmp/echo; env ‘x=() { (a)=>\’ bash -c “echo date”; cat /tmp/echo
date
cat: /tmp/echo: No such file or directory

How to fix these issues?

You can fix these issues by updating the current bash version installed on your server to the most recent one.

CentOS / Red Hat / Fedora

yum update bash

Ubuntu / Debian

sudo apt-get update && sudo apt-get install –only-upgrade bash

Refrence: https://access.redhat.com/articles/1200223

Total
0
Shares
Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts