Administration Security

Bash Code Injection Vulnerability (Shellshock)

Products Affected:

Product/Channel Fixed in package Remediation details
Red Hat Enterprise Linux 7 bash-4.2.45-5.el7_0.2 Red Hat Enterprise Linux
Red Hat Enterprise Linux 6 bash-4.1.2-15.el6_5.1 Red Hat Enterprise Linux
bash-4.1.2-15.el6_5.1.sjis.1 Red Hat Enterprise Linux
bash-4.1.2-9.el6_2.1 Red Hat Enterprise Linux 6.2 AUS
bash-4.1.2-15.el6_4.1 Red Hat Enterprise Linux 6.4 EUS
Red Hat Enterprise Linux 5 bash-3.2-33.el5.1 Red Hat Enterprise Linux
bash-3.2-33.el5_11.1.sjis.1 Red Hat Enterprise Linux
bash-3.2-24.el5_6.1 Red Hat Enterprise Linux 5.6 LL
bash-3.2-32.el5_9.2 Red Hat Enterprise Linux 5.9 EUS
Red Hat Enterprise Linux 4 bash-3.0-27.el4.2 Red Hat Enterprise Linux 4 ELS

 

Check the version:

[root@server]# rpm -qa | grep bash
bash-completion-1.3-7.el6.noarch
bash-4.1.2-15.el6_4.x86_64

Diagnostic Steps:

Exploit 1 (CVE-2014-6271)

There are a few different ways to test if your system is vulnerable to shellshock. Try running the following command in a shell.

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you see “vulnerable” you need to update bash. Otherwise, you should be good to go.

Exploit 2 (CVE-2014-7169)

Even after upgrading bash you may still be vulnerable to this exploit. Try running the following code.

env X='() { (shellshocker.net)=>' bash -c "echo date"; cat echo ; rm -f echo

If the above command outputs the current date (it may also show errors), you are still vulnerable.

Exploit 3 (???)

Here is another variation of the exploit. Please leave a comment below if you know the CVE of this exploit.

env -i X=' () { }; echo hello' bash -c 'date'

If the above command outputs “hello”, you are vulnerable.

Exploit 4 (CVE-2014-7186)

bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' ||
echo "CVE-2014-7186 vulnerable, redir_stack"

A vulnerable system will echo the text “CVE-2014-7186 vulnerable, redir_stack”.

Exploit 5 (CVE-2014-7187)

(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash ||
echo "CVE-2014-7187 vulnerable, word_lineno"

A vulnerable system will echo the text “CVE-2014-7187 vulnerable, word_lineno”.

Run update:

[root@server ~]# yum update bash
Loaded plugins: downloadonly, fastestmirror, priorities
Loading mirror speeds from cached hostfile
epel/metalink                                            |  16 kB     00:00
 * base: mirror.hmc.edu
 * epel: mirrors.solfo.com
 * extras: centos.sonn.com
 * updates: linux.mirrors.es.net
base                                                     | 3.7 kB     00:00
extras                                                   | 3.3 kB     00:00
updates                                                  | 3.4 kB     00:00
updates/primary_db                                       | 5.3 MB     00:00
81 packages excluded due to repository priority protections
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package bash.x86_64 0:4.1.2-15.el6_4 will be updated
---> Package bash.x86_64 0:4.1.2-15.el6_5.1 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package       Arch            Version                   Repository        Size
================================================================================
Updating:
 bash          x86_64          4.1.2-15.el6_5.1          updates          905 k

Transaction Summary
================================================================================
Upgrade       1 Package(s)

Total download size: 905 k
Is this ok [y/N]: y
Downloading Packages:
bash-4.1.2-15.el6_5.1.x86_64.rpm                         | 905 kB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating   : bash-4.1.2-15.el6_5.1.x86_64                                 1/2
  Cleanup    : bash-4.1.2-15.el6_4.x86_64                                                                                                                                                        2/2
  Verifying  : bash-4.1.2-15.el6_5.1.x86_64                                                                                                                                                      1/2
  Verifying  : bash-4.1.2-15.el6_4.x86_64                                                                                                                                                        2/2

Updated:
  bash.x86_64 0:4.1.2-15.el6_5.1

Complete!

[root@server ~]# rpm -qa | grep bash
bash-4.1.2-15.el6_5.1.x86_64
bash-completion-1.3-7.el6.noarch

Test after update:

[root@server ~]# env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

For Ubuntu Systems:

apt-get update; apt-get install --only-upgrade bash

For Arch Linux:

pacman -Sy bash

A reboot is not required after the update.

Resources:

https://access.redhat.com/articles/1200223

http://www.reuters.com/article/2014/09/24/us-cybersecurity-bash-idUSKCN0HJ2FQ20140924

http://seclists.org/oss-sec/2014/q3/685

http://www.vox.com/2014/9/25/6843949/the-bash-bug-explained