How to Protect Debian Server Against the Shellshock Bash Vulnerability

On September 24, 2014, a GNU Bash vulnerability, referred to as Shellshock or the "Bash Bug", was disclosed. In short, the vulnerability allows remote attackers to execute arbitrary code given certain conditions, by passing strings of code following environment variable assignments.

The Shellshock vulnerability can be exploited on systems that are running Services or applications that allow unauthorized remote users to assign Bash environment variables. Examples of exploitable systems include the following:

  • Apache HTTP Servers that use CGI scripts (via mod_cgi and mod_cgid) that are written in Bash or launch to Bash subshells
  • Certain DHCP clients
  • OpenSSH servers that use the ForceCommand capability
  • Various network-exposed services that use Bash

Check System Vulnerability

On each of your systems that run Bash, you may check for Shellshock vulnerability by running the following command at the bash prompt:

env ‘VAR=() { :;}; echo Bash is vulnerable!‘ ‘FUNCTION()=() { :;}; echo Bash is vulnerable!‘ bash -c "echo Bash Test"

The highlighted echo Bash is vulnerable! portion of the command represents where a remote attacker could inject malicious code; arbitrary code following a function definition within an environment variable assignment. Therefore, if you see the following output, your version of Bash is vulnerable and should be updated:

Bash is vulnerable!
Bash Test

If your output does not include the simulated attacker's payload, i.e. "Bash is vulnerable" is not printed as output, you are protected against at least the first vulnerability. If there are any bash warnings or errors in the output, you should update Bash to its latest version.

If the only thing that is output from the test command is the following, your Bash is safe from Shellshock:

Bash Test

Fix Vulnerability: Update Bash

For Debian Wheezy Users

If you are running the latest Debian release just run the following commands from your terminal

#apt-get update

#apt-get upgrade

For Debian Squeeze Users

If you are running squeeze you need to add the LTS apt source and update bash:

#vi /etc/apt/sources.list

Add the following lines

deb squeeze-lts main contrib non-free
deb-src squeeze-lts main contrib non-free

Save and exiting the file

Update the source list

#apt-get update

Upgrade bash to the latest version

#apt-get install -t squeeze-lts --only-upgrade bash

Sponsored Link

Leave a comment

Your email address will not be published. Required fields are marked *