On September 24, 2014, a GNU Bash vulnerability, referred to as Shellshock or the “Bash Bug”, was disclosed. In short, the vulnerability allows remote attackers to execute arbitrary code given certain conditions, by passing strings of code following environment variable assignments.
The Shellshock vulnerability can be exploited on systems that are running Services or applications that allow unauthorized remote users to assign Bash environment variables. Examples of exploitable systems include the following:
- Apache HTTP Servers that use CGI scripts (via mod_cgi and mod_cgid) that are written in Bash or launch to Bash subshells
- Certain DHCP clients
- OpenSSH servers that use the ForceCommand capability
- Various network-exposed services that use Bash
Check System Vulnerability
On each of your systems that run Bash, you may check for Shellshock vulnerability by running the following command at the bash prompt:
env ‘VAR=() { :;}; echo Bash is vulnerable!‘ ‘FUNCTION()=() { :;}; echo Bash is vulnerable!‘ bash -c “echo Bash Test”
The highlighted echo Bash is vulnerable! portion of the command represents where a remote attacker could inject malicious code; arbitrary code following a function definition within an environment variable assignment. Therefore, if you see the following output, your version of Bash is vulnerable and should be updated:
Bash is vulnerable!
Bash Test
If your output does not include the simulated attacker’s payload, i.e. “Bash is vulnerable” is not printed as output, you are protected against at least the first vulnerability. If there are any bash warnings or errors in the output, you should update Bash to its latest version.
If the only thing that is output from the test command is the following, your Bash is safe from Shellshock:
Bash Test
Fix Vulnerability: Update Bash
For Debian Wheezy Users
If you are running the latest Debian release just run the following commands from your terminal
#apt-get update
#apt-get upgrade
For Debian Squeeze Users
If you are running squeeze you need to add the LTS apt source and update bash:
#vi /etc/apt/sources.list
Add the following lines
deb http://http.debian.net/debian squeeze-lts main contrib non-free
deb-src http://http.debian.net/debian squeeze-lts main contrib non-free
Save and exiting the file
Update the source list
#apt-get update
Upgrade bash to the latest version
#apt-get install -t squeeze-lts –only-upgrade bash