On September 24, 2014, a GNU Bash vulnerability, referred to as Shellshock, was disclosed. The vulnerability allows remote attackers to execute arbitrary code given certain conditions, by passing strings of code following environment variable assignments. Because of Bash’s ubiquitous status amongst Linux, BSD, and Mac OS X distributions, many computers are vulnerable to Shellshock.
All unpatched Bash versions between 1.14 through 4.3 (i.e. all releases until now) are at risk.
The Shellshock vulnerability can be exploited on systems that are running Services or applications that allow unauthorized remote users to assign Bash environment variables. Examples of exploitable systems include the following:
- Apache HTTP Servers that use CGI scripts (via mod_cgi and mod_cgid) that are written in Bash or launch to Bash subshells
- Certain DHCP clients
- OpenSSH servers that use the ForceCommand capability
- Various network-exposed services that use Bash
Because the Shellshock vulnerability is very widespread–even more so than the OpenSSL Heartbleed bug–and particularly easy to exploit, it is highly recommended that affected systems are properly updated to fix or mitigate the vulnerability as soon as possible. We will show you how to test if your machines are vulnerable and, if they are, how to update Bash to remove the vulnerability.
- Check System Vulnerability
- Fix Vulnerability: Update Bash
01. Check System Vulnerability
On each of your systems that run Bash, you may check for Shellshock vulnerability by running the following command at the bash prompt:
The echo Bash is vulnerable! portion of the command represents where a remote attacker could inject malicious code; arbitrary code following a function definition within an environment variable assignment. Therefore, if you see the following output, your version of Bash is vulnerable and needs to be updated.
Bash is vulnerable! Bash Test
Otherwise, if your output does not include the simulated attacker's payload, i.e. "Bash is vulnerable" is not printed as output, your version of bash is not vulnerable. It may look something like this:
bash: warning: VAR: ignoring function definition attempt bash: error importing function definition for `VAR’ Bash Test
02. Fix Vulnerability: Update Bash
The quick way to fix this vulnerability is to use your package manager to update the version of Bash.
For Debian or Ubuntu based systems:
For CentOS or Red Hat or Fedora flavors:
For Mac OSx:
Do you have brew installed? If yes, follow below:
- Add /usr/local/bin/bash to /etc/shells
- Change the default shell with chsh -s /usr/local/bin/bash
Incase you would want to download and compile and do it the manual way, you can refer this documentation
Now re-run the test shown above and see the results you achieve. Also be sure to update all your affected servers to the latest version of Bash!