26 Sep

Security Advisory – Critical Bash Shell Vulnerability – Fix Available

A vulnerability has recently been disclosed in Bash (the GNU Bourne Again shell) which affects all systems running Linux. It allows anyone who can supply the value of an environment variable to a Bash process (for example, through a service that passes user-provided input into environment variables) to execute arbitrary commands with the privileges of that service. This issue does not permit direct privilege escalation. It has been assigned the ID CVE-2014-6271 [1] in the Common Vulnerabilities and Exposures database and has been given the nickname “Shellshock.”

CentOS and Debian patched this vulnerability partially on September 24, 2014 and issued further fixes on September 25, 2014 under the new ID CVE-2014-7169 [2]. To apply the fixes, you need only update the installed Bash package. If you have created any services that run entirely as a Bash shell script, you should restart those services after updating, since an already-running Bash process keeps executing the old, vulnerable code until it is restarted. Bash-based services are not common.

Windows and FreeBSD servers do not use Bash by default and are not generally affected. If you have installed Bash on your server manually, you should make sure it is up to date using the process by which you originally installed it.

Please review the sections below to determine how to update Bash on your server.

CENTOS

To check which version of Bash is installed, run the following command:

rpm -q bash

The version number should be greater than or equal to one of the following:

* CentOS 5: bash-3.2-33.el5_10.4
* CentOS 6: bash-4.1.2-15.el6_5.2
* CentOS 7: bash-4.2.45-5.el7_0.4

The important portion of the version number is the part beginning with “.elX_”, where X is 5, 6, or 7. If you read the part after the “_” as a decimal number, it must be greater than or equal to the number listed for your release. For example, for “.el6_” the number should be 5.2 or any higher number. A version with no “.elX_” part at all (such as “bash-4.1.2-15.el6”) is an unpatched build and must be updated.

If your version does not match, please run the following command and ensure an update to the bash package is included:

yum -y update bash

If no update is available, please run the following command to discard the cached repository metadata, then repeat the update command above:

yum clean metadata

Red Hat published the following advisories regarding this vulnerability:

* https://access.redhat.com/security/cve/CVE-2014-6271
* https://access.redhat.com/security/cve/CVE-2014-7169
* https://rhn.redhat.com/errata/RHSA-2014-1293.html
* https://rhn.redhat.com/errata/RHSA-2014-1306.html
* https://access.redhat.com/articles/1200223
* https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

DEBIAN 7

To check which version of Bash is installed, run the following command:

dpkg -s bash | grep Version

The version number should be greater than or equal to 4.2+dfsg-0.1+deb7u3.

The notable part to look for is the “+deb7u3” at the end. If the last number is not 3 or higher, or the “+deb7u” part is missing entirely, you will need to upgrade. If your version does not match, please run the following commands and ensure an update to the bash package is included:

apt-get update
apt-get install -y bash
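The version checks for both the CentOS and Debian 7 sections above, as an added script that is not part of the original advisory. It takes the text printed by `rpm -q bash` or `dpkg -s bash | grep Version` (the sample inputs below are constructed, not live query output) and compares the ".elX_" or "+deb7u" release suffix against the minimums listed; it goes slightly beyond the advisory's decimal rule by comparing each dot-separated component numerically, which is how rpm orders releases (so 5.10 counts as newer than 5.2).

```shell
#!/bin/sh
# Added example, not part of the advisory: decide whether a reported bash
# package version meets the minimums listed above. Feed it the output of
# `rpm -q bash` (CentOS) or `dpkg -s bash | grep Version` (Debian 7).

# ver_ge A B: true when dotted numeric string A >= B, comparing each
# component as a number (so 5.10 > 5.2, matching how rpm orders releases).
ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# centos_bash_patched "bash-4.1.2-15.el6_5.2.x86_64": true at or above the fix
centos_bash_patched() {
    case "$1" in
        *.el5_*) min=10.4 ;;   # bash-3.2-33.el5_10.4
        *.el6_*) min=5.2 ;;    # bash-4.1.2-15.el6_5.2
        *.el7_*) min=0.4 ;;    # bash-4.2.45-5.el7_0.4
        *) return 1 ;;         # no ".elX_" tag at all: an unpatched build
    esac
    # keep the digits and dots after "_", dropping an arch suffix like .x86_64
    rel=$(printf '%s\n' "$1" | sed -e 's/.*\.el[567]_//' -e 's/[^0-9.].*//' -e 's/\.$//')
    [ -n "$rel" ] && ver_ge "$rel" "$min"
}

# debian7_bash_patched "Version: 4.2+dfsg-0.1+deb7u3": true when the
# "+deb7uN" suffix is present with N >= 3; a missing "+deb7u" means unpatched
debian7_bash_patched() {
    n=$(printf '%s\n' "$1" | sed -n 's/.*+deb7u\([0-9][0-9]*\).*/\1/p')
    [ -n "$n" ] && [ "$n" -ge 3 ]
}

# check_bash_version STRING: route on the packaging scheme and report.
check_bash_version() {
    case "$1" in
        *.el[567]*) centos_bash_patched "$1" ;;
        *)          debian7_bash_patched "$1" ;;
    esac
    if [ $? -eq 0 ]; then echo "PATCHED: $1"; return 0; fi
    echo "UPDATE NEEDED: $1"; return 1
}

# Constructed sample inputs (not live query output); the last one reports UPDATE NEEDED
check_bash_version "bash-4.1.2-15.el6_5.2.x86_64"
check_bash_version "Version: 4.2+dfsg-0.1+deb7u3"
check_bash_version "bash-4.1.2-15.el6.x86_64" || true
```

On a live host, run `check_bash_version "$(rpm -q bash)"` or `check_bash_version "$(dpkg -s bash | grep Version)"` and act on a non-zero exit status.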

Debian published the following advisories regarding this vulnerability:

* https://www.debian.org/security/2014/dsa-3032
* https://www.debian.org/security/2014/dsa-3035