Overview
A critical vulnerability has been discovered in GNU Bash. It is triggered through specially crafted environment variables and allows local and remote code execution.
How to test if your bash is vulnerable
In a shell, execute the following command, which tests the system-wide GNU Bash binary for CVE-2014-6271:
env x='() { :;}; echo vulnerable' bash -c "echo test"
To test if you are vulnerable to CVE-2014-7169:
cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
If the date is not printed, you are not vulnerable to CVE-2014-7169.
Recommendations
You should apply the GNU Bash updates provided by the software distributors:
- Debian DSA-3032-1 bash
- Debian DSA-3035-1 bash
- Ubuntu USN-2362-1: Bash vulnerability
- Redhat Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)
- Cisco GNU Bash Environmental Variable Command Injection Vulnerability
- CentOS
If you don’t have a patch for your distribution, or if your distribution isn’t providing patches at all, follow the procedure below to patch your bash from the upstream GNU Bash repository.
Concerning the various GNU Bash patches, the most critical fixes are 025 to 027, which stop the bash parser from being exposed to untrusted input from environment variables. The later patches mainly address other recently discovered vulnerabilities with a lower impact than the original Shellshock vulnerability.
Clone the current git repository of GNU Bash (it includes the patches bash43-025, bash43-026 (fixing the Yacc parsing bug), bash43-027, bash43-028 (fixing the bug reported by Florian Weimer), bash43-029 (fixing the bug reported by Michal Zalewski) and bash43-030):
git clone git://git.sv.gnu.org/bash.git
cd bash
./configure
make
Then check the bash version:
./bash --version
It should reflect version 4.3.30.
Then you should see if the system really is no longer vulnerable. Execute from the GNU Bash build directory:
env x='() { :;}; echo vulnerable' ./bash -c "echo test"
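The two checks from the “How to test” section, wrapped in a function that can be pointed at either the system /bin/bash or the freshly built ./bash. This is an added example, not part of the original advisory; it assumes the binary path is passed as the first argument and uses a mktemp scratch directory instead of writing to /tmp/echo.

```shell
#!/bin/sh
# Added example (not from the advisory): run the advisory's two checks against
# one bash binary and report which CVEs it is still exposed to.
# Returns 0 if neither test triggers, 1 if at least one does, 2 on usage error.

check_bash() {
    bin="${1:-/bin/bash}"   # assumption: path to the bash binary under test
    [ -x "$bin" ] || { echo "no such executable: $bin" >&2; return 2; }
    status=0

    # CVE-2014-6271: commands after the function body in an env var get executed.
    # A fixed bash prints only "test"; a vulnerable one also prints "vulnerable".
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c "echo test" 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "$bin: VULNERABLE to CVE-2014-6271"; status=1 ;;
        *)            echo "$bin: not vulnerable to CVE-2014-6271" ;;
    esac

    # CVE-2014-7169: the leftover ">\" from the env var turns "echo date" into
    # "date > echo", so a vulnerable bash creates a file named "echo" in the
    # current directory instead of printing the word "date".
    tmp=$(mktemp -d) || return 2
    ( cd "$tmp" && env 'x=() { (a)=>\' "$bin" -c "echo date" >/dev/null 2>&1 )
    if [ -e "$tmp/echo" ]; then
        echo "$bin: VULNERABLE to CVE-2014-7169"; status=1
    else
        echo "$bin: not vulnerable to CVE-2014-7169"
    fi
    rm -rf "$tmp"
    return $status
}
```

Run `check_bash /bin/bash` before patching and `check_bash ./bash` from the build directory afterwards; a non-zero exit status means at least one test still triggers.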
If your tests are successful, you can replace the existing GNU Bash binary. The ‘-f’ option is needed since the file is in use:
sudo cp -f ./bash /bin/bash
Don’t forget that currently running bash sessions need to be restarted; which processes still use the old binary can be checked with “lsof”.
Disabling the vulnerable bash functionality
Another option, described by Andreas Bogk, is to disable the whole vulnerable feature in bash. But you’ll need to check whether the feature is required by any other software.
References
- CVE-2014-6271 - GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables
- CVE-2014-6277 - GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables
- CVE-2014-7169 - GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables
- CVE-2014-7186 The redirection implementation in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (
- CVE-2014-7187 Off-by-one error in the read_token_word function in parse.y in GNU Bash through 4.3 bash43-026
- CVE-2014-6271 / Shellshock & How to handle all the shells!
Contact
If you have any question about this vulnerability, feel free to contact us.
Classification of this document
TLP:WHITE information may be distributed without restriction, subject to copyright controls.
Revision
- Version 1.4 - 10 October 2014 - Bash patch 030 added - TLP:WHITE
- Version 1.3 - 4 October 2014 - Bash patch 029 added + upstream ok - TLP:WHITE
- Version 1.2 - 1 October 2014 - Bash patch 028 clarification added - TLP:WHITE
- Version 1.1 - 29 September 2014 - Updates reflecting changes to GNU Bash upstream - TLP:WHITE
- Version 1.0 - 24 September 2014 - TLP:WHITE