A remote code execution bug in Bash, dubbed ‘Shell Shock’, has been uncovered by Stéphane Chazelas, a security and Linux specialist working for a large software firm. Here’s how to figure out whether your systems are vulnerable and how to fix the vulnerability on CentOS, Ubuntu and Mac.


Over 1 Million Systems / Devices May Be Affected


The media were quick to state that this bug is worse than the Heartbleed bug. They’re right and wrong. They’re right that this is bad, really bad, because a lot of old machines and devices cannot be patched, or will never be patched, and will stay vulnerable for life, allowing attackers to access your security cameras, DVRs and other devices that will never be fixed. On the other hand, awareness is spreading quickly and a patch has already been issued. It has been estimated that only a few million devices are affected.

How To Determine If Your System Is Vulnerable

On CentOS / Red Hat, open up a terminal and run the following command:

rpm -qa bash

You should get something like bash-4.1.2-15.el6_5.1.x86_64 if your system is running the latest patches.


The following Bash versions have already been patched (and are apparently only partially affected by the bug):

  • Red Hat Enterprise Linux 7 – bash-4.2.45-5.el7_0.2
  • Red Hat Enterprise Linux 6 – bash-4.1.2-15.el6_5.1
  • Red Hat Enterprise Linux 5 – bash-3.2-33.el5.1

How Close Is Red Hat (RHEL) to CentOS?

CentOS is basically the free, non-trademarked rebuild of Red Hat Enterprise Linux. As far as Bash is concerned, CentOS is exactly the same, so the package versions are the same.

WAIT, My System Runs An Old Version, How Do I Update Bash on CentOS?

If you’re on CentOS / Red Hat, updating Bash is easy, and if you’re using a control panel like WHM it should already have installed the latest “safe” version of Bash.

Simply run this command:

yum update bash

I’m On Ubuntu Or A Similar Distribution

On Ubuntu and similar distributions, refresh the package lists and then upgrade the bash package (apt-get update takes no package argument, so the upgrade is a separate step):

apt-get update && apt-get install --only-upgrade bash

WAIT, How Do I Determine What Linux Version I Am Running?

This depends on your Linux distribution, but you should be able to get results by running the following command:

cat /etc/*release*

If you’re on CentOS 6 you will get back something like:

  • CentOS release 6.5 (Final)
  • CentOS release 6.5 (Final)
  • CentOS release 6.5 (Final)

You can now compare the bash versions above with your own and determine if your system is vulnerable.

What else should I know about this bug?

Mac users are greatly affected. Apparently some versions of Mac OS ship a very old Bash version. If you run any Apple devices, make sure to update them.

Some devices allow you to log into bash manually. For that, connect the device to a network and access it via its IP address. If you’re on Windows you can use PuTTY to log into some machines. Read the device’s manual for further instructions. Apparently, security cameras are also often affected.

I’m On Ubuntu, What Else Can You Tell Me?

Ubuntu users are just as vulnerable as some Mac users.

To check your bash package version you can use dpkg:

dpkg -s bash | grep Version

The following Ubuntu Bash versions are considered ‘fixed’:

  • 4.3-7ubuntu1.1
  • 4.2-2ubuntu2.2
  • 4.1-2ubuntu3.1
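The post tells you to compare your installed Bash package against the fixed versions listed above (the RPM versions under the CentOS / Red Hat section and the dpkg versions just above). The following script is an added example, not part of the original post: it parses the output of rpm -qa bash or dpkg -s bash, picks the fixed build for the same upstream branch from the post's lists, and orders the two version strings with a simplified rpm/dpkg comparison rule (numeric segments as integers, alphabetic segments lexically, a longer version beats its own prefix), which is sufficient for the version strings the post lists. The sample outputs in the block are constructed, not captured from a real host.

```python
import re

# Fixed package versions quoted in the post, keyed by upstream major.minor.
FIXED_RPM = {"4.2": "4.2.45-5.el7_0.2",   # RHEL/CentOS 7
             "4.1": "4.1.2-15.el6_5.1",   # RHEL/CentOS 6
             "3.2": "3.2-33.el5.1"}       # RHEL/CentOS 5
FIXED_DEB = {"4.3": "4.3-7ubuntu1.1", "4.2": "4.2-2ubuntu2.2", "4.1": "4.1-2ubuntu3.1"}

def segments(v):
    """Split '4.1.2-15.el6_5.1' into ['4','1','2','15','el','6','5','1']."""
    return re.findall(r"\d+|[A-Za-z]+", v)

def vercmp(a, b):
    """Return -1/0/1, simplified rpmvercmp: numeric segments compare as integers,
    alphabetic ones lexically, numeric beats alphabetic, longer beats its prefix."""
    for x, y in zip(segments(a), segments(b)):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    la, lb = len(segments(a)), len(segments(b))
    return (la > lb) - (la < lb)

def parse_rpm(line):
    """'bash-4.1.2-15.el6_5.1.x86_64' (rpm -qa bash) -> '4.1.2-15.el6_5.1'."""
    m = re.match(r"^bash-([^-]+)-(.+)\.[^.]+$", line.strip())
    if not m:
        raise ValueError("unexpected rpm -qa output: %r" % line)
    return "%s-%s" % (m.group(1), m.group(2))

def parse_dpkg(text):
    """Pull the Version: field out of `dpkg -s bash` output."""
    m = re.search(r"^Version:\s*(\S+)", text, re.M)
    if not m:
        raise ValueError("no Version: line in dpkg -s output")
    return m.group(1)

def is_fixed(version, table):
    """True if version is at least the fixed build for its upstream branch,
    False if older, None if the branch is not one the post lists."""
    fixed = table.get(".".join(segments(version)[:2]))
    return None if fixed is None else vercmp(version, fixed) >= 0

if __name__ == "__main__":
    label = {True: "fixed", False: "VULNERABLE", None: "branch not listed"}
    for line in ["bash-4.1.2-15.el6_5.1.x86_64", "bash-4.1.2-14.el6.x86_64"]:
        print(line, "->", label[is_fixed(parse_rpm(line), FIXED_RPM)])
    print("4.3-7ubuntu1 ->", label[is_fixed("4.3-7ubuntu1", FIXED_DEB)])
```

A result of "branch not listed" means the post's tables say nothing about that Bash branch; check your vendor's advisory instead.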

My company only runs on Microsoft products, am I safe?

For this, I would like to refer you to Troy Hunt, Microsoft MVP and security specialist, who wrote extensively about ShellShock and its potential ramifications for Microsoft users:

ShellShock and Windows

Update: Windows devs, be aware that msysgit includes a vulnerable Bash version.


UPDATES 27-09:

  • The primary attack vector is old CGI scripts; however, it cannot be ruled out that new ways of exploitation will be found
  • A worm exploiting the bug has been found
  • A good workaround is to use a shell other than bash


UPDATES 30.09:

Red Hat has released a warning:

Red Hat has become aware that the patch for CVE-2014-6271 is incomplete. An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions. Source

According to RedHat.com, malware has been identified that is actively exploiting the Shellshock vulnerability, and the issued patch does not fix the problem. In the meantime, all you can really do is switch to a bash alternative and remove bash.

Red Hat also issued a command that you can run to check whether your system is vulnerable. However, I found it to be very unreliable on CentOS (maybe it is more reliable for Red Hat users); it is a better solution to check against the installed bash version:

$ env 'x=() { :;}; echo this system is vulnerable' 'BASH_FUNC_x()=() { :;}; echo this system is vulnerable' bash -c "echo testing only"