Sep 29 2014

The newest and most dangerous bug around is the one called “Shellshock”, a security bug in the widely used Unix Bash shell that was disclosed on 24 September 2014. Many Internet daemons, such as web servers, use Bash to process certain commands, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.

The bug causes Bash to unintentionally execute commands when they are stored in specially crafted environment variables. Within days, a series of further related vulnerabilities in Bash were found, leading to the need for further patches.

By 25 September, botnets based on computers compromised with this exploit were being used by attackers for distributed denial-of-service attacks and vulnerability scanning (source: Wikipedia).

Let’s see how to check if your computer or server is vulnerable.

Fortunately, checking whether you are vulnerable is very easy: just open a terminal and issue this command:

env x='() { :;}; echo vulnerable' bash -c "echo Shellshock test"

If your system is vulnerable you will see this output:

myuser@vulnerablepc:~> env x='() { :;}; echo vulnerable' bash -c "echo Shellshock test"
vulnerable
Shellshock test

So you get two lines of output. If the system has already been upgraded, you will get only the second line, or an output such as:

[me@mysafepc ~]$ env x='() { :;}; echo vulnerable' bash -c "echo Shellshock test"
Shellshock test

If your system is vulnerable, you must update it immediately.

Updating your system

To solve the problem, just update the bash package: open a terminal and type the following commands.

Debian, Ubuntu, Mint and derivatives:

sudo apt-get update
sudo apt-get install bash

Fedora, CentOS, Red Hat and derivatives:

sudo yum install bash

Gentoo and derivatives:

Depending on the version of bash that you are using, there are different commands available.

For example, if you are using bash version 4.2, you can use these commands:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-shells/bash-4.2_p48-r1"

openSUSE and derivatives:

sudo zypper install bash

Arch Linux and derivatives such as Chakra, Manjaro, etc.:

sudo pacman -Sy bash

Once you have done the upgrade, I suggest you reboot the system. At this point, just redo the verification and you should have solved every problem!
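A package update only replaces the distribution's own bash, so when redoing the verification it helps to run the test above against every bash binary on the machine. The following script is an added example, not part of the original post; the function name check_bash and the list of candidate paths are assumptions.

```shell
#!/bin/sh
# Added example: run the article's Shellshock test against each bash binary
# found, instead of only the first "bash" in PATH.
# Note: this covers only the test shown in the article, not the related
# Bash bugs found in the following days.

# check_bash BIN -> prints "vulnerable", "patched" or "missing"
check_bash() {
    bin=$1
    if [ ! -x "$bin" ]; then
        echo missing
        return 0
    fi
    # Same command as in the article. stderr is discarded because some
    # patched versions print warnings about the rejected function definition.
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c 'echo Shellshock test' 2>/dev/null) || true
    case $out in
        vulnerable*) echo vulnerable ;;   # the injected echo was executed
        *)           echo patched ;;      # only the intended command ran
    esac
    return 0
}

# Candidate locations (assumed; extend with any custom or chroot installs).
for b in "$(command -v bash 2>/dev/null)" /bin/bash /usr/bin/bash /usr/local/bin/bash; do
    [ -n "$b" ] || continue
    printf '%s: %s\n' "$b" "$(check_bash "$b")"
done
```

Any path reported as vulnerable after the update is a copy that the package manager did not replace and needs to be upgraded or removed separately.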
