Bash security update for RHEL / CentOS / Fedora

Red hat released the Bash vulnerability patch on 25 sep 2014. It right time to update your system bash. This issue affects all products which use the Bash shell and parse values of environment variables. The Bash Code Injection Vulnerability via Specially Crafted Environment Variables. So take further action to keep safe your LINUX BOX. Follow the below procedure to fix your Bash security update.

1) Checking Bash vulnerability

Use the below command to check Bash vulnerability on your linux box. If you got OOPS or vulnerable like below. you need to update your bash to fix the vulnerability. Yes my system also vulnerable and I’m going to fix it.

root@2daygeek [~]# env x='() { :;}; echo OOPS' bash -c /bin/true
OOPS
 
root@2daygeek [~]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

2) Check Bash update available

Use the below command to check whether Bash update is available. Yes update is available.

root@2daygeek [~]# yum list bash
Loaded plugins: fastestmirror, security
Determining fastest mirrors
 * base: mirror.sov.uk.goscomb.net
 * extras: centos.hyve.com
 * updates: mirror.synergyworks.co.uk
base                                                                                                                     | 3.7 kB     00:00     
extras                                                                                                                   | 3.3 kB     00:00     
updates                                                                                                                  | 3.4 kB     00:00     
updates/primary_db                                                                                                       | 5.3 MB     00:00     
Installed Packages
bash.x86_64                                                      4.1.2-15.el6_4                                                         @updates
Available Packages
bash.x86_64                                                      4.1.2-15.el6_5.2                                                       updates

3) Update your system Bash

Use the below command to update your Bash to fix the vulnerability.

root@2daygeek [~]# yum update bash
Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile
 * base: mirror.sov.uk.goscomb.net
 * extras: centos.hyve.com
 * updates: mirror.synergyworks.co.uk
.
.

4) Checking Bash vulnerability

Now, Check once again using the same command which we used in first. Yes vulnerability fixed. I’m moving for coffe to enjoy.

root@2daygeek [~]# env x='() { :;}; echo OOPS' bash -c /bin/true
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'

root@2daygeek [~]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

SECOND FIX UPDATE : CVE-2014-7169

Shellshock Bash Code Injection Vulnerability CVE-2014-6271 fix was incomplete. Redhat security team was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. For updated fix is CVE-2014-7169. For more details

If you done FIRST FIX UPDATE : CVE-2014-6271 then run the below command, your output is like below.

root@2daygeek [~]# env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
bash: error importing function definition for `BASH_FUNC_x()'
test

If you done FIRST FIX UPDATE : CVE-2014-6271 with additional fixes from RHSA-2014:1306, RHSA-2014:1311 and RHSA-2014:1312 produce the following output. If so you have done FIRST FIX UPDATE properly.

root@2daygeek [~]# env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `BASH_FUNC_x'
test

The SECOND FIX UPDATE : CVE-2014-7169 to ensures that the system is protected from the file creation issue, run the below command. If your system is vulnerable, the time and date information will be output on the screen and a file called /tmp/echo will be created

root@2daygeek [~]# cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
bash: x: line 1: syntax error near unexpected token `='
bash: x: line 1: `'
bash: error importing function definition for `x'
Mon Oct  6 06:37:50 BST 2014

If your system is not vulnerable, you will see the below output

date
cat: /tmp/echo: No such file or directory

If your system is vulnerable, run the below command to update your system bash to recent version to fix it.

root@2daygeek [~]# yum update bash

Shellshock Bash Code Injection Vulnerability affected Ubuntu also, For details

About Magesh Maruthamuthu

Love to play with all Linux distribution

View all posts by Magesh Maruthamuthu

Leave a Reply

Your email address will not be published. Required fields are marked *