Bash Code Injection Vulnerability via Specially Crafted Environment Variables

Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271, aka Shellshock, and CVE-2014-7169). This is one of the most severe bugs we have seen in Linux to date. Because of this bug, we are seeing a lot of business impact across the entire world.

Details of CVE-2014-6271

A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.

Details of CVE-2014-7169

It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.

How to Diagnose the flaw

Diagnostic command : 1

Use the following command

env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"

If the output of the above command contains a line containing only the word vulnerable, you are using a vulnerable version of Bash.

[Screenshot: bash-bug-1]

Diagnostic command : 2
Run the command below to check for the bash vulnerability.

env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"

The output shown below suggests the system is vulnerable.
[Screenshot: bash bug]

Diagnostic Command : 3

Run the below command for further diagnosis.

cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo

On a vulnerable system, date and time information will be output and the /tmp/echo file will be created.
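The diagnostic commands above, combined into one repeatable check. This is an added example, not part of the original post: check_bash is a hypothetical helper name, and it runs the tests in a private scratch directory instead of /tmp so an existing /tmp/echo is never touched.

```shell
#!/bin/sh
# Added example: wraps the page's diagnostic commands in a function.
# check_bash is a hypothetical name; pass the bash binary to test
# (defaults to the first bash on PATH). Returns 0 if neither test
# fires, 1 if either does, 2 if the scratch directory cannot be made.
check_bash() {
    bash_bin=${1:-$(command -v bash)}
    status=0

    # Private scratch directory: the CVE-2014-7169 test creates a file
    # named "echo" in the current directory on vulnerable systems.
    scratch=$(mktemp -d) || return 2

    # CVE-2014-6271: a vulnerable bash runs the trailing command while
    # importing the function definition and prints "vulnerable".
    out=$(cd "$scratch" && env 'x=() { :;}; echo vulnerable' \
        'BASH_FUNC_x()=() { :;}; echo vulnerable' \
        "$bash_bin" -c "echo test" 2>/dev/null) || true
    if printf '%s\n' "$out" | grep -qx 'vulnerable'; then
        echo "CVE-2014-6271: VULNERABLE"
        status=1
    else
        echo "CVE-2014-6271: not vulnerable"
    fi

    # CVE-2014-7169: a vulnerable bash creates the file "echo"; a
    # patched one just prints the word "date" and creates nothing.
    (cd "$scratch" && env 'x=() { (a)=>\' \
        "$bash_bin" -c "echo date" >/dev/null 2>&1) || true
    if [ -e "$scratch/echo" ]; then
        echo "CVE-2014-7169: VULNERABLE"
        status=1
    else
        echo "CVE-2014-7169: not vulnerable"
    fi

    rm -rf "$scratch"
    return "$status"
}

# Run once against the default bash (or the path given as $1).
check_bash "$@"
```

The exit status makes the function usable in a loop over servers or in a post-update hook: a non-zero status means the bash package still needs updating.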

Recommended measures to fix bash vulnerability

Although no permanent fix had been declared at the time of writing this post, it is recommended to update or upgrade to the new bash version. All the major distros and crucial repositories have already been updated with a bash package carrying the patch for this issue.

On RHEL 5, 6, 7 / CentOS 5, 6, 7 / Amazon Linux AMI
Use the command given below

# yum clean all
# yum update bash

OR 

# yum clean all
# yum upgrade bash

On Ubuntu 10.x/12.x/14.x
Use the command given below

sudo apt-get update && sudo apt-get install --only-upgrade bash

OR

sudo apt-get update && sudo apt-get install bash

Recheck with diagnostic command

We have already given the diagnostic commands above. After updating/upgrading bash on your servers, re-run them.

We also ran the diagnostic commands after updating/upgrading bash and got the satisfactory results shown below. The outputs are favourable.

Note: The output was taken from two different servers; each screenshot belongs to one of the servers.

[Screenshot: shellshock]

[Screenshot: bash-bug-fix-2]

How I installed in production server in which internet was not available

I will give a brief idea of how I worked in this case. We have CentOS and RHEL servers in the network, and I also use VirtualBox for testing. With the help of yum's downloadonly plugin, I downloaded the updated bash rpm and copied it to the server with scp, where I used the rpm -Uvh command to update the bash package.

I suggest you read: How to download RPM by using yum with installing in system

If you are facing issues with downloading the package or updating/upgrading the bash package, drop your comments; I will be very glad to help you in this regard.

IMPORTANT: See the blog post by SELinux guru Dan Walsh, “What does SELinux do to contain the the bash exploit?”

Reference :

https://access.redhat.com/security/cve/CVE-2014-7169
https://access.redhat.com/security/cve/CVE-2014-6271
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
http://lists.centos.org/pipermail/centos/2014-September/146099.html