Tutorial

How to Protect Your Server Against the Shellshock Bash Vulnerability

Published on September 26, 2014

Security

How to Protect Your Server Against the Shellshock Bash Vulnerability

Introduction

On September 24, 2014, a GNU Bash vulnerability, referred to as Shellshock or the “Bash Bug”, was disclosed. In short, the vulnerability allows remote attackers to execute arbitrary code given certain conditions, by passing strings of code following environment variable assignments. Because of Bash’s ubiquitous status amongst Linux, BSD, and Mac OS X distributions, many computers are vulnerable to Shellshock; all unpatched Bash versions between 1.14 through 4.3 (i.e. all releases until now) are at risk.

The Shellshock vulnerability can be exploited on systems that are running Services or applications that allow unauthorized remote users to assign Bash environment variables. Examples of exploitable systems include the following:

Apache HTTP Servers that use CGI scripts (via mod_cgi and mod_cgid) that are written in Bash or launch to Bash subshells
Certain DHCP clients
OpenSSH servers that use the ForceCommand capability
Various network-exposed services that use Bash

A detailed description of the bug can be found at CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187.

Because the Shellshock vulnerability is very widespread–even more so than the OpenSSL Heartbleed bug–and particularly easy to exploit, it is highly recommended that affected systems are properly updated to fix or mitigate the vulnerability as soon as possible. We will show you how to test if your machines are vulnerable and, if they are, how to update Bash to remove the vulnerability.

Check System Vulnerability

On each of your systems that run Bash, you may check for Shellshock vulnerability by running the following command at the bash prompt:

env 'VAR=() { :;}; echo Bash is vulnerable!' 'FUNCTION()=() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"

The highlighted echo Bash is vulnerable! portion of the command represents where a remote attacker could inject malicious code; arbitrary code following a function definition within an environment variable assignment. Therefore, if you see the following output, your version of Bash is vulnerable and should be updated:

Bash is vulnerable!
Bash Test

If your output does not include the simulated attacker’s payload, i.e. “Bash is vulnerable” is not printed as output, you are protected against at least the first vulnerability (CVE-2014-6271), but you may be vulnerable to the other CVEs that were discovered later. If there are any bash warnings or errors in the output, you should update Bash to its latest version; this process is described in the next section.

If the only thing that is output from the test command is the following, your Bash is safe from Shellshock:

Bash Test

Test Remote Sites

If you simply want to test if websites or specific CGI scripts are vulnerable, use this link: ‘ShellShock’ Bash Vulnerability CVE-2014-6271 Test Tool.

Simply enter the URL of the website or CGI script you want to test in the appropriate form and submit.

Fix Vulnerability: Update Bash

The easiest way to fix the vulnerability is to use your default package manager to update the version of Bash. The following subsections cover updating Bash on various Linux distributions, including Ubuntu, Debian, CentOS, Red Hat, and Fedora.

APT-GET: Ubuntu / Debian

For currently supported versions of Ubuntu or Debian, update Bash to the latest version available via apt-get:

sudo apt-get update && sudo apt-get install --only-upgrade bash

Now check your system vulnerability again by running the command in the previous section (Check System Vulnerability).

End of Life Ubuntu / Debian Releases

If you are running a release of Ubuntu / Debian that is considered end of life status, you will have to upgrade to a supported to use the package manager to update Bash. The following command can be used to upgrade to a new release (it is recommended that you back up your server and important data first, in case you run into any issues):

sudo do-release-upgrade

After the upgrade is complete, ensure that you update Bash.

YUM: CentOS / Red Hat / Fedora

Update Bash to the latest version available via yum:

sudo yum update bash

Now check your system vulnerability again by running the command in the previous section (Check System Vulnerability).

End of Life CentOS / Red Hat / Fedora Releases

If you are running a release of CentOS / Red Hat / Fedora that is considered end of life status, you will have to upgrade to a supported to use the package manager to update Bash. The following command can be used to upgrade to a new release (it is recommended that you back up your server and important data first, in case you run into any issues):

sudo yum update

After the upgrade is complete, ensure that you update Bash.

Conclusion

Be sure to update all of your affected servers to the latest version of Bash! Also, be sure to keep your servers up to date with the latest security updates!

Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.

Learn more about our products

About the authors

Mitchell Anicas

author

Still looking for an answer?

Ask a question Search for more help

Was this helpful?

10 Comments

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

756ea744b5d048f490eefa748d4f97 • September 25, 2014

Ubuntu now has the latest version of Bash sent out to their repositories. More info here:

http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-7169.html

Daniel Gheorghe • September 26, 2014

Thanks for this. Fixed it on my home computer and remote server. Awesome!

hunky • September 26, 2014

After update, is there any need to restart anything ??

I am with CentOS 6.5 x32

vasuparvatham • September 26, 2014

Hey Guys,

I just checked & updated the path on one of our production server.

After doing a “yum update bash”, rechecked:

env VAR=‘() { :;}; echo Bash is vulnerable!’ bash -c “echo Bash Test”

It simply gave below output:

Bash Test

Is this still vulnerable or patches updated? Please suggest.

Cheers, Vasu

Ross Williams • September 26, 2014

Here’s Puppet code to patch it on CentOS:

exec { 'patch_shellshock_security_hole':
  command => "/usr/bin/yes | /usr/bin/yum update bash; touch /root/shellshock_bug_has_been_patched",
  creates => '/root/shellshock_bug_has_been_patched',
}

I have just tested this code and it worked fine on CentOS 6.4.

Ross

5d7f3ae5e70092e467df4fd3001215 • September 26, 2014

Same for Ubuntu 13.10?

cyborg9799 • September 26, 2014

i have 4.5.1(1) on 2 Ubuntu Servers. Does that mean not vulnerable? Test says otherwise. You state 4.3 is the latest.

Xavior • September 26, 2014

I think, even if it’s not vulnerable, it’s a good idea to update bash to lastest version

esteban • September 26, 2014

I have Ubuntu 12.10 that is not more supported… what the best way to upgrade?

msomers • September 26, 2014

I hadn’t touched my droplet in quite a while - turns out I’m on 12.04 which has been EOL’ed and can’t seem to be updated. Any suggestions on how to handle this?