How to Protect Your Server Against the Shellshock Bash Vulnerability

Ubuntu now has the latest version of Bash sent out to their repositories. More info here:

http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-7169.html

Thanks for this. Fixed it on my home computer and remote server. Awesome!

After update, is there any need to restart anything ??

I am with CentOS 6.5 x32

Hey Guys,

I just checked & updated the path on one of our production server.

After doing a “yum update bash”, rechecked:

env VAR=‘() { :;}; echo Bash is vulnerable!’ bash -c “echo Bash Test”

It simply gave below output:

Bash Test

Is this still vulnerable or patches updated? Please suggest.

Cheers, Vasu

Here’s Puppet code to patch it on CentOS:

exec { 'patch_shellshock_security_hole':
  command => "/usr/bin/yes | /usr/bin/yum update bash; touch /root/shellshock_bug_has_been_patched",
  creates => '/root/shellshock_bug_has_been_patched',
}

I have just tested this code and it worked fine on CentOS 6.4.

Ross

Same for Ubuntu 13.10?

i have 4.5.1(1) on 2 Ubuntu Servers. Does that mean not vulnerable? Test says otherwise. You state 4.3 is the latest.

I think, even if it’s not vulnerable, it’s a good idea to update bash to lastest version

I have Ubuntu 12.10 that is not more supported… what the best way to upgrade?

I hadn’t touched my droplet in quite a while - turns out I’m on 12.04 which has been EOL’ed and can’t seem to be updated. Any suggestions on how to handle this?

The CentOS yum repository has the fix. I just installed it on my CentOS 6.5 droplets.

Not so fast! Give it a try, still vulnerable!

env -i X=' () { }; echo hello' bash -c 'date'

https://shellshocker.net/

Thank you Digital Ocean, I am very happy with your hosting company :)

if you have some old / EOL release, this code may help you.

it requires you to have a compiler, patch & make, as such you may need to install these packages

for Ubuntu you can do

for CentOS/variants

(you may uninstall them afterwards if you no longer need)

after that, you can install bash from scratch, follow these commands (taken from the internet somewhere)

can first “cd /tmp” or start in any directory of your choice; must be executed as root [updated 2014-09-27 0900 EST [GMT-0500] now 26 patches instead of 25] [updated 2014-09-28 0900 EST [GMT-0500] now 27] [updated 2014-10-01 1400 EST [GMT-0500] now 28] [updated 2014-10-02 2300 EST [GMT-0500] now 29]

mkdir src
cd src
wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
#download all patches
for i in $(seq -f "%03g" 0 30); do wget     http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i; done
tar zxvf bash-4.3.tar.gz 
cd bash-4.3
#apply all patches
for i in $(seq -f "%03g" 0 30);do patch -p0 < ../bash43-$i; done
#build and install
./configure && make && make install
cd .. 
cd ..
rm -r src

after this you should have the newest bash installed on your system

run the test again to check yourself

env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"

you should be good to go now!

To update from an older version of ubuntu (e.g. saucy), run this first:

sudo sed -i 's/saucy/trusty/g' /etc/apt/sources.list

That will update your sources to the newer ones. It might cause some incompatibility eventually, but it let me fix this problem for now.

I did the update and now can no longer SSH into my droplet. Anyone have any thoughts?

For people using ServerPilot to manage servers running PHP and WordPress sites, your servers are already patched. More info here:

https://www.serverpilot.io/blog/2014/09/25/bash-shellshock-security-updates.html

Ubuntu here… 4 droplets. Worked for versions 12.04 and 14.04 but not working in version 13.10

after running the apt-get command

… bash is already the newest version. 0 upgraded, 0 newly installed, 0 to remove and 84 not upgraded.

but vulnerability still there based in the test for version 13.10 as i said.

Thanks for making it easy. Just two commands, one to see that I need a fix and one to fix it. All done! I’m no linux guru, I just want to run a wordpress server!

I have some droplets with:

Distributor ID: Ubuntu Description: Ubuntu 12.10 Release: 12.10 Codename: quantal

And they don’t update. What i need to do so?

i mean, threre wont be a patch for this (others) version?

For older versions of Ubuntu you can follow the steps here:

http://cloudgames.com/blog/fix-bash-exploit-old-new-releases-ubuntu-apt-get/

You can update the respository to get the latest bash version and then can always set the repository back to the original after updating bash.

Here is what I did for my Ubuntu droplet…

apt-get update && apt-get -y upgrade apt-get install -y bash

seems to have worked

I do an apt-get update and even an apt-get upgrade on my Debian(6) squeeze and it says all packages are up to date so sudo apt-get update && sudo apt-get install --only-upgrade bash does not do anything. Bash is latest version and still not fixed, any other way i can update it?

Great article, well written and easy to follow. Thanks!

Thanks this really useful, i have fixed my bash!!!

If the test on http://shellshock.brandonpotter.com/ is showing no vulnerabilities, but the bash test command does show vulnerabilities, do you think we are safe to wait until the full fix is released?

Thank you,

Hello -

Is it really fixed? :

Still more vulnerabilities in bash? Shellshock becomes whack-a-mole http://arstechnica.com/security/2014/09/still-more-vulnerabilities-in-bash-shellshock-becomes-whack-a-mole/

From the above article I think it is not fixed.

cfg83

Hello -

On my 14.x Ubuntu droplet I am patched up to bash 4.3.11(1)-release

I went here :

https://twitter.com/taviso/status/514887394294652929

And tried this test :

env X='() { (a)=>\' bash -c "echo echo vuln"; [[ "$(cat echo)" == "vuln" ]] && echo "still vulnerable :("

And got this output :

bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
echo vuln
still vulnerable :(

Question: Is the above test legitimate?

cfg83

Thanks a lot, just fixed it on my holaunblocker.com droplet.

Thanks. It worked out perfectly on Ubuntu 14.04 and 12.04.

Does anybody know how to upgrade bash on Debian lenny?

You must use the squeeze-lts repository in order to continue receiving updates to Debian 6 Squeeze

To add this repository, edit /etc/apt/sources.list and add the line

deb http://ftp.us.debian.org/debian squeeze-lts main non-free contrib

To update only bash, after running apt-get update use apt-get install --only-upgrade bash

You all should have been using Zsh instead of Bash in the first place.

We all ought to be using Zsh instead of Bash in the first place.

If you’re using gd’s solution below to build from scratch, change the two loop values from 25 to 26:

for i in $(seq -f “%03g” 0 26); do …

because there is one more patch available, dealing with the latest vulnerability.

Thanks a lot, but is there any opportunity to update my OS X Server?

BTW, here is good HOWTO to protect web applications agains ShellShock, not only servers.

Debian 7 works great!

env VAR=‘() { :;}; echo Bash is vulnerable!’ bash -c “echo Bash Test” Bash is vulnerable! Bash Test So… env VAR=‘() { :;}; echo Bash is vulnerable!’ bash -c “echo Bash Test” Bash Test

Fucking thank you!!!

Great article. Thanks for simplifying it.

Just wanted to say thank you. I am very happy to see that the documentation is growing!

Keep up the excellent work and thank you for your detailed article!

Worked flawlessly on our gitlab

My debian server now passes the above “Check System Vulnerability” test. But I read elsewhere of the test below, which fails: env var='() {(a)=>' bash -c “echo date”; cat echo

Apparently a patched system should not print the date, but my system does. Is this something that requires action in addition to the instructions above?