on security

Bash vulnerability - what it means and how to fix it

The RedHat team unconvered a little but nasty bug in bash today. It allows people to execute code on your machine without permission. I have seen two names being used: Shellshock and The Bash Bug.

Bash incorrectly parses functions in environment variables. Environment variables is usually ment for configuration settings. For example, Ruby on Rails has the RAILS_ENV-variable that usually is set to ‘development’ or ‘production’ so the application knows in which setting it should run.

How can it be used?

An example where this can be used is when you have access to a system via ssh, but with limited access (for example via git-shell or as a webhosting user). Most of the time you have the right to set environment variables to the system, and this can now be used to run any code.

If you allow your users to run cron scripts on the server, this can also be a way to run code via bash.

System calls from PHP scripts in CGI-mode can be vulnerable (but not if they are run with mod_php).

Check if your system is vulnerable

Most systems running bash are vulnerable, and Mac OS X in particular since they are using an old version of bash. You can input the following code in your terminal (don’t worry, all it does is print some text). I checked on a recently installed Ubuntu Server 14.04 LTS and it was also vulnerable.

Test 1

env x='() { :;}; echo vulnerable' bash -c 'echo test'

If it outputs ‘vulnerable’ then your system is not secure agains this attack and needs to be updated. If your system outputs ‘warning’ and a message that bash is ignoring the function definition attempt your system may be okay.

Test 2

Run the following command ls -l bashtest

It should output the following ls: cannot access bashtest: No such file or directory

Now run env -i X='() { (a)=>\' bash -c 'bashtest'

If you run ls -l bashtest again it should still output the same message as above. If it says something like -rw-r--r-- 1 root root 0 Sep 25 08:32 bashtest your system is vulnerable.

How to protect yourself

The easiest way would be to wait for a fix and then update your system. When I am writing this there is a fix out for most systems that fixes Test 1 above, but not yet a fix for Test 2. It wont hurt to upgrade right now, anyway and do a second upgrade later when fixes is available for both bugs. You can follow the discussion here if you are interested on installing a patch as soon as it is available.

Edit 2014-09-26: The update is out now and it should fix the second test too.

How to update bash on Ubuntu

apt-get update && apt-get install --only-upgrade bash

Or just run apt-get update && apt-get upgrade - it needs to be done sooner or later anyway.

How to update bash on Mac OS X

This thread on Stack Exchange has instructions on how to manually update. Given the severity of this bug I expect Apple to release a fix shortly.