bash vulnerability test

The Fedora project posted a simple test to determine if a system is subject to the bash shell vulnerability CVE-2014-6271 announced yesterday.

Another version of the test text can be found in an article by the Red Hat Security team:

[me@mine ~]$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the system is vulnerable the work “vulnerable” will be printed on the line before “this is a test” thus:

[me@mine ~]$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a rest

This flaw in bash was originally reported to Red Hat on 14 September. Fixes to their source trees were applied before the public announcement at 10 AM EDT on 24 September. Updates for Red Hat products were released 2 hours later.

Per Red Hat a reboot is not required to effect these fixes.

There is a second, related, bug CVE-2014-7169 that is currently the subject of a workaround found in Bash Code Injection Vulnerability via Specially Crafted Environment Variables, cited in the above-referenced announcements. That article details how the exploit works and provides Red Hat’s analysis of common use cases (for example how a web server might be compromised). I consider it to be essential reading for all system administrators. Beyond updating bash, Red Hat recommends taking additional measures such as deploying mod_security for Apache web servers (configuring mod_security beyond the defaults is not a trivial task, but there’s lots of good doc on the module’s web site).

Some good follow-up today from Jen Ellis of Security Street here, and another from John Leydon of the Register here.

This entry was posted in Security on by .

About phil

My name is Phil Lembo. In my day job I’m an enterprise IT architect for a leading distribution and services company. The rest of my time I try to maintain a semi-normal family life in the suburbs of Raleigh, NC. E-mail me at philipATlembobrothersDOTcom. The opinions expressed here are entirely my own and not those of my employers, past, present or future (except where I quote others, who will need to accept responsibility for their own rants).