Shellshock: Better 'bash' patches now available

The patches are ready. Now it's up to you to put them into place as quickly as possible.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

The first patches for Shellshock didn't offer complete protection. The latest revisions of this patch for the popular Mac OS X, Linux, and Unix bash shell security problem were released on Friday, offering greater defenses against hackers.

The problem with the first patch, as Red Hat explained in its Shellshock FAQ, was that it only took care of the original bash flaw, CVE-2014-6271. This, the true Shellshock bug, is the worst of the bash security holes. But it was not the only one.

Red Hat said: "Shortly after that issue went public a researcher found a similar flaw that wasn’t blocked by the first fix and this was assigned CVE-2014-7169." This bug is also a security problem, but it's not as bad as the other flaw.

Later, Red Hat Product Security researcher Florian Weimer found additional problems and these were designated CVE-2014-7186 and CVE-2014-7187. Fortunately, these bugs are less serious and the latest patch takes care of these as well. As Red Hat's Huzaifa Sidhpurwala told me: "The latest version of bash fixes all the CVE issues."

So, what you want to do now, if you haven't already, is check to see if you're running a vulnerable version of bash.

Run the following command, created by Red Hat, from your bash shell:

env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"

If you see the results below, or something close to them, in your output (the word "vulnerable" printed before the error messages is the giveaway, because it means bash executed the command appended to the function definition):

$ env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
vulnerable
bash: BASH_FUNC_x(): line 0: syntax error near unexpected token `)'
bash: BASH_FUNC_x(): line 0: `BASH_FUNC_x() () { :;}; echo vulnerable'
bash: error importing function definition for `BASH_FUNC_x'
test

...then you're open to Shellshock attacks. If you see:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
bash: error importing function definition for `BASH_FUNC_x()'
test

...you have a version of bash with only the first, CVE-2014-6271 patch applied. It no longer runs commands appended to a function definition, but it can still be attacked through the later flaws. What you want to see is:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `BASH_FUNC_x'
test

...and then you'll know you have a version that's Shellshock resistant.

Next, to see if your bash has been patched for the "7169" trouble, run:

cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo

If you see:

bash: x: line 1: syntax error near unexpected token `='
bash: x: line 1: `'
bash: error importing function definition for `x'
Fri Sep 26 11:49:58 GMT 2014

...with the last line being the current date and time, then you're still vulnerable to a "7169" attack. The malformed function definition leaves the parser in a bad state, so the "echo date" you asked for is run as "> echo date", that is, the date command with its output written to a file named echo in the current directory.

The result you want to see ends with cat reporting that the file was never created (the word "date" printed by the echo command will appear above it):

cat: /tmp/echo: No such file or directory

If you see the above, you're good to go. But, if you see the error message with the date and time, immediately check to see if there's a new patch available for your version of bash.
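The two checks above are easy to get wrong when eyeballing output on dozens of hosts, so here they are wrapped into a small POSIX shell script that returns a single status word. This is an added example, not code from the article or from Red Hat; the function names (check_6271, check_7169, shellshock_status) are this example's own, and it assumes a bash binary on PATH and a writable temp directory. It uses a private temp directory instead of /tmp so the 7169 check never clobbers an existing /tmp/echo.

```shell
#!/bin/sh
# Added example (not from the article or Red Hat): wraps the two
# Shellshock checks the article walks through into functions that
# each return one word, plus a combined status function.
# Assumptions: "bash" is on PATH, mktemp -d works, and the function
# names below are this example's own.

# CVE-2014-6271: a command appended to an exported function definition
# must not execute when a child bash imports its environment.
check_6271() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    # Both spellings of the variable name are tried, as in Red Hat's test.
    # Only an unpatched bash runs the trailing "echo vulnerable".
    out=$(env 'x=() { :;}; echo vulnerable' \
              'BASH_FUNC_x()=() { :;}; echo vulnerable' \
              bash -c 'echo test' 2>&1 || true)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# CVE-2014-7169: the malformed definition leaves the parser with a
# pending redirection, so the command line "echo date" is parsed as
# "> echo date": the date command with stdout sent to a file named
# "echo" in the current directory.  Detect it by looking for that file.
check_7169() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    dir=$(mktemp -d) || { echo "error"; return 1; }
    ( cd "$dir" && env 'x=() { (a)=>\' bash -c 'echo date' ) >/dev/null 2>&1 || true
    if [ -e "$dir/echo" ]; then
        result="vulnerable"
    else
        result="patched"
    fi
    rm -rf "$dir"
    echo "$result"
}

# Combine the two: the 6271 flaw is the serious one, so report it first.
shellshock_status() {
    a=$(check_6271)
    b=$(check_7169)
    if [ "$a" = "no-bash" ]; then
        echo "no-bash"
    elif [ "$a" = "vulnerable" ]; then
        echo "vulnerable-CVE-2014-6271"
    elif [ "$b" = "vulnerable" ]; then
        echo "vulnerable-CVE-2014-7169"
    elif [ "$b" = "error" ]; then
        echo "error"
    else
        echo "patched"
    fi
}

echo "bash status: $(shellshock_status)"
```

Run it from any shell (it invokes bash explicitly for the probes, so it works whether your login shell is bash or not). Anything other than "patched" means you should go looking for a newer bash package before doing anything else.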

That shouldn't be a headache for most system administrators, since patches are now available for all the major Linux distributions and Solaris Unix. Bash is neither the default shell nor even automatically installed on IBM AIX, FreeBSD, OpenBSD, or NetBSD, though if you added it yourself from ports or packages on one of those systems, it needs updating just the same.

For Mac server administrators, it's a different story.

Apple claims that most Mac users are safe from bash attacks. In a statement to sister-site CNET, Apple said OS X systems are safe by default because users "are not exposed to remote exploits of bash unless users configure advanced UNIX services."

The technology giant added: "We are working to quickly provide a software update for our advanced UNIX users."

If you're just running a Mac laptop or desktop, you shouldn't have any worries. What Apple doesn't say, but is nonetheless true, is that if you're running a Mac server to provide network services such as a Web server with CGI scripts or a Dynamic Host Configuration Protocol (DHCP) server, those services can hand attacker-controlled data to bash through environment variables, and you're wide open to being attacked.

While there have been some reports that there are still security problems in bash, it appears that the most up-to-date bash patches have fixed all known security holes at this time.

If you can patch your bash, do it, and do it now. Hackers are already scanning for unprotected servers, and when they find one they automatically attack Web servers, DHCP servers, and any other service that calls on bash.

Worse still, Rapid7's Metasploit penetration-testing tool, which has often been used by hackers to attack sites, now has a Shellshock module. With this and similar script-kiddie tools available, expect the number of attacks to increase dramatically, because almost no technical skill is now needed to launch an assault.
