Critical BASH vulnerability discovered – update BASH on your CentOS Linux server now!

Update #3 – Unsurprisingly with all the attention that BASH is now receiving, additional vulnerabilities (CVE-2014-7186 and CVE-2014-7187) have been discovered. They are currently unresolved. For a more detailed write-up, see: http://www.itnews.com.au/News/396256,further-flaws-render-shellshock-patch-ineffective.aspx – when there are updates available to resolve these issues, I will update this post.


Update #2 – A new BASH package has been released which properly resolves this vulnerability (bash-4.1.2-15.el6_5.2) – this post will be updated to reflect this new information.


Update #1 – according to the bug report this vulnerability is still not fully patched (see Comment 23). However, I still recommend updating BASH as directed in this post. When a full bug fix is deployed I will update this post.


A critical security vulnerability has been discovered in BASH which allows for remote code execution. This vulnerability is resolved in update bash-4.1.2-15.el6_5.2 (thanks to the RedHat/CentOS team for getting the updates out so quickly).

For more information, see: http://seclists.org/oss-sec/2014/q3/649 and https://rhn.redhat.com/errata/RHSA-2014-1293.html

An excellent explanation of this bug can be found here.

To test if your version of BASH is vulnerable, run the following command (thanks to this Reddit post):

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If it prints out ‘vulnerable’ – then you are vulnerable.

A tool has been created to remotely test if you’re vulnerable – you can access the BASH ShellShock Test here (thanks Brandon Potter).


To patch this issue, update to the latest version of BASH:

yum clean all && yum update bash

To check which version of BASH is installed, run the following command:

rpm -qa | grep bash

If your version of BASH is earlier than bash-4.1.2-15.el6_5.2 you may be vulnerable.
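As an added example (not part of the original post), the POSIX shell script below wraps the test command and the version check above so they can be run unattended, for instance from a configuration-management or monitoring job, and returns a status code instead of requiring someone to read the output. It assumes bash is on the PATH and, for the package query, that rpm is available; the fixed package name is the one given in this post for CentOS 6.

```shell
#!/bin/sh
# Added example, not from the original post: wrap the post's Shellshock
# (CVE-2014-6271) test so it can run unattended and return a status code.
# Exit status: 0 = patched, 1 = vulnerable, 2 = bash not found.

# The test command from the post. A vulnerable bash parses the value of x
# as a function definition on start-up and keeps going past the closing
# brace, so the trailing "echo vulnerable" runs. A patched bash leaves the
# variable alone (some patch levels print a warning, some do not).
run_shellshock_test() {
    env x='() { :;}; echo vulnerable' bash -c "echo this is a test" 2>&1
}

# Decide from captured output only. The literal marker "vulnerable" is the
# evidence; the "ignoring function definition attempt" warning appears on
# some patched builds and not on others, so its absence means nothing.
classify_output() {
    case "$1" in
        *vulnerable*) echo vulnerable; return 1 ;;
        *)            echo patched;    return 0 ;;
    esac
}

# Run the live test against whatever bash is on PATH.
shellshock_check() {
    command -v bash >/dev/null 2>&1 || { echo "bash not found"; return 2; }
    out=$(run_shellshock_test)
    classify_output "$out"
}

# Report the installed bash package on RPM-based systems (assumes rpm is
# present). The post's fixed version for CentOS 6 is bash-4.1.2-15.el6_5.2;
# anything older should be treated as unpatched.
bash_rpm_version() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available"; return 2; }
    rpm -q bash
}

# Stand-alone entry point: print verdict and package, exit with the verdict.
main() {
    shellshock_check
    rc=$?
    bash_rpm_version || true
    return "$rc"
}

main "$@"
```

Run it as `sh shellshock_check.sh` (the file name is an assumption); a non-zero exit status is what a cron job or monitoring agent should alert on. The classification deliberately ignores the warning lines, since the comments on this post show patched systems both with and without them.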



About Author: Curtis K

Hi! My name is Curtis, and I am the creator of CentOS Blog. Please feel free to comment any suggestions, feedback or questions on my posts!

  • Brad

    Good synopsis, thanks!


  • nenaB

    I ran your suggested test and got the following:

    bash: warning: x: ignoring function definition attempt

    bash: error importing function definition for `x'

    this is a test

  • Sergei

    Hi Curtis!

    Thanks for your post. On Centos 5.4 when executing “yum clean all && yum update bash” I get “No Packages marked for Update”

    # env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    vulnerable
    this is a test

    # bash --version
    GNU bash, version 3.2.25(1)-release (x86_64-redhat-linux-gnu)
    Copyright (C) 2005 Free Software Foundation, Inc.

    In “/etc/yum.repos.d” I have the following repositories:

    # ls
    elrepo.repo ius-dev.repo mirrors-rpmforge rpmforge.repo
    epel.repo ius-release-1.0-13.ius.centos5.noarch.rpm remi.repo rpmforge-testing.repo
    epel-testing.repo ius.repo ius-archive.repo ius-testing.repo

    How do I modify my repositories to download the latest BASH update “bash-4.1.2-15.el6_5.2”?

    Sergei

  • Sergei

    How do I fix bash vulnerability on an older system like Centos 5.4? I get “Nothing to update” when running yum.

    • Joe

      Sergi,

      Go to http://mirror.centos.org/centos/

      For 32-bit:
      # rpm -Uvh bash-4.1.2-15.el6_5.2.i686.rpm
      # rpm -Uvh bash-doc-4.1.2-15.el6_5.2.i686.rpm

      Or

      For 64-bit
      # rpm -Uvh bash-4.1.2-15.el6_5.2.x86_64.rpm
      # rpm -Uvh bash-doc-4.1.2-15.el6_5.2.x86_64.rpm

      Then test via the known vectors or simply type this:

      $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

      • Sergei

        Hi Joe,

        Thanks for your post. Your rpm’s seem to be RH6/CentOS6-compatible. I found this link yesterday for Red Hat 5/CentOS 5 systems which worked for me:

        http://www.linuxito.com/gnu-linux/nivel-alto/438-instalar-paquetes-de-centos-en-un-servidor-red-hat

        If you scroll to the bottom it lists these steps:

        For Red Hat 5/CentOS 5:
        # wget http://centos.mirror.facebook.net/5/updates/x86_64/RPMS/bash-3.2-33.el5.1.x86_64.rpm

        # yum --nogpgcheck localinstall bash-3.2-33.el5.1.x86_64.rpm

        # yum info bash

        Installed Packages
        Name : bash
        Arch : x86_64
        Version : 3.2
        Release : 33.el5.1
        Size : 5.0 M
        Repo : installed
        Summary : The GNU Bourne Again shell (bash) version 3.1.
        URL : http://www.gnu.org/software/bash
        License : GPLv2+
        Description: The GNU Bourne Again shell (Bash) is a shell or command language
        : interpreter that is compatible with the Bourne shell (sh). Bash
        : incorporates useful features from the Korn shell (ksh) and the C
        : shell (csh). Most sh scripts can be run by bash without
        : modification. This package (bash) contains bash version 3.1, which
        : improves POSIX compliance over previous versions.

        That did it:

        $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
        bash: warning: x: ignoring function definition attempt
        bash: error importing function definition for `x'
        this is a test

        My only concern is that it did not update the generic BASH version number:

        # bash --version
        GNU bash, version 3.2.25(1)-release (x86_64-redhat-linux-gnu)
        Copyright (C) 2005 Free Software Foundation, Inc.

        But I think it is fine.

      • Chris Worthington

        Joe,

        What directory are you looking under? I have a 32 bit system and I went here: http://mirror.centos.org/centos/5.10/updates/i386/RPMS/, which only had v 3.25 which is already installed on my system.


  • Roby

    Hi Curtis,
    RedHat announced two fixes – the first was announced on Thursday, the second yesterday (Saturday) – CVE-2014-6271 and CVE-2014-7169. The first was incomplete (An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions.), so they prepared a new one. Is it something similar with the CentOS fix?
    BR

    • centosblog

      Hi Roby,

      Thanks for the heads up – I’ve added an update(3) to the post!

  • MMMMM

    on el6:
    #rpm -qa |grep bash
    #bash-4.1.2-15.el6_5.2.x86_64

    not fixed problem:

    #env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    #this is a test

    on el5:
    #rpm -qa |grep bash
    #bash-3.2-33.el5_10.4

    the same:

    #env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    #this is a test

    what’s going on?

  • john

    Thanks Curtis!


  • Kalings Rajan

    Hi Curtis K

    My CentOS 6.6 server restarts automatically every day or twice a day. I have installed DNS, DHCP, Squid and iptables as well. But there's no log for the unexpected restart in /var/log/messages. So please give me an idea for troubleshooting, or how to stop the auto restart.