Friday, September 26, 2014

Critical bash security issue in all versions of Linux (CVE-2014-7169)

Two days ago we announced a critical, remotely exploitable vulnerability in the bash shell (CVE-2014-6271), known as Shellshock.

The fix for CVE-2014-6271 was incomplete: command injection is still possible even after the patch has been applied. The issue is being tracked as CVE-2014-7169 (Aftershock). Please log in to all of your Bitnami-based Linux VMs or cloud images and upgrade bash. If you are running an Ubuntu machine (and most likely you are), you can execute the following commands:

sudo apt-get update
sudo apt-get install bash

To test that you have successfully updated your installation, type:

env var='() {(a)=>\' bash -c "echo date"; cat echo; rm -f echo

If you get the following, you have successfully patched bash:

bash: var: line 1: syntax error near unexpected token `='
bash: var: line 1: `'
bash: error importing function definition for `var'
date
cat: echo: No such file or directory

If you get the following (with the current date at the end), you are still vulnerable:

bash: var: line 1: syntax error near unexpected token `='
bash: var: line 1: `'
bash: error importing function definition for `var'
Fri Sep 26 09:20:00 UTC 2014
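As an added example (not Bitnami's own code), the POSIX shell script below wraps both probes: the CVE-2014-7169 check above, which looks for the stray "echo" file a vulnerable bash creates, and the original CVE-2014-6271 check quoted in the first comment below. It runs the file-creation probe inside a temporary directory so nothing is left in your working directory, and it accepts an optional path to the bash binary to test.

```shell
#!/bin/sh
# Added example: probe a bash binary for Shellshock (CVE-2014-6271) and the
# incomplete-fix follow-up Aftershock (CVE-2014-7169). Not Bitnami's code.
# Usage: sh shellshock_check.sh [/path/to/bash]   (defaults to bash in PATH)

check_cve_2014_6271() {
    # A patched bash ignores the trailing "; echo vulnerable" after the
    # function body; a vulnerable one executes it while importing the variable.
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

check_cve_2014_7169() {
    # With the incomplete fix, the "=>\" left in the parser turns the command
    # "echo date" into "date > echo", so a file named "echo" appears.
    # Run in a scratch directory so the probe never litters the caller's cwd.
    tmp=$(mktemp -d) || return 2
    ( cd "$tmp" && env var='() {(a)=>\' "$1" -c 'echo date' >/dev/null 2>&1 )
    if [ -f "$tmp/echo" ]; then result=vulnerable; else result=patched; fi
    rm -rf "$tmp"
    echo "$result"
}

shellshock_check() {
    # Prints one line per CVE; exit status 0 only if both probes report patched.
    bin=${1:-$(command -v bash)}
    [ -n "$bin" ] && [ -x "$bin" ] || { echo "no bash binary at '$bin'" >&2; return 2; }
    r6271=$(check_cve_2014_6271 "$bin")
    r7169=$(check_cve_2014_7169 "$bin")
    printf 'CVE-2014-6271: %s\nCVE-2014-7169: %s\n' "$r6271" "$r7169"
    [ "$r6271" = patched ] && [ "$r7169" = patched ]
}

shellshock_check "$@"
```

A non-zero exit status makes the script usable from a configuration-management or monitoring job that needs to flag hosts still running an unpatched bash.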


If you have further questions, please refer to our community forums or contact the helpdesk if you are a commercial Bitnami customer.

More information and possible updates on our wiki.

2 comments:

  1. I ran the update commands, and I am not vulnerable to:
    env var='() {(a)=>\' bash -c "echo date"; cat echo; rm -f echo

    but I am still vulnerable to:
    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

    Any ideas?

    -Colin

  2. Hi, could you post more details in our community forum? Which OS are you using, and which bash version? https://community.bitnami.com/t/critical-security-issues-in-bash-cve-2014-6271-cve-2014-7169/26084

    Regards


Please use our community forum if you have any questions community.bitnami.com