Shellshock Bash Vulnerability: Information and Fix

Unix/Linux/Mac OSX Bash Vulnerability ("Shellshock")

Last updated 10/09/2014 12:00 PM

General Information and Background:

Very brief introduction to Bash

Bash is a Unix shell that runs on a huge number of computers worldwide, and is the default for most of the popular Linux releases. As you've no doubt heard, a major security vulnerability was discovered in this shell on September 24th 2014. The initial vulnerability was discovered and quickly patched on 9/24. However, it was then discovered that the initial patch was incomplete and an additional patch was released on 9/26 that (theoretically) is a complete fix for the issue.

Since the majority of UCD Physics Faculty, Grad Students, Postdocs, etc., use some form of Linux or Mac OSX, it is critical that you ensure your system is secure. The majority of Physics Staff use Windows, so this issue applies much less to those computers, except for very specific cases (continue reading...).

NOTE: The Physics IT Team is actively patching all major Physics servers and systems. As of 9/29/2014, all critical Physics servers have been patched, and the majority of systems overall have been patched. We are actively scanning for any remaining unpatched systems (there are a lot of systems in Physics...). If you're a Faculty member, Postdoc, Grad Student, or are in any way affiliated with Physics, please contact Physics IT at help@physics.ucdavis.edu if you need help patching your system(s). This especially applies to Faculty members who have purchased their own systems that Physics IT may not be fully apprised of. In any case, if you're not sure, or want us to test your system's security, email us at help@physics.ucdavis.edu, call us at (530)752-4923, or come to the IT Office in room 536 during business hours.

What to Do

If you're using Windows, the only way your computer could be vulnerable is if you have installed Cygwin or a similar port of Unix tools. This could include bash, which would most likely be unpatched (see the section below, Cygwin on Windows). If you use any other operating system, including Apple's Mac OS X, see below for details.

Check if Your System is Vulnerable

Updated Test (9/26)

To test for the additional flaws left unfixed by the 9/24 patch, type the following command in a terminal:

env X='() { (a)=>\' sh -c "echo date"; cat echo
You are vulnerable if your output resembles something like this (the most important part being the current time and date printed at the end, and a file called "echo" being created in whatever directory you were in):
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
Fri Sep 26 11:49:58 GMT 2014
You are not vulnerable if your output resembles:
date
cat: echo: No such file or directory
The most important part to note is that it printed "date" instead of running the command called "date", which outputs the current time and date. NOTE: If you've run the test multiple times, you may still have a file called "echo" that contains a past date/time. This can be confusing, since it may seem that your system is vulnerable even if it's been patched. So make sure there is no file called "echo" in whatever directory you're running the test in. Just to be sure, you can run these commands to test for the vulnerability (assuming you don't have a legitimate file named "echo" that you want to keep for some reason):
rm echo
env X='() { (a)=>\' sh -c "echo date"; cat echo

Original Test (9/24)

To test for the original (9/24) flaw, type the following command in a terminal:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If your output is:
vulnerable
this is a test
then you are vulnerable and should upgrade your version of bash to a patched version.
A patched version's output will look like this:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
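The two checks above can be combined into one script that runs the 9/26 test in a freshly created scratch directory, so a stale "echo" file from an earlier run cannot make a patched system look vulnerable. This is an added example and not part of the advisory; the function names are made up here, and the shell under test defaults to bash (pass /bin/sh to check whatever sh resolves to, as the page's 9/26 test does).

```shell
#!/bin/sh
# Added example, not part of the advisory: runs both Shellshock checks from the page
# in a fresh scratch directory so a leftover "echo" file cannot mask a patched system.
# Function names and the default shell under test (bash) are assumptions of this example.

# 9/24 flaw: an exported function definition with a trailing command. If the
# shell printed the word "vulnerable", the trailing command was executed at startup.
classify_0924() {
    case "$1" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# 9/26 flaw: the mis-parsed definition leaves a redirection behind, so "date"
# runs and its output lands in a file named "echo" in the working directory.
# Only a freshly created directory gives a trustworthy answer here.
classify_0926() {
    if [ -f "$1/echo" ]; then echo vulnerable; else echo patched; fi
}

# Runs both tests against the given shell (default: bash). Exit status:
# 0 = both patched, 1 = at least one vulnerable, 2 = shell not found.
run_shellshock_checks() {
    shell="${1:-bash}"
    command -v "$shell" >/dev/null 2>&1 || { echo "shell not found: $shell" >&2; return 2; }
    scratch=$(mktemp -d) || return 2
    # the original 9/24 test; warnings from a patched shell go to stderr and are dropped
    out=$(env x='() { :;}; echo vulnerable' "$shell" -c "echo this is a test" 2>/dev/null)
    r1=$(classify_0924 "$out")
    # the 9/26 test must run inside the scratch directory (subshell, so our cwd is unchanged)
    (cd "$scratch" && env X='() { (a)=>\' "$shell" -c "echo date" >/dev/null 2>&1)
    r2=$(classify_0926 "$scratch")
    rm -rf "$scratch"
    echo "9/24 test: $r1"
    echo "9/26 test: $r2"
    [ "$r1" = patched ] && [ "$r2" = patched ]
}

# Usage: check the shell named on the command line (bash when none is given).
run_shellshock_checks "$@"; status=$?
```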

Fixes:

Ubuntu and variants (Kubuntu, Xubuntu, Mint)

Current and LTS Versions (10.04, 12.04, 14.04, etc.): run the following command to update bash:

apt-get --only-upgrade install bash
and then re-verify using the above test scripts. If it's still vulnerable, try
apt-get install --reinstall bash

Other versions (12.10, 13.04, 9.x or lower):

These are no longer supported and an official patch has not been released. However, there are ways of compiling bash from source or using compatible binaries to secure the system. As a short-term solution (for semi-advanced users), you could replace your bash binary with a symbolic link to another shell (for example, tcsh). This will ensure that any user or program attempting to open bash will instead open tcsh. (This will "secure" the system in that bash will not be able to be exploited, but it may break users' scripts and other things, not to mention the differences in syntax between bash and tcsh.) Make sure to back up/make a copy of your original bash binary before you attempt this, just in case something goes wrong and you need to revert to bash temporarily.

Mac OSX:

UPDATE 9/29: Apple has just released a bash patch for all of their current operating systems. Visit the Apple Downloads page and download the patch for your operating system. (It should soon show up as an automatic software update for your system as well.)

Red Hat Enterprise Linux

(versions 4-7): see the Red Hat page on the vulnerability and note the updates regarding the 9/26 additional patches.

Fedora

The patch has been added to the Fedora repositories, so you should first run the following commands and then verify that the flaw has been resolved using the test script above.

sudo yum clean all
sudo yum update bash

Update: The updated fix has been added to the official Fedora repositories. It is now recommended that, before doing anything else (even if you've already applied the initial patch), you run the command:
sudo yum reinstall bash

Here are the individual links to the .rpms for the patched versions of bash:
Fedora 18 (or lower): These are considered "End of Life" and therefore are not officially supported. It is recommended that you update to a newer version of Fedora. Check back here for other fixes.
Fedora 19*: http://koji.fedoraproject.org/koji/buildinfo?buildID=581028
Fedora 20*: http://koji.fedoraproject.org/koji/buildinfo?buildID=581023
Fedora 21*: http://koji.fedoraproject.org/koji/buildinfo?buildID=581038
*updated since original 9/24 release to include additional discovered vulnerabilities.
For more info specific to Fedora visit this page.

CentOS

Please see: https://www.centosblog.com/criticical-bash-vulnerability-discovered-update-bash-centos-linux-server-now/

Scientific Linux

See https://www.scientificlinux.org/sl-errata/slsa-20141293-1/
UPDATE 9/26: a patch that fixes the vulnerabilities left unpatched by the 9/24 patch is available. See https://www.scientificlinux.org/sl-errata/slsa-20141306-1/

Other *nix distros and Cygwin on Windows

This vulnerability also exists on these systems. There are now many tutorials available online on how to patch other versions of Linux/Unix as well as cygwin on Windows. Please be sure to update your system.