How to test for and fix the Shellshock vulnerability
On 09/24/2014 a serious vulnerability was discovered in GNU bash. More details can be found here: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
Follow the steps below to see if your system is vulnerable.
How to test if you are vulnerable
Log in through SSH and run the following command:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If you see this, you are vulnerable:
root@localhost [~]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
If you see this, you are safe:
root@localhost [~]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
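The check above, scripted so it can be run against every bash binary on a host, for example before and after the update. This is an added example, not part of the original article; the function names and the NOT_VULNERABLE and UNKNOWN labels are assumptions made for illustration, and the probe covers only CVE-2014-6271.

```shell
#!/bin/sh
# Added example: the page's CVE-2014-6271 probe wrapped for scripted checks.
# Function names and result labels are made up for this illustration.

# Classify the probe's stdout: a line "vulnerable" means the text after the
# function body in x was executed while bash imported the environment.
classify_probe_output() {
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        echo VULNERABLE
    elif printf '%s\n' "$1" | grep -qx 'this is a test'; then
        echo NOT_VULNERABLE
    else
        echo UNKNOWN    # binary missing, not runnable, or unexpected output
    fi
}

# Run the probe against one bash binary (path in $1) and print the verdict.
check_bash() {
    if [ ! -x "$1" ]; then
        echo UNKNOWN
        return 0
    fi
    # stderr is dropped: patched builds may print import warnings there.
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo this is a test' 2>/dev/null) || true
    classify_probe_output "$out"
}

# Probe the bash on PATH plus every bash listed in /etc/shells.
# Returns 1 if any binary is vulnerable. Paths containing spaces are not handled.
scan_bash_binaries() {
    status=0
    for bin in $( { command -v bash; grep -s '/bash$' /etc/shells; } | sort -u ); do
        result=$(check_bash "$bin")
        printf '%s\t%s\n' "$result" "$bin"
        if [ "$result" = VULNERABLE ]; then
            status=1
        fi
    done
    return "$status"
}

# Run the scan only when asked, e.g.: sh check_shellshock.sh --scan
if [ "${1:-}" = "--scan" ]; then
    scan_bash_binaries
fi
```

A non-zero exit status from the scan means at least one listed bash binary still needs the update.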
How to fix if you are vulnerable
You need to be running bash-4.1.2-15 with current RHEL versions.
RHEL (6 or higher):
# yum clean all && yum update bash
RHEL (older versions):
# rpm -Uvh bash-3.2-33.el5.1.i386.rpm
CentOS:
# yum clean all && yum update bash
Ubuntu:
$ update-manager
-or-
$ sudo apt-get update && sudo apt-get install --only-upgrade bash