](/img/shellshock.png){kind=link}
Hopefully you will have seen the recent press around a discovered security vulnerability that affects the Linux operating system or more specifically the BASH shell and systems that make use of that shell. Maybe you saw the pretty cool logo around recently. (Other logos have been floating around too but this is my fave.)
BASH
BASH (Bourne Again SHell) is a command processor. It is where you type commands you want to run and the shell takes what you type and interprets it and gives you back an output or does something.
The vulnerability is a BASH vulnerability to do with environment variables and remote execution.
When you use BASH you can setup an environment the way that you like using variables. The “system” will also set a lot of the variables. They can be used for other things too and the exploit works by allowing you to run commands remotely through the use of these variables.
More information about BASH can be found at the official website and a good overview is available at Wikipedia.
If you are running a web service and somebody manages to use the exploit they can pretty much do what they want on your system. So the press on this exploit was pretty accurate when they described this as BIG.
](/img/bigger_than_heartbleed.png){kind=link}
The US National Vulnerability Database rated the bug a 10 out of 10 for severity, impact, and exploitability and low for access complexity. It’s easy to exploit and if you get exploited it’s going to hurt!
The Vulnerability
Details of the vulnerability can be found in the Redhat CVE database: CVE-2014-6271
This was fixed with a patch but not completely which led to CVE 7169.
Testing if you’re affected
You can test to see if you are affected by running the following command in a BASH shell prompt.
env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
If you see the word vulnerable in the output then you are at risk of the exploit. Even if you think you have fixed it, the first patch that came out did not completely fix the issue.
Fixing the vulnerability in CentOS or Redhat systems
The vulnerability has been patched and the patched version of BASH has been added to the repositories for CentOS and Redhat.
To fix the vulnerability you need to update BASH:
yum update bash
If you are using a Redhat system it will need to be registered to get the update.
Fix Versions
When you update BASH you need to make sure you get the following package version for your OS:
| OS | Version | Fixed in Version |
|---|---|---|
| Centos | 5 | bash-3.2-33.el5_10.4 |
| 6 | bash-4.1.2-15.el6_5.2 | |
| 7 | bash-4.2.45-5.el7_0.4 | |
| Redhat | 5 | bash-3.2-33.el5_11.4 |
| 6 | bash-4.1.2-15.el6_5.2 | |
| 7 | bash-4.2.45-5.el7_0.4 |
Once you are patched it is worth testing again with the command we tried before. If that looks ok double check to make sure you are not vulnerable to CVE-2014-7169:
cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
If your output looks like the below you should now be patched. Otherwise check through your system to make sure you are up-to-date.
dateĀ
cat: /tmp/echo: No such file or directory
The Shell Shock hullabaloo
There were some things that happened around Shell Shock that made me think further about a lot. Such as the calls for a logo (when there wasn’t one), the publicity hype and how to test an individual package. I thought I would touch on some of those below.
Shell Shock apparently has been around (and known) for many years but didn’t get fixed until the past few days. Now I haven’t researched the history of Shell Shock fully yet so I cannot comment on the age of the vulnerability but I definitely started thinking a lot about how the publicity and dare I say it ‘glamorisation’ of the risk may have been a driver in getting this fixed.
Linux has been around for a long time and the systems and packages it uses have been around a lot longer in some cases. It’s easy to forget that when you are using it to do lots of modern things. Sometimes these things can be lived with or forgotten until they are scrutinised more closely. A little like SSL and Heartbleed this part of web serving was widely used but people probably never paid it much attention until it broke.
If Shell Shock has done anything for me it has increased my desire to know more about Linux and the packages it uses. And - if I can - to help. I really should know more about BASH since I use it everyday and it is now the environment I am most comfortable working in.
And one thing to always remember in the Open Source world - we are standing on the shoulders of giants.
EDIT - not long after publishing this in an effort to learn more about BASH I stumbled across this which kind of echoes some of the thoughts I was having.
Was my employer “shellshocked”?
Like most Redhat users, yes, we were. Thanks to recent work I’ve done to standardise the platform and some choices made in migrating to our new Data Centre patching our systems was quick and pain free. All of our clients are patched and protected. Hopefully I can start to talk about some of the work we have been doing recently to help others in the same situation.
Until then!