Bash Bug or “Shellshock” is a vulnerability found in the GNU Bourne Again Shell (Bash). Bash is a command line interpreter used by many distributions of Linux, UNIX, and Mac OS X as well as many different “appliances” such as routers, IP cameras, etc… Let’s get right down to business and figure out how we can check our version of bash to see if it is vulnerable.
Open a shell and run the following command:
env x='() { :;}; echo Your Bash Version is Vulnerable' bash -c "echo Testing..."
If the command returns the following you are vulnerable and should patch your system as soon as possible.
Your Bash Version is Vulnerable
Testing...
If the command returns something similar to below, then you are already patched against this vulnerability.
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
Testing...
To test for the file-creation issue (CVE-2014-7169), which is the second part of this vulnerability, you can run the following command:
cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
If your system is vulnerable, the time and date will be displayed and a file named “echo” will be created in the /tmp directory.
You will see the following output if your system is NOT vulnerable:
date
cat: /tmp/echo: No such file or directory
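As an added example (not from the original post), the script below wraps both probes above in functions that return a one-word status, so the result can be logged or fed to an inventory script instead of being read by eye. The function names are my own; it runs the CVE-2014-7169 probe in a private directory from mktemp rather than /tmp, and the trailing backslash in that probe is required, as in Red Hat’s published test.

```shell
#!/bin/sh
# Added example, not from the original post: report Shellshock status as a word.

# Classify the output of the CVE-2014-6271 probe. Pure function of its input,
# so it can be checked against constructed output strings.
classify_6271() {
    case "$1" in
        *"Your Bash Version is Vulnerable"*)      echo vulnerable ;;
        *"ignoring function definition attempt"*) echo patched ;;
        *)                                        echo unknown ;;
    esac
}

# Run the environment-variable probe from the post against the installed bash.
# stderr is merged because a patched bash prints its warning there.
check_6271() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return; }
    out=$(env x='() { :;}; echo Your Bash Version is Vulnerable' bash -c "echo Testing..." 2>&1)
    classify_6271 "$out"
}

# CVE-2014-7169: run the file-creation probe in a scratch directory and report
# whether the stray "echo" file appeared. The trailing backslash is required.
check_7169() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return; }
    dir=$(mktemp -d) || { echo unknown; return; }
    ( cd "$dir" && env 'x=() { (a)=>\' bash -c "echo date" ) >/dev/null 2>&1 || true
    if [ -e "$dir/echo" ]; then status=vulnerable; else status=patched; fi
    rm -rf "$dir"
    echo "$status"
}

# Overall verdict: vulnerable if either probe is.
shellshock_status() {
    a=$(check_6271); b=$(check_7169)
    case "$a$b" in
        *vulnerable*) echo vulnerable ;;
        *no-bash*)    echo no-bash ;;
        *)            echo patched ;;
    esac
}

echo "CVE-2014-6271: $(check_6271)"
echo "CVE-2014-7169: $(check_7169)"
echo "overall: $(shellshock_status)"
```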
If you are running Red Hat, CentOS, or Fedora, you can easily patch your system with the following command (all patches have been released as of 9-26-2014).
yum update bash
An unpatched version of bash on a workstation or a computer behind a firewall is fairly safe. This problem is a lot worse for people running servers available on the internet. Next, check whether the distribution you are using has issued a patch. Most Linux vendors already have a patch available, including Red Hat, CentOS, Ubuntu, Debian and Fedora. Apple has yet to issue a patch, but it should be available within a few days. If a patch is available, install it and run the above tests again.
For more in depth information about the “Bash Bug” / “Shellshock” vulnerability please see the following links.
Red Hat Blog post outlining both issues