Upgrading Bash for the Shellshock Vulnerability

Updated by Dave Russell

Contribute on GitHub

View Project | View File | Edit File

Shellshock, or Bashdoor, is a vulnerability that was discovered on September 12th, 2014 and embargoed until September 24th when it was assigned the CVE identifier CVE-2014-6271. The vulnerability pertains to Bash, which is a widely used Unix shell. This vulnerability affects all Linux distributions and allows remote execution of commands using environment variables.

In addition to CVE-2014-6271, many other related vulnerabilities were discovered in the following days after the Shellshock patch. This guide will tell you how to safely upgrade your Linux distributions and secure your Linode against the Bash vulnerability.

Checking the Vulnerability

You must first see if you are vulnerable. As there are several vulnerabilities, you will want to check your vulnerability status for each of them.

CVE-2014-6271

To check if your Linode is vulnerable, run the following in Bash:

1
env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'

If your Linode is vulnerable, you will see:

1
2
vulnerable
this is a test

If your Linode is not vulnerable, you will see:

1
2
3
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

In some distributions, such as Ubuntu 12.04, you may not see the bash warning errors. As long as you do not see vulnerable in your output, you are running an upgraded version for CVE-2014-6271.

CVE-2014-7169

While working on CVE-2014-6271, a new bug was discovered and given the CVE identifier CVE-2014-7169.

To check for the vulnerability, run the following in Bash:

1
env X='() { (a)=>\' sh -c "echo date"; cat echo

If your Linode is vulnerable, you will see:

1
2
3
4
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function for `X'
Sun Sep 08:17:32 EST 2014

If your Linode is not vulernable, you will see:

1
2
date
cat: echo: No such file or directory

CVE-2014-7186

In addition to the other two, another bug was found related to the same code issues previously identified in Bash. The new bug was given the CVE identifier CVE-2014-7186.

The vulnerability allowed out-of-bounds memory access by using a fixed-sized redir_stack, which resulted in the ability to execute code that would not otherwise be run.

To test the vulnerability, run the following in Bash:

1
bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' || echo "CVE-2014-7186 vulnerable, redir_stack"

If your Linode is not vulnerable, you will see:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')

CVE-2014-7187 and CVE-2014-6277

Both of these CVEs are a result of an incomplete fix for CVE-2014-6271 and CVE-2014-7169. Fortunately, most distributions have patched both of these CVEs, completing the Shellshock vulnerability patching.

If you are still using Debian Squeeze, you will need to follow their instructions for using Debian Squeeze LTS and change your sources.list file accordingly to get the upgrades if you have not already.

Installing the Upgrade

Below is the relevant information for upgrading Bash and ensuring that your Linode is no longer vulnerable to the bug. Each section is designed for individual distributions. The sections are written with the assumption that you have root access or sudo privileges. If you do not, you will not be able to run these commands.

Ubuntu and Debian

To upgrade Bash on Ubuntu and Debian, run these commands to update and upgrade the Bash package. If you are not running as the root user, prepend sudo to each command:

1
2
apt-get update
apt-get install --only-upgrade bash

Re-run the commands in the “Checking the Vulnerability” section of this documentation to ensure it has been upgraded.

CentOS

To upgrade Bash on CentOS, run this command to update and upgrade the Bash package. If you are not running as the root user, prepend sudo to each command:

1
yum update bash

Re-run the commands in the “Checking the Vulnerability” section of this documentation to ensure it has been upgraded.

Fedora

To upgrade Bash on Fedora, run this command to update and upgrade the Bash package. If you are not running as the root user, prepend sudo to each command:

1
yum -y install bash

Re-run the commands in the “Checking the Vulnerability” section of this documentation to ensure it has been upgraded.

Arch Linux

To upgrade Bash on Arch Linux, run this command to update and upgrade the Bash package. If you are not running as the root user, prepend sudo to each command:

1
pacman -Syu

Re-run the commands in the “Checking the Vulnerability” section of this documentation to ensure it has been upgraded.

Gentoo

Gentoo has specific patching instructions as per the currently Bash version you are using. To find your version, run:

1
bash --version

Bash 3.1

To patch the vulnerability in Bash 3.1 on Gentoo, run:

1
2
emerge --sync
emerge --ask --oneshot --verbose ">=app-shells/bash-3.1_p18-r1"

Re-run the commands in the “Checking the Vulnerability” section of this documentation to ensure it has been patched.

Bash 3.2

To patch the vulnerability in Bash 3.2 on Gentoo, run:

1
2
emerge --sync
emerge --ask --oneshot --verbose ">=app-shells/bash-3.2_p52-r1"

Re-run the commands in the “Checking the Vulnerabilty” section of this documentation to ensure it has been patched.

Bash 4.0

To patch the vulnerability in Bash 4.0 on Gentoo, run:

1
2
emerge --sync
emerge --ask --oneshot --verbose ">=app-shells/bash-4.0_p39-r1"

Re-run the commands in the “Checking the Vulnerability” section of this documentation to ensure it has been patched.

Bash 4.1

To patch the vulnerability in Bash 4.1 on Gentoo, run:

1
2
emerge --sync
emerge --ask --oneshot --verbose ">=app-shells/bash-4.1_p12-r1"

Re-run the commands in the “Checking the Vulnerability” section of this documentation to ensure it has been patched.

Bash 4.2

To patch the vulnerability in Bash 4.2 on Gentoo, run:

1
2
emerge --sync
emerge --ask --oneshot --verbose ">=app-shells/bash-4.2_p48-r1"

Re-run the commands in the “Checking the Vulnerability” section of this documentation to ensure it has been patched.

OpenSUSE

To upgrade Bash against the vulnerability on OpenSUSE, run:

1
zypper patch --cve=CVE-2014-7187

Re-run the commands in the “Checking the Vulnerability” section of this documentation to ensure it has been upgraded.

Slackware

To upgrade against the vulnerability on Slackware, you must upgrade the Bash package using slackpkg:

1
2
slackpkg update
slackpkg upgrade bash

Once you have done so, re-run the commands in the “Checking the Vulnerability” section of this documentation to ensure it has been upgraded.

This guide is published under a CC BY-ND 4.0 license.