Upgrading Bash for the Shellshock Vulnerability
Updated by Dave Russell Written by Dave Russell
Shellshock, or Bashdoor, is a vulnerability that was discovered on September 12th, 2014 and embargoed until September 24th when it was assigned the CVE identifier CVE-2014-6271. The vulnerability pertains to Bash, which is a widely used Unix shell. This vulnerability affects all Linux distributions and allows remote execution of commands using environment variables.
In addition to CVE-2014-6271, many other related vulnerabilities were discovered in the following days after the Shellshock patch. This guide will tell you how to safely upgrade your Linux distributions and secure your Linode against the Bash vulnerability.
Checking the Vulnerability
You must first see if you are vulnerable. As there are several vulnerabilities, you will want to check your vulnerability status for each of them.
CVE-2014-6271
To check if your Linode is vulnerable, run the following in Bash:
env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'
If your Linode is vulnerable, you will see:
vulnerable
this is a test
If your Linode is not vulnerable, you will see:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
In some distributions, such as Ubuntu 12.04, you may not see the bash warning errors. As long as you do not see vulnerable in your output, you are running an upgraded version for CVE-2014-6271.
CVE-2014-7169
While working on CVE-2014-6271, a new bug was discovered and given the CVE identifier CVE-2014-7169.
To check for the vulnerability, run the following in Bash:
env X='() { (a)=>\' sh -c "echo date"; cat echo
If your Linode is vulnerable, you will see:
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function for `X'
Sun Sep 08:17:32 EST 2014
If your Linode is not vulnerable, you will see:
date
cat: echo: No such file or directory
CVE-2014-7186
In addition to the other two, another bug was found related to the same code issues previously identified in Bash. The new bug was given the CVE identifier CVE-2014-7186.
The vulnerability allowed out-of-bounds memory access by using a fixed-sized redir_stack, which resulted in the ability to execute code that would not otherwise be run.
To test the vulnerability, run the following in Bash:
bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' || echo "CVE-2014-7186 vulnerable, redir_stack"
If your Linode is not vulnerable, you will see:
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
CVE-2014-7187 and CVE-2014-6277
Both of these CVEs are a result of an incomplete fix for CVE-2014-6271 and CVE-2014-7169. Fortunately, most distributions have patched both of these CVEs, completing the Shellshock vulnerability patching.
If you are still using Debian Squeeze, you will need to follow their instructions for using Debian Squeeze LTS and change your sources.list file accordingly to get the upgrades if you have not already.
Installing the Upgrade
Below is the relevant information for upgrading Bash and ensuring that your Linode is no longer vulnerable to the bug. Each section is designed for individual distributions. The sections are written with the assumption that you have root access or sudo privileges. If you do not, you will not be able to run these commands.
Ubuntu and Debian
To upgrade Bash on Ubuntu and Debian, run these commands to update and upgrade the Bash package. If you are not running as the root user, prepend sudo to each command:
apt-get update
apt-get install --only-upgrade bash
Re-run the commands in the “Checking the Vulnerability” section of this documentation to ensure it has been upgraded.
CentOS
To upgrade Bash on CentOS, run this command to update and upgrade the Bash package. If you are not running as the root user, prepend sudo to each command:
yum update bash
Re-run the commands in the “Checking the Vulnerability” section of this documentation to ensure it has been upgraded.
Fedora
To upgrade Bash on Fedora, run this command to update and upgrade the Bash package. If you are not running as the root user, prepend sudo to each command:
yum -y install bash
Re-run the commands in the “Checking the Vulnerability” section of this documentation to ensure it has been upgraded.
Arch Linux
To upgrade Bash on Arch Linux, run this command to update and upgrade the Bash package. If you are not running as the root user, prepend sudo to each command:
pacman -Syu
Re-run the commands in the “Checking the Vulnerability” section of this documentation to ensure it has been upgraded.
Gentoo
Gentoo has specific patching instructions as per the currently Bash version you are using. To find your version, run:
bash --version
Bash 3.1
To patch the vulnerability in Bash 3.1 on Gentoo, run:
emerge --sync
emerge --ask --oneshot --verbose ">=app-shells/bash-3.1_p18-r1"
Re-run the commands in the “Checking the Vulnerability” section of this documentation to ensure it has been patched.
Bash 3.2
To patch the vulnerability in Bash 3.2 on Gentoo, run:
emerge --sync
emerge --ask --oneshot --verbose ">=app-shells/bash-3.2_p52-r1"
Re-run the commands in the “Checking the Vulnerability” section of this documentation to ensure it has been patched.
Bash 4.0
To patch the vulnerability in Bash 4.0 on Gentoo, run:
emerge --sync
emerge --ask --oneshot --verbose ">=app-shells/bash-4.0_p39-r1"
Re-run the commands in the “Checking the Vulnerability” section of this documentation to ensure it has been patched.
Bash 4.1
To patch the vulnerability in Bash 4.1 on Gentoo, run:
emerge --sync
emerge --ask --oneshot --verbose ">=app-shells/bash-4.1_p12-r1"
Re-run the commands in the “Checking the Vulnerability” section of this documentation to ensure it has been patched.
Bash 4.2
To patch the vulnerability in Bash 4.2 on Gentoo, run:
emerge --sync
emerge --ask --oneshot --verbose ">=app-shells/bash-4.2_p48-r1"
Re-run the commands in the “Checking the Vulnerability” section of this documentation to ensure it has been patched.
OpenSUSE
To upgrade Bash against the vulnerability on OpenSUSE, run:
zypper patch --cve=CVE-2014-7187
Re-run the commands in the “Checking the Vulnerability” section of this documentation to ensure it has been upgraded.
Slackware
To upgrade against the vulnerability on Slackware, you must upgrade the Bash package using slackpkg:
slackpkg update
slackpkg upgrade bash
Once you have done so, re-run the commands in the “Checking the Vulnerability” section of this documentation to ensure it has been upgraded.
Join our Community
Find answers, ask questions, and help others.
This guide is published under a CC BY-ND 4.0 license.