How to patch bash for shell shock

[Chris]

The Bash vulnerability, now dubbed by some as "Shellshock," has been reportedly found in use by an active exploit against Web servers.

Because of its wide distribution, the vulnerability could be as wide-ranging as the Heartbleed bug, though it may not be nearly as dangerous. The vulnerability affects versions 1.14 through 4.3 of GNU Bash.

Patch your system

For CentOS, Fedora, Red Hat (and the like) users, just type this to update it (yes, theres already a patch, and youll be patched up in about 10 seconds)

Code: Select all

yum -y update bash

For Debian, Ubuntu (and the like) users, type this to update bash:

Code: Select all

sudo apt-get update && sudo apt-get install --only-upgrade bash

(This will update the list of packages, then install the latest bash)

Test your system
To test your system, log into your bash shell and type:

Code: Select all

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

(from shellshocker.net)

If you see vulnerable afterwards, you havent patched it.
If you see this is a test, youre patched.

[Chris]

The first patch was incomplete. It didn't protect you from variations.

Do this test to be sure.

Code: Select all

env X='() { (a)=>\' sh -c "echo date"; cat echo 

if you see a date like:

Code: Select all

Thu 25 Sep 2014 08:50:18 BST

you vulnerable.

A good response looks lie:

Code: Select all

date
cat: echo: No such file or directory

[Chris]

For those who still have no update for there system against shell shock,
upgrade to bash 4.3

Code: Select all

mkdir src
cd src
wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
tar zxvf bash-4.3.tar.gz 
#download all patches
for i in $(seq -f "%03g" 0 25); do wget     http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i; done
cd bash-4.3
#apply all patches
for i in $(seq -f "%03g" 0 25);do patch -p0 < ../bash43-$i; done
#build and install
./configure && make && make install
cd ../..
rm -r src

[Chris]

Apparently even a patched system can still be exploited,
as environment variables are imported in bash by default.

read more here:
http://seclists.org/oss-sec/2014/q3/771

When we here of a update or solution we'll post it here.

[Chris]

I don't know yet about a real patch,
but in the mean time you can disable possible attack vectors (CVE-2014-6271).
mod_cgi and mod_cgid modules in the Apache HTTP Server.
scripts executed by unspecified DHCP clients.

Most servers have a fixed ip-address, so you can safely disable the dhcp-client service.

You can disable mod_cgi and mod_cgid modules in the Apache HTTP Server.
If you are not using CGI-scipts.
By remove or comment out (put # in front) of LoadModule cgi_module modules/mod_cgi.so
in httpd.conf.

or for apache2 in the files

Code: Select all

nano /etc/apache2/mods-available/cgi.load 
nano /etc/apache2/mods-available/cgid.load

Don't forget to restart the apache server:

Code: Select all

/etc/init.d/apache2 restart

[Chris]

The latest set of patches should solve the vulnerability for bash.

You can test it by:

Code: Select all

foo='() { echo not patched; }' bash -c foo

Check you distro for updates.
Or manually recompile bash, with all patches.
http://ftp.gnu.org/gnu/bash/bash-4.3-patches/