If you have any Linux or Mac machines, you’ll want to update Bash due to a vulnerability announced by RedHat called ShellShock. This vulnerability allows an attacker to inject their own code into Bash using environment variable assignment.

You can check if your machine is vulnerable by running the following at a Bash prompt:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you see vulnerable in the output, update Bash right away. However, if your output looks something like this Bash has been patched:

bash: warning: VAR: ignoring function definition attempt
bash: error importing function definition for `VAR'
Bash Test

 

Update Bash

Ubuntu and Debian users can update Bash using apt-get:

sudo apt-get update && sudo apt-get install --only-upgrade bash

 

Background from RedHat’s post:

Bash or the Bourne again shell, is a UNIX like shell, which is perhaps one of the most installed utilities on any Linux system. From its creation in 1980, Bash has evolved from a simple terminal based command interpreter to many other fancy uses.

In Linux, environment variables provide a way to influence the behavior of software on the system. They typically consists of a name which has a value assigned to it. The same is true of the Bash shell. It is common for a lot of programs to run Bash shell in the background. It is often used to provide a shell to a remote user (via ssh, telnet, for example), provide a parser for CGI scripts (Apache, etc) or even provide limited command execution support (git, etc)

Coming back to the topic, the vulnerability arises from the fact that you can create environment variables with specially-crafted values before calling the Bash shell. These variables can contain code, which gets executed as soon as the shell is invoked. The name of these crafted variables does not matter, only their contents. As a result, this vulnerability is exposed in many contexts.

 

%d bloggers like this: