30 сентября 2014 г.

How to quickly check and fix the Shellshock Bash vulnerability

First, see if this applies to you. Though since all of the bash versions for the last 25 years are vulnerable to this exploit, it most likely does.


To check if your machine has the Shellshock vulnerability, run the following:

env X='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the output includes "busted", the machine is vulnerable to the Shellshock exploit.


Here's an example of how the output looks like on an infected Debian OpenVZ VPS:

At the top of the output you can see the current Bash version being 4.2.


Now, this is the time to update your bash version to the one that is more secure and has the exploit patched.


First, update the package list.

apt-get update

Refer to this in case you get the GPG errors.

Then see what's the latest Bash version you got. In my case it was 4.2+dfsg-0.1+deb7u3. Upgrade Bash to the latest version. Here's how you can specify which version of the package to install in case you have multiple available.

apt-get install bash=4.2+dfsg-0.1+deb7u3

This will install the recent version.


Here's how the patched VPS looks like now:

As you can see, initially the bash version was 4.2+dfsg-0.1, and after the upgrade it's 4.2+dfsg-0.1+deb7u3. Then there's another test which doesn't output the busted value anymore.


Source: http://habrahabr.ru/company/mailru/blog/238475/

UPD: More vulnerabilities to test against: http://en.wikipedia.org/wiki/Shellshock_(software_bug)#Reported_vulnerabilities. Bad news is that not all of those are fixed by the update, so now we wait.

Комментариев нет: