Security Advisory: Critical Bash Shell Vulnerability
Posted by Kevin Stange on 25 September 2014 02:21 PM
Update 9/26 at 10:40 AM CDT: A newer version of Bash has been released that fixes additional security problems. This announcement has been updated with the new version numbers to look for and updated references. Please review the information below for further details.

A vulnerability has recently been disclosed in Bash (the GNU Bourne Again shell) which affects all systems running Linux. This vulnerability allows programs that let users supply values for variables to execute arbitrary commands with the privileges of the service. This issue does not permit direct privilege escalation. It has been assigned the ID CVE-2014-6271 in the Common Vulnerabilities and Exposures database and has been given the nickname "Shellshock."

CentOS and Debian patched this vulnerability partially on September 24, 2014 and issued further fixes on September 25, 2014 under the new ID CVE-2014-7169.

To apply the fixes, you need only update the installed version of the Bash program. If you have created any services that run entirely as a Bash shell script, you should restart those services after updating. Bash-based services are not common.

Windows and FreeBSD servers do not use Bash by default and are not generally affected. If you have installed Bash on your server manually, make sure it is up to date using the process by which you originally installed it.

Please review the sections below to determine how to update Bash on your server.

CentOS

To check which version of Bash is installed, run the following command:

rpm -q bash

The version number should be greater than or equal to one of the following:
The important portion of the version number is the part beginning with ".elX_", where X is 5, 6, or 7. If you read the part after the "_" as a decimal number, it must be greater than or equal to the version listed. For example, for ".el6_" the number should be "5.2" or any higher number.

If your version does not match, run the following command and ensure an update to the bash package is included:

yum -y update bash

If no update is available, try the following command, then repeat the command above:

yum clean metadata

Red Hat published the following advisories regarding this vulnerability:
Debian 7

To check which version of Bash is installed, run the following command:

dpkg -s bash | grep Version

The version number should be greater than or equal to 4.2+dfsg-0.1+deb7u3. The notable part to look for is the "+deb7u3" at the end. If the last number is not 3 or higher, or the part after "+" is missing, you will need to upgrade.

If your version does not match, run the following command and ensure an update to the bash package is included:

apt-get update

Debian published the following advisories regarding this vulnerability:
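To script the CentOS and Debian version checks described above, here is an added example (not from the original advisory) that implements the ".elX_" rule and the "+deb7uN" rule as shell functions. The version strings in the comments are constructed samples, the CentOS minimum is an argument you take from the advisory's list, and the CentOS comparison is done component by component, which generalises the decimal reading given above.

```shell
#!/bin/sh
# Added example: version checks for the Shellshock fixes (CVE-2014-6271 /
# CVE-2014-7169) as described in the advisory. Not the advisory's own code.

# Compare two dotted numeric strings component by component.
# Returns 0 (true) when $1 >= $2, e.g. version_ge 5.10 5.2 is true.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# CentOS: $1 is the "rpm -q bash" output (constructed sample:
# "bash-4.1.2-15.el6_5.2"), $2 is the EL major (5, 6 or 7) and $3 is the
# minimum number after ".elX_" for that release, taken from the advisory.
centos_bash_ok() {
    rel=$(printf '%s\n' "$1" | sed -n "s/.*\.el${2}_\([0-9][0-9.]*\).*/\1/p")
    [ -n "$rel" ] || return 1          # not an ".elX_" build for this release
    version_ge "$rel" "$3"
}

# Debian 7: $1 is the "dpkg -s bash | grep Version" output (constructed
# sample: "Version: 4.2+dfsg-0.1+deb7u3"). Needs "+deb7uN" with N >= 3.
debian7_bash_ok() {
    n=$(printf '%s\n' "$1" | sed -n 's/.*+deb7u\([0-9][0-9]*\).*/\1/p')
    [ -n "$n" ] || return 1            # "+deb7u" suffix missing: not patched
    [ "$n" -ge 3 ]
}

# Usage on a live host, re-run after updating:
#   centos_bash_ok "$(rpm -q bash)" 6 5.2 && echo "bash patched"
#   debian7_bash_ok "$(dpkg -s bash | grep Version)" && echo "bash patched"
```

Note that apt-get update only refreshes the package index; the bash package itself is installed with apt-get install bash or apt-get upgrade, so re-run the check afterwards.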
If you have any questions or need assistance performing these upgrades, please contact us and we'll be happy to help.