How to check and fix Bash vulnerability in *NIX
Introduction
The blog post at http://www.silensec.com/blog/entry/vuln/command-execution-vulnerability-in-bash introduces the "Command Execution Vulnerability in Bash" and shows how to test for and fix it on a cgi-bin enabled web server using ModSecurity. Here we show how to check whether your installed "bash" is affected by this vulnerability and how to upgrade it.
FreeBSD 10 - Bash
The default installation of FreeBSD 10 comes with bash version "4.3.24", which is vulnerable. To confirm this, run the following command in a bash shell on the FreeBSD host:
$ env 'VAR=() { :;}; echo Bash is vulnerable!' 'FUNCTION()=() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
If the output contains the following two lines, the installed bash version is vulnerable:
Bash is vulnerable!
Bash Test
It is also possible to use the "pkg audit" command to check whether the installed "bash" package is vulnerable:
# pkg audit
If you see the following output, you need to update your installed bash:
bash-4.3.24 is vulnerable:
bash -- remote code execution vulnerability
CVE: CVE-2014-7169
CVE: CVE-2014-6271
WWW: http://portaudit.FreeBSD.org/71ad81da-4414-11e4-a33e-3c970e169bc2.html
To update bash on FreeBSD, run the following command:
# pkg upgrade bash
If the upgrade succeeds, you will see the following message:
Installed packages to be UPGRADED:
bash: 4.3.24 -> 4.3.25_1
To confirm that the upgraded bash fixed the vulnerability, re-run the env command; the output should no longer contain the following line:
Bash is vulnerable!
RedHat/CentOS/Fedora/Debian/Ubuntu - Bash
On RedHat/CentOS/Fedora, bash versions prior to 4.2 are vulnerable and must be updated with the following command:
# yum update bash
To check whether the vulnerability has been fixed, run the "env" command shown above; the output should not contain the "Bash is vulnerable!" line.
To update bash on Debian/Ubuntu, run the following commands:
# apt-get update
# apt-get upgrade
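The env one-liner above has to be read by eye, which is awkward when checking many hosts before and after an upgrade. The script below is an added example, not part of the original post: it runs the page's two probes against a given bash binary and turns the output into an exit code. The function names and verdict codes are this example's own choices; the probe strings are the ones the page uses.

```shell
#!/bin/sh
# Added example (not from the original post): a scriptable version of the
# page's env-based check. The probe strings are the page's; the verdict
# codes and function names are this example's own choices.

# Run both probes against one bash binary (default: the bash on PATH) and
# print everything the child shell writes to stdout.
run_probes() {
    bash_bin="${1:-bash}"
    # First probe (the classic CVE-2014-6271 shape): a function body in an
    # ordinary variable. A vulnerable bash runs the trailing echo on startup.
    env 'VAR=() { :;}; echo Bash is vulnerable!' \
        "$bash_bin" -c 'echo Bash Test' 2>/dev/null
    # Second probe, as on the page: the same body under a "name()=" variable.
    env 'FUNCTION()=() { :;}; echo Bash is vulnerable!' \
        "$bash_bin" -c 'echo Bash Test' 2>/dev/null
}

# Turn captured probe output into a verdict:
#   0 = only "Bash Test" seen (patched)
#   1 = "Bash is vulnerable!" seen (the injected command ran)
#   2 = neither marker seen (the probe did not run)
classify_output() {
    case "$1" in
        *"Bash is vulnerable!"*) return 1 ;;
        *"Bash Test"*)           return 0 ;;
        *)                       return 2 ;;
    esac
}

# Check one bash binary; returns the verdict codes above.
check_bash() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || return 2
    classify_output "$(run_probes "$bash_bin")"
}

# Report when run as a script, e.g.:  sh shellshock-check.sh /usr/local/bin/bash
rc=0; check_bash "$@" || rc=$?
case $rc in
    0) echo "OK: ${1:-bash} ignores injected function bodies" ;;
    1) echo "VULNERABLE: upgrade bash (pkg upgrade bash / yum update bash / apt-get upgrade)" ;;
    *) echo "UNKNOWN: could not run ${1:-bash}" ;;
esac
```

Pass the path explicitly to check a bash that is not first on PATH, such as /usr/local/bin/bash installed by the FreeBSD package; run it once before and once after the upgrade and compare the verdicts.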