CVE-2014-6271: Bash vulnerability that allows remote code execution

UPDATE 2: Updated bash packages that address CVE-2014-7169 are now available. With this update, a prefix and suffix are added to the names of environment variables that carry shell functions, as a hardening measure. Additionally, two out-of-bounds array accesses in the bash parser are fixed. Please check the following links:

CentOS: https://access.redhat.com/node/1200223
Ubuntu: http://www.ubuntu.com/usn/usn-2363-2/
Debian: https://www.debian.org/security/2014/dsa-3035

UPDATE from Red Hat: Red Hat has become aware that the patch for CVE-2014-6271 is incomplete. An attacker can provide specially crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions. The new issue has been assigned CVE-2014-7169. The patches are being worked on jointly with upstream developers as a critical priority. We will keep you updated regarding this. You can track progress at https://security-tracker.debian.org/tracker/CVE-2014-7169

A vulnerability named CVE-2014-6271, discovered last week, was made public yesterday. This vulnerability in bash lets an attacker execute arbitrary code if they can influence the environment passed to bash. Because bash is a common shell for evaluating and executing commands on behalf of other programs, this vulnerability may affect many applications that evaluate user input and call other applications via a shell.

Bash supports exporting shell functions, as well as shell variables, to other bash instances; the definitions are passed to a child process through its environment. The major attack vectors identified so far are HTTP requests and CGI scripts.

Following are the mitigating steps you can take:

  • Upgrade to a new version of bash.
  • Replace bash with an alternate shell.
  • Limit access to vulnerable services.
  • Filter inputs to vulnerable services.

How to check whether a vulnerable bash package is installed on your server?

# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

A vulnerable binary will show:
vulnerable
this is a test

After upgrading the package, you should see:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

How to update bash packages?

Please follow the distro-specific instructions below to upgrade bash to the versions mentioned ASAP:

  • CentOS
    # yum upgrade bash
  • Debian
    # apt-get update && apt-get install --only-upgrade bash
  • Ubuntu
    # apt-get update && apt-get install --only-upgrade bash
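
The following script is an added example, not part of the original advisory or of any distribution's tooling. It wraps the probe from the "How to check" section in a function with a machine-readable exit status (so it can be run across a fleet), and wraps the distro-specific upgrade commands above in a dispatcher that upgrades and then re-runs the probe. Detecting the distribution family from /etc/os-release (with /etc/redhat-release and /etc/debian_version as fallbacks) is an assumption of this example; the classification of "no warning at all" as the hardened bash that only imports functions from specially named variables follows the description in UPDATE 2.

```shell
#!/bin/sh
# Added example (not from the original advisory): Shellshock probe with an
# exit status, plus a distro-aware upgrade-and-verify helper.

# Classify the output of the probe command. Prints one of:
#   vulnerable - the trailing command in the variable was executed
#   patched    - bash rejected the function definition with a warning
#   hardened   - bash ignored the variable silently (prefix/suffix hardening)
classify_shellshock_output() {
  case "$1" in
    *vulnerable*)                                echo "vulnerable" ;;
    *"ignoring function definition attempt"*)    echo "patched" ;;
    *)                                           echo "hardened" ;;
  esac
}

# Run the advisory's probe against a given bash binary (default: bash in PATH).
# Exit status: 0 = not vulnerable, 1 = vulnerable, 2 = bash not found.
shellshock_check() {
  bash_bin="${1:-bash}"
  if ! command -v "$bash_bin" >/dev/null 2>&1; then
    echo "bash not found: $bash_bin" >&2
    return 2
  fi
  # The variable looks like an exported function followed by a trailing
  # command; a vulnerable bash runs 'echo vulnerable' while importing it.
  out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is a test' 2>&1)
  verdict=$(classify_shellshock_output "$out")
  echo "$bash_bin: $verdict"
  [ "$verdict" != "vulnerable" ]
}

# Print the distribution family used to pick the upgrade command:
# rhel (CentOS/RHEL), debian (Debian/Ubuntu) or unknown (exit status 1).
detect_distro_family() {
  if [ -r /etc/os-release ]; then
    . /etc/os-release
    case "${ID:-} ${ID_LIKE:-}" in
      *centos*|*rhel*|*fedora*) echo rhel;   return 0 ;;
      *debian*|*ubuntu*)        echo debian; return 0 ;;
    esac
  fi
  if [ -r /etc/redhat-release ]; then echo rhel;   return 0; fi
  if [ -r /etc/debian_version ]; then echo debian; return 0; fi
  echo unknown
  return 1
}

# Print the upgrade command from the advisory for a distribution family.
upgrade_command_for() {
  case "$1" in
    rhel)   echo "yum upgrade bash" ;;
    debian) echo "apt-get update && apt-get install --only-upgrade bash" ;;
    *)      return 1 ;;
  esac
}

# Upgrade bash with the distribution's package manager, then re-run the probe
# so the result reflects the newly installed binary. Must run as root.
upgrade_and_verify() {
  family=$(detect_distro_family) || { echo "unsupported distribution" >&2; return 1; }
  cmd=$(upgrade_command_for "$family")
  echo "running: $cmd"
  sh -c "$cmd" || return 1
  hash -r 2>/dev/null || :   # drop any cached path to the old binary
  shellshock_check bash
}

# Entry point: probe only, or upgrade then probe with --upgrade.
# The probe's exit status is left in $status for the caller to act on.
status=0
if [ "${1:-}" = "--upgrade" ]; then
  upgrade_and_verify || status=$?
else
  shellshock_check bash || status=$?
fi
```

Run it without arguments on each host to inventory exposure (append `exit "$status"` at the end if your scanner keys on the exit code), and with `--upgrade` as root to apply the distribution's fix and confirm the probe no longer prints `vulnerable`. Note that this probe covers only CVE-2014-6271; a bash that reports `patched` here may still need the follow-up update for CVE-2014-7169 described in UPDATE 2.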

For managed customers, we are in the process of updating the bash package. Please write to support@e2enetworks.com with any queries you may have.