Shellshock BASH Vulnerability: Debian, CentOS, Synology Busybox

Ok, so Heartbleed did as it said, and Shellshock is about to do the same.

I manage some CentOS, some Redhat, some Debian, and other servers. From what I have found so far, and assuming that the patches applied to the latest release of BASH are sufficient, then most servers and devices can be patched / fixed so that they are not vulnerable quite easily.

According to most sources, the test for a vulnerable BASH environment is the following line of code:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

So I quickly hit one of each server / Linux flavour I could think of and these are the results:

SME Server / CentOS based

# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

so I ran

# yum update

which updates a number of tools including bash-3.2-33.el5.1.i386.rpm which appears to be the correct update version and re-testing after updating the server (includes other updates as well) gives the ‘not vulnerable’ response.

CPanel on CentOS

# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
#

which appears to tell me that it is not vulnerable.

I also had a similar message but without the warning from a second CPanel / CentOS server which is configured slightly differently:

# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test
#

The lack of a warning in the above appears to indicate that it is not vulnerable.

Debian

Some of my Debian servers have not been upgraded from stable Squeeze, which I should be updating to Wheezy. I found different responses depending on which version of Debian existed on the server.

To check the Debian version use:

# cat /etc/debian_version
# 6.0.6

Checking the Debian version just as a confirmation of what patch release the server is using.

Debian Squeeze 6.0.6

# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
#

Vulnerable, so update BASH

# apt-get update
# apt-get install bash

A second test shows:

# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
#

<h2>Debian Squeeze 6.0.10</h2>

This one is a work in progress......


<h2>Debian Squeeze 7.4</h2>

This version of Debian was straightforward and 


# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
#

Oops!

# apt-get update
# apt-get install bash

A second test shows:

# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test
#

<h2>Synology Busybox</h2>

Synology Busybox uses ASH not BASH but testing can still be done


# env x='() { :;}; echo vulnerable' ash -c "echo this is a test"

Gave an all clear message on my recently updated Synology unit.

Leave a Reply

Your email address will not be published. Required fields are marked *