Ok, so Heartbleed did as it said, and Shellshock is about to do the same.
I manage some CentOS, some Redhat, some Debian, and other servers. From what I have found so far, and assuming that the patches applied to the latest release of BASH are sufficient, then most servers and devices can be patched / fixed so that they are not vulnerable quite easily.
According to most sources, the test for a vulnerable BASH environment is the following line of code:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
So I quickly hit one of each server / Linux flavour I could think of and these are the results:
SME Server / CentOS based
# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
so I ran
# yum update
which updates a number of tools including bash-3.2-33.el5.1.i386.rpm which appears to be the correct update version and re-testing after updating the server (includes other updates as well) gives the ‘not vulnerable’ response.
CPanel on CentOS
# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
which appears to tell me that it is not vulnerable.
I also had a similar message but without the warning from a second CPanel / CentOS server which is configured slightly differently:
# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test
The lack of a warning in the above appears to indicate that it is not vulnerable.
Debian
Some of my Debian servers have not been upgraded from stable Squeeze, which I should be updating to Wheezy. I found different responses depending on which version of Debian existed on the server.
To check the Debian version use:
# cat /etc/debian_version
6.0.6
This simply confirms which point release the server is running.
Debian Squeeze 6.0.6
# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
Vulnerable, so update BASH:
# apt-get update
# apt-get install bash
A second test shows:
# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
Debian Squeeze 6.0.10
This one is a work in progress...
Debian Squeeze 7.4
This version of Debian was straightforward. The first test gave:
# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
Oops!
# apt-get update
# apt-get install bash
A second test shows:
# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test
Synology Busybox
Synology Busybox uses ASH, not BASH, but the same test can still be run:
# env x='() { :;}; echo vulnerable' ash -c "echo this is a test"
This gave an all-clear on my recently updated Synology unit.
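To avoid eyeballing the output on every box, the one-liner used throughout this post can be wrapped in a small POSIX sh function that prints a status word and sets an exit code, so it can be run from a cron job or a fleet-management tool. This is an added example, not code from the original post; it assumes the shells to check (bash, ash, dash, ...) are passed as arguments.

```shell
#!/bin/sh
# Added example: scriptable version of the post's Shellshock probe.
# Assumption: $1 is the name or path of the shell to test (bash, ash, dash ...).
#
# Prints one of:
#   vulnerable      - the "echo vulnerable" after the function body ran,
#                     i.e. the shell executed trailing code while importing
#                     the environment variable (exit code 1)
#   not-vulnerable  - only the test string came back; a patched bash may
#                     also print its "ignoring function definition" warning,
#                     which is harmless (exit code 0)
#   missing         - that shell is not installed on this host (exit code 2)
shellshock_check() {
    shell="$1"
    command -v "$shell" >/dev/null 2>&1 || { echo missing; return 2; }
    # 2>&1 so the warning lines of a patched bash are captured as well;
    # they never contain the word "vulnerable", so matching on it is safe
    out=$(env x='() { :;}; echo vulnerable' "$shell" -c "echo this is a test" 2>&1)
    case "$out" in
        *vulnerable*) echo vulnerable;     return 1 ;;
        *)            echo not-vulnerable; return 0 ;;
    esac
}

# Check the shells named on the command line, or a default set
[ $# -gt 0 ] || set -- bash ash dash
for s in "$@"; do
    printf '%-6s %s\n' "$s" "$(shellshock_check "$s")"
done
```

The exit code (0 clean, 1 vulnerable, 2 shell not present) makes the function usable directly in an `if` or a monitoring check.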