Monthly Archives: September 2014

Shellshock BASH Vulnerability: Debian, CentOS, Synology Busybox

Ok, so Heartbleed did as it said, and Shellshock is about to do the same.

I manage some CentOS, some Red Hat, some Debian, and other servers. From what I have found so far, and assuming that the patches applied to the latest release of BASH are sufficient, most servers and devices can quite easily be patched so that they are no longer vulnerable.

According to most sources, the test for a vulnerable BASH environment is the following line of code:

[text]
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
[/text]
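The probe above is easy to misread when the output is long, so here it is wrapped in a small POSIX sh function that runs the same command against any shell you name (bash, ash, dash, ...) and reports a status. This is an added example, not code from the original post; it assumes only that each shell name passed in is on `$PATH` or given as an absolute path.

```shell
#!/bin/sh
# Added example (not from the original post): script the Shellshock probe
# instead of eyeballing its output. Assumption: each argument is a shell
# name on $PATH or an absolute path to one.

check_shellshock() {
    shell="$1"
    if ! command -v "$shell" >/dev/null 2>&1; then
        echo "$shell: not installed"
        return 2
    fi
    # Same probe as the post: export a crafted function-definition string and
    # see whether the child shell runs the trailing command while importing it.
    # stderr is merged in so the "ignoring function definition" warning is seen.
    out=$(env x='() { :;}; echo vulnerable' "$shell" -c 'echo this is a test' 2>&1)
    case "$out" in
        *vulnerable*)
            echo "$shell: VULNERABLE"
            return 1 ;;
        *"ignoring function definition attempt"*)
            # A patched bash refuses the import and says so.
            echo "$shell: not vulnerable (import rejected with warning)"
            return 0 ;;
        *)
            # Silent: a newer bash, or a shell such as ash that never
            # imported functions from the environment in the first place.
            echo "$shell: not vulnerable"
            return 0 ;;
    esac
}

# Probe every shell named on the command line; exit 1 if any is vulnerable.
# A shell that is simply not installed does not count as a failure.
check_all() {
    rc=0
    for s in "$@"; do
        check_shellshock "$s" || [ $? -eq 2 ] || rc=1
    done
    return $rc
}

# The shells this post ends up testing, plus dash, which Debian uses for /bin/sh.
check_all bash ash sh dash
```

Run it on each box after patching; a non-zero exit code from `check_all` means at least one installed shell still echoed the injected string.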

So I quickly hit one of each server / Linux flavour I could think of and these are the results:

SME Server / CentOS based

[text]
# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
[/text]

so I ran

[text]
# yum update
[/text]

which updates a number of packages, including bash-3.2-33.el5.1.i386.rpm, which appears to be the correct update version. Re-testing after updating the server (the run included other updates as well) gives the ‘not vulnerable’ response.

CPanel on CentOS

[text]
# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
#
[/text]

which appears to tell me that it is not vulnerable.

I also had a similar message but without the warning from a second CPanel / CentOS server which is configured slightly differently:

[text]
# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test
#
[/text]

The lack of a warning in the above appears to indicate that it is not vulnerable.

Debian

Some of my Debian servers have not been upgraded from stable Squeeze, which I should be updating to Wheezy. I found different responses depending on which version of Debian existed on the server.

To check the Debian version use:
[text]
# cat /etc/debian_version
6.0.6
[/text]

Checking the Debian version confirms which point release the server is running, since the responses differ between releases.

Debian Squeeze 6.0.6

[text]
# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
#
[/text]

Vulnerable, so update BASH:

[text]
# apt-get update
# apt-get install bash
[/text]

A second test shows:

[text]
# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
#
[/text]

Debian Squeeze 6.0.10

This one is a work in progress……

Debian Squeeze 7.4

This version of Debian was straightforward and

[text]
# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
#
[/text]

Oops!

[text]
# apt-get update
# apt-get install bash
[/text]

A second test shows:

[text]
# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test
#
[/text]

Synology Busybox

Synology Busybox uses ASH, not BASH, but the same test can still be run against it:

[text]
# env x='() { :;}; echo vulnerable' ash -c "echo this is a test"
[/text]

Gave an all clear message on my recently updated Synology unit.