{"id":1116,"date":"2014-09-26T17:11:03","date_gmt":"2014-09-26T07:11:03","guid":{"rendered":"http:\/\/howden.net.au\/thowden\/?p=1116"},"modified":"2014-09-26T17:11:03","modified_gmt":"2014-09-26T07:11:03","slug":"shellshock-bash-vulnerability","status":"publish","type":"post","link":"https:\/\/howden.net.au\/thowden\/2014\/09\/shellshock-bash-vulnerability\/","title":{"rendered":"Shellshock BASH Vulnerability: Debian, CentOS, Synology Busybox"},"content":{"rendered":"

Ok, so Heartbleed did as it said, and Shellshock is about to do the same.<\/p>\n

I manage some CentOS, some Redhat, some Debian, and other servers. From what I have found so far, and assuming that the patches applied to the latest release of BASH are sufficient, then most servers and devices can be patched \/ fixed so that they are not vulnerable quite easily.<\/p>\n

According to most sources, the test for a vulnerable BASH environment is the following line of code:<\/p>\n

[text]
\nenv x='() { :;}; echo vulnerable’ bash -c "echo this is a test"
\n[\/text]<\/p>\n

So I quickly hit one of each server \/ Linux flavour I could think of and these are the results:<\/p>\n

SME Server \/ CentOS based<\/h2>\n

[text]
\n# env x='() { :;}; echo vulnerable’ bash -c "echo this is a test"
\nvulnerable
\nthis is a test
\n[\/text]<\/p>\n

so I ran<\/p>\n

[text]
\n# yum update
\n[\/text]<\/p>\n

which updates a number of tools including bash-3.2-33.el5.1.i386.rpm which appears to be the correct update version and re-testing after updating the server (includes other updates as well) gives the ‘not vulnerable’ response.<\/p>\n

CPanel on CentOS<\/h2>\n

[text]
\n# env x='() { :;}; echo vulnerable’ bash -c "echo this is a test"
\nbash: warning: x: ignoring function definition attempt
\nbash: error importing function definition for `x’
\nthis is a test
\n#
\n[\/text]<\/p>\n

which appears to tell me that it is not vulnerable.<\/p>\n

I also had a similar message but without the warning from a second CPanel \/ CentOS server which is configured slightly differently:<\/p>\n

[text]
\n# env x='() { :;}; echo vulnerable’ bash -c "echo this is a test"
\nthis is a test
\n#
\n[\/text]<\/p>\n

The lack of a warning in the above appears to indicate that it is not vulnerable.<\/p>\n

Debian<\/h2>\n

Some of my Debian servers have not been upgraded from stable Squeeze, which I should be updating to Wheezy. I found different responses depending on which version of Debian existed on the server.<\/p>\n

To check the Debian version use:
\n[text]
\n# cat \/etc\/debian_version
\n# 6.0.6
\n[\/text]<\/p>\n

Checking the Debian version just as a confirmation of what patch release the server is using.<\/p>\n

Debian Squeeze 6.0.6<\/h2>\n

[text]
\n# env x='() { :;}; echo vulnerable’ bash -c "echo this is a test"
\nvulnerable
\nthis is a test
\n#
\n[\/text]<\/p>\n

Vulnerable, so update BASH<\/p>\n

[text]
\n# apt-get update
\n# apt-get install bash
\n[\/text]<\/p>\n

A second test shows:<\/p>\n

[text]
\n# env x='() { :;}; echo vulnerable’ bash -c "echo this is a test"
\nbash: warning: x: ignoring function definition attempt
\nbash: error importing function definition for `x’
\nthis is a test
\n#<\/p>\n

<h2>Debian Squeeze 6.0.10<\/h2><\/p>\n

This one is a work in progress……<\/p>\n

<h2>Debian Squeeze 7.4<\/h2><\/p>\n

This version of Debian was straightforward and <\/p>\n

[text]
\n# env x='() { :;}; echo vulnerable’ bash -c "echo this is a test"
\nvulnerable
\nthis is a test
\n#
\n[\/text]<\/p>\n

Oops!<\/p>\n

[text]
\n# apt-get update
\n# apt-get install bash
\n[\/text]<\/p>\n

A second test shows:<\/p>\n

[text]
\n# env x='() { :;}; echo vulnerable’ bash -c "echo this is a test"
\nthis is a test
\n#<\/p>\n

<h2>Synology Busybox<\/h2><\/p>\n

Synology Busybox uses ASH not BASH but testing can still be done<\/p>\n

[text]
\n# env x='() { :;}; echo vulnerable’ ash -c "echo this is a test"
\n[\/text]<\/p>\n

Gave an all clear message on my recently updated Synology unit.<\/p>\n","protected":false},"excerpt":{"rendered":"

Ok, so Heartbleed did as it said, and Shellshock is about to do the same. I manage some CentOS, some Redhat, some Debian, and other servers. From what I have found so far, and assuming that the patches applied to the latest release of BASH are sufficient, then most servers and devices can be patched […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[40,43,45,46,60,84,85],"class_list":["post-1116","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-bash","tag-centos","tag-cpanel","tag-debian","tag-linux","tag-shell","tag-shellshock"],"_links":{"self":[{"href":"https:\/\/howden.net.au\/thowden\/wp-json\/wp\/v2\/posts\/1116","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/howden.net.au\/thowden\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/howden.net.au\/thowden\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/howden.net.au\/thowden\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/howden.net.au\/thowden\/wp-json\/wp\/v2\/comments?post=1116"}],"version-history":[{"count":0,"href":"https:\/\/howden.net.au\/thowden\/wp-json\/wp\/v2\/posts\/1116\/revisions"}],"wp:attachment":[{"href":"https:\/\/howden.net.au\/thowden\/wp-json\/wp\/v2\/media?parent=1116"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/howden.net.au\/thowden\/wp-json\/wp\/v2\/categories?post=1116"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/howden.net.au\/thowden\/wp-json\/wp\/v2\/tags?post=1116"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}