Oh no, here we go again
Well, there's plenty of fast-paced news and updates about the latest vulnerability to assail the internet (and open source / Linux in particular, it would seem) - hot on the heels of the 'Heartbleed' bug we now have a new vulnerability dubbed 'Shellshock'. Additional good articles from The Register and one from Troy Hunt all include a lot of decent background material. Mr. Hunt was top of my search list - am sure there are others out there.
It is a weakness in the well-known 'nix shell called 'Bash'. A shell is one of a number of interpreters that let you interact with the system from the command line as well as run scripts and other things. Bash has been around for ages (I remember using it in university) and is the default shell for Linux and Mac OS X. So it is everywhere, and everyone is more or less affected.
The bug is in how Bash handles function definitions passed to it through environment variables: after parsing the definition it keeps going and executes any shell commands that follow it. This means that someone who can set a variable Bash will read can add extra commands to the end of an existing legitimate value, and there's a chance they will get executed. Basically, a command over-run.
What is even scarier, from what everyone has been saying, is that it has probably already been exploited and the security community has only just caught on. Christ, how long?
Let me check to see if MY pants are down
So. I just carried out a 'before' and 'after' on one of our CentOS boxes:
1. Fire up a shell (make sure it is Bash).
2. Enter the following (no need to sudo):
   env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
3. If you run it and you get 'vulnerable' followed by 'this is a test' - then patch immediately.
4. If you run it and you get just 'this is a test' - then the patch worked or you haven't been vulnerable.
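The same env test wrapped in a small script, as an added example that is not part of the original post, so it can be run from cron or a config management tool and fail loudly when Bash is vulnerable (the function names are my own):

```shell
#!/bin/sh
# Added example: wraps the Shellshock probe from the post in reusable functions.
# The variable value is harmless on its own (':' is a no-op function body);
# only the trailing 'echo vulnerable' tells us whether Bash kept parsing
# and executing past the end of the function definition.

# Classify the combined stdout/stderr of the probe.
# Prints one word: vulnerable, patched, or unknown.
classify_probe_output() {
    case "$1" in
        *vulnerable*)        echo "vulnerable" ;;
        *"this is a test"*)  echo "patched" ;;
        *)                   echo "unknown" ;;   # bash missing, refused to run, etc.
    esac
}

# Run the probe against a given bash binary (default: the bash found on PATH).
# stderr is captured too so a patched Bash's "ignoring function definition"
# warning ends up in the output rather than on the terminal.
run_probe() {
    bash_bin="${1:-bash}"
    output=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is a test' 2>&1)
    classify_probe_output "$output"
}

# Exit code for automation: 0 = patched, 1 = vulnerable, 2 = could not tell.
shellshock_status() {
    status=$(run_probe "$1")
    echo "$status"
    case "$status" in
        patched)    return 0 ;;
        vulnerable) return 1 ;;
        *)          return 2 ;;
    esac
}

# Stand-alone use: report on the system bash and propagate the exit code.
if [ "${SHELLSHOCK_CHECK_LIB:-0}" = "0" ] && [ "$(basename "$0")" = "shellshock_check.sh" ]; then
    shellshock_status "$@"
fi
```

Save it as shellshock_check.sh and run it on each box; a non-zero exit means go and run the yum / apt-get steps below.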
So how do I patch for this?
Quite easy actually.
Using yum or apt-get will allow you to easily update Bash and fix the vulnerability.
Yum
sudo yum update
then
sudo yum update bash
Apt-get
sudo apt-get update
then
sudo apt-get install --only-upgrade bash