How to protect yourself against the Shellshock BASH vulnerability

Like many people I was quite shocked to learn about the recent vulnerability in BASH that can leave servers wide open to attack. My SugarCRM system has been running on Ubuntu for the past two years, and has ports wide open to the net. Fortunately I had already disabled CGI access in Apache as bots were trying to exploit vulns, and Sugar wasn’t using CGI anyway, but this bug still scared the crap out of me.

So I read some blogs and checked out my system, and sure enough the command below revealed it was vulnerable:

$ env x='() { :;}; echo "vulnerable"' bash -c 'echo "test"'
vulnerable
test

The fact that the command managed to print the word “vulnerable” is the red flag.

Fortunately, updating BASH in my case was quite painless:

$ sudo apt-get update
[output snipped]
Fetched 3,399 kB in 4s (680 kB/s)
Reading package lists... Done

$ sudo apt-get install bash
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  bash-doc
The following packages will be upgraded:
  bash
1 upgraded, 0 newly installed, 0 to remove and 344 not upgraded.
Need to get 616 kB of archives.
After this operation, 12.3 kB of additional disk space will be used.
Get:1 http://gb.archive.ubuntu.com/ubuntu/ precise-updates/main bash i386 4.2-2ubuntu2.3 [616 kB]
Fetched 616 kB in 0s (1,222 kB/s)
(Reading database ... 254702 files and directories currently installed.)
Preparing to replace bash 4.2-2ubuntu2.1 (using .../bash_4.2-2ubuntu2.3_i386.deb) ...
Unpacking replacement bash ...
Processing triggers for menu ...
Processing triggers for man-db ...
Setting up bash (4.2-2ubuntu2.3) ...
update-alternatives: using /usr/share/man/man7/bash-builtins.7.gz to provide /usr/share/man/man7/builtins.7.gz (builtins.7.gz) in auto mode.
Processing triggers for menu ...

$ env x='() { :;}; echo "vulnerable"' bash -c 'echo "test"'

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
test

The word “vulnerable” is no longer printed so it seems that I’m okay now.
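As an added example (not part of the original post), the same probe wrapped in a reusable check, plus a scan of an Apache access log for the `() {` function-definition prefix that probes against CGI scripts carry in their headers. The marker string, function names and sample log lines are constructed for this example.

```sh
#!/bin/sh
# Added example, not from the original post: re-run the post's probe in a
# reusable form and scan a web access log for Shellshock probe strings.

# Prints "vulnerable" and returns 0 when the bash given as $1 executes the
# command that trails an environment-variable function definition; prints
# "patched" and returns 1 otherwise. Defaults to the bash found on PATH.
shellshock_status() {
    bash_bin="${1:-bash}"
    # Same probe as in the post, with a unique marker instead of "vulnerable".
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' "$bash_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo vulnerable; return 0 ;;
        *)                   echo patched;    return 1 ;;
    esac
}

# Writes constructed Apache combined-format lines to the file named by $1.
# Two requests carry the post's probe string in a header (User-Agent, Referer);
# the third is ordinary traffic.
write_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [25/Sep/2014:09:12:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "-" "() { :;}; echo vulnerable"
192.0.2.11 - - [25/Sep/2014:09:12:05 +0000] "GET /index.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
192.0.2.12 - - [25/Sep/2014:09:13:44 +0000] "GET / HTTP/1.1" 200 1033 "() { :;}; echo vulnerable" "curl/7.35.0"
EOF
}

# Prints the number of lines in log file $1 whose headers carry the "() {"
# prefix bash treats as an exported function definition. Fixed-string match,
# so the braces and parentheses are not interpreted as a pattern.
count_shellshock_probes() {
    grep -c -F '() {' "$1" || true
}

# Typical use on a real host:
#   shellshock_status /bin/bash
#   count_shellshock_probes /var/log/apache2/access.log
```

A non-zero probe count means bots were knocking on the web server whether or not bash was patched; on a patched host those requests only produce the "ignoring function definition attempt" warning shown above.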
