CVE-2014-6271: Vulnerability in Bash allows remote execution of arbitrary code

Patch instructions for CVE-2014-6271 and CVE-2014-7169 are at the end of this post.

UPDATE 1: Patching Bash may not be the end of this. There is still discussion about whether the changes completely fixed the issue.

UPDATE 2: Another patch being tested.

UPDATE 3: From Red Hat “Red Hat has become aware that the patch for CVE-2014-6271 is incomplete. An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions. The new issue has been assigned CVE-2014-7169. Red Hat is working on patches in conjunction with the upstream developers as a critical priority” – See page. Awaiting update on new patch.

UPDATE 4: Red Hat has expanded on just how bad this Bash vulnerability really is. Apparently it also affects ssh, Apache (httpd), dhclient, cups, sudo, Firefox, postfix, etc.

UPDATE 5 (Sept 25th @ 6AM PST): Red Hat advises to upgrade to the version of bash which contains the fix for CVE-2014-6271 (instructions below) and not wait for the patch which fixes CVE-2014-7169. CVE-2014-7169 is a less severe issue and patches for it are being worked on.

UPDATE 6 (Sept 25th @ 8:45AM PST): Red Hat seems to be having issues with their servers. Probably due to traffic overload. Avoid hitting refresh on their pages as that only compounds the issue. I’ve been checking pages once per hour.

UPDATE 7 (Sept 25th @ 9:50AM PST): Akamai has developed their own emergency patch for today’s vulnerability which makes function forwarding conditional on the compile-time switch “FUNCTION_EXPORT”. Patch shared here:

Update 8: Use the instructions below to patch. (update bash / system)

This morning a flaw was found in the way Bash evaluates certain environment variables. An attacker could use this flaw to override or bypass environment restrictions and execute shell commands. Because various services and applications allow remote unauthenticated attackers to provide environment variables, those attackers can exploit this issue. Details on CVE-2014-6271 from the MITRE CVE dictionary and NIST NVD (page pending creation).

The issue affects ALL products which use Bash shell and parse values of environment variables. This issue is especially dangerous as there are many possible ways Bash can be called by applications. Quite often if an application executes another binary, Bash is invoked to accomplish this. Because of the pervasive use of the Bash shell, this issue is quite serious and should be treated as such!

Bash CVE-2014-6271 Vulnerability Test

To test if your version of Bash is vulnerable run the following command:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If that command returns the following:

vulnerable
this is a test

…then you are using a vulnerable version of Bash and should patch immediately. The patch used to fix this issue ensures that no code is allowed after the end of a Bash function. Thus, if you run the above example with the patched version of Bash, you should get an output similar to:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
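
The test above, wrapped so it can be run against every Bash binary on a host and give a one-word verdict per path. This is an added example, not part of the original post; the function names and the list of candidate paths are assumptions. A "patched" verdict covers CVE-2014-6271 only, not CVE-2014-7169.

```shell
#!/usr/bin/env bash
# Added example: runs the CVE-2014-6271 test from this post against each
# bash binary found. Function names and candidate paths are assumptions.

# Classify captured output of the test: vulnerable | patched | unknown
classify_probe_output() {
    local out="$1"
    # A vulnerable bash runs the trailing command, so the marker word
    # appears as a line of its own. The warning lines never match -x.
    if printf '%s\n' "$out" | grep -qx 'vulnerable'; then
        echo vulnerable
    elif printf '%s\n' "$out" | grep -qx 'this is a test'; then
        echo patched      # CVE-2014-6271 only; says nothing about CVE-2014-7169
    else
        echo unknown      # binary did not behave like bash at all
    fi
}

# Run the post's test command against one bash binary.
check_bash() {
    local bash_bin="$1" out
    [ -x "$bash_bin" ] || { echo missing; return 0; }
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c "echo this is a test" 2>&1) || true
    classify_probe_output "$out"
}

# Check common install locations plus whatever is first on PATH.
# A locally built copy in /usr/local/bin is easy to miss when patching.
scan_bash_binaries() {
    local candidate
    for candidate in /bin/bash /usr/bin/bash /usr/local/bin/bash "$(command -v bash)"; do
        if [ -x "$candidate" ]; then
            printf '%s\t%s\n' "$candidate" "$(check_bash "$candidate")"
        fi
    done | sort -u
}

# Run as: ./check.sh scan
if [ "${1:-}" = "scan" ]; then
    scan_bash_binaries
fi
```

Run it again after applying the updates below; every listed path should then report patched.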

Patching CVE-2014-6271 and CVE-2014-7169 Bash Vulnerability

CentOS/Fedora/Red Hat CVE-2014-6271 patch:

yum update

Ubuntu/Debian CVE-2014-6271 patch:

apt-get update
apt-get upgrade

Arch Linux CVE-2014-6271 patch:

pacman -Syu
