Fixing CVE-2014-6271 remote code execution through bash on Ubuntu and CentOS

Fixing CVE-2014-6271

In many common configurations, this vulnerability is exploitable over the network.

Chet Ramey, the GNU bash upstream maintainer, will soon release official upstream patches.

Issue with CVE-2014-6271

http://seclists.org/oss-sec/2014/q3/649

Stephane Chazelas discovered a vulnerability in bash, related to how environment variables are processed: trailing code in function definitions was executed, independent of the variable name.

Quick responses from distributions

Ubuntu’s statement is available here: http://www.ubuntu.com/usn/usn-2362-1/

CentOS released this: http://lists.centos.org/pipermail/centos-announce/2014-September/020582.html

Red Hat released this: https://access.redhat.com/solutions/1207723

Are you vulnerable to CVE-2014-6271?

On your GNU/Linux system, type echo $0. If the output is -bash, you are running bash.

Test whether your system is vulnerable. Make sure your shell is bash; if it isn't, type bash to start a bash shell, then run:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

You are vulnerable if the output is:
vulnerable
this is a test
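As an added example (not part of the original post), the probe above wrapped in a small POSIX sh script that gives a parseable result: a patched bash prints "ignoring function definition attempt" warnings on stderr, so the script looks for a unique marker string rather than the word "vulnerable". The marker SHELLSHOCK_MARKER and the function names are my own choice.

```shell
#!/bin/sh
# Added example: a small CVE-2014-6271 check script (not from the original page).
# It runs the same environment-variable probe the page shows, but prints a
# unique marker so the result can be parsed even when a patched bash writes
# warnings about the ignored function definition to stderr.

# Run the probe against a bash binary (argument 1; defaults to the bash on
# PATH) and print its combined stdout and stderr.
shellshock_probe() {
    _bash="${1:-bash}"
    env x='() { :;}; echo SHELLSHOCK_MARKER' "$_bash" -c "echo probe-ran" 2>&1
}

# Return 0 (true) if the probe output shows that the code trailing the
# function definition was executed, 1 (false) otherwise.
is_vulnerable_output() {
    case "$1" in
        *SHELLSHOCK_MARKER*) return 0 ;;
        *) return 1 ;;
    esac
}

# Full check: prints a verdict with the bash version. Exit status 0 means the
# binary ignores the trailing code (patched), 1 means it executed it.
shellshock_check() {
    _bin="${1:-bash}"
    _ver="$("$_bin" -c 'echo "$BASH_VERSION"' 2>/dev/null)"
    if is_vulnerable_output "$(shellshock_probe "$_bin")"; then
        echo "VULNERABLE: $_bin ($_ver) executed code after a function definition"
        return 1
    fi
    echo "OK: $_bin ($_ver) ignores code after an imported function definition"
    return 0
}

# Example use: shellshock_check /bin/bash
```

Run it again after the package upgrade below; the exit status makes it easy to use from a configuration-management or monitoring job across many hosts.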

Fix CVE-2014-6271 on Ubuntu

Type this:

sudo apt-get update && sudo apt-get --only-upgrade install bash

Ubuntu 10.04 LTS may use:

sudo apt-get update && sudo apt-get install bash

Ensure that the output contains something like this:

The following packages will be upgraded:

bash
1 upgraded, 0 newly installed, 0 to remove…

Test for vulnerability again. If possible, reboot the system.

Fix CVE-2014-6271 on CentOS

On Red Hat/CentOS, use this command and then retest for the vulnerability:

sudo yum clean all && sudo yum update bash

Ensure that the output contains something like this:

Updated:
bash.x86_64 0:3.2-33.el5.1 (your version may be different)