Recently a new bug, named ShellShock, was announced as CVE-2014-6271 in the National Vulnerability Database. It might be even more dangerous than the SSL bug „Heartbleed“ that occurred some months ago.
An overview, according to the web site:
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.
A simple test can give you an idea of whether your system is vulnerable:
user@seiler.it:~$ env x='() { :;}; echo vulnerable' bash -c "echo testing..."
vulnerable
testing...
If you see both „vulnerable“ and „testing…“ as output on your bash shell, it is time for an upgrade.
user@seiler.it:~$ apt-get update
user@seiler.it:~$ apt-get upgrade
The following packages will be upgraded:
... bash ...
Preparing to replace bash 4.2-2ubuntu2.1 (durch .../bash_4.2-2ubuntu2.2_i386.deb) ...
Substitute for bash is being unpacked ...
After the installation has completed successfully, you should run the test again. If everything went right, the output is as follows.
user@seiler.it:~$ env x='() { :;}; echo vulnerable' bash -c "echo testing..."
bash: Warnung: x: ignoring function definition attempt
bash: Fehler beim Importieren der Funktionsdefinition.
testing...
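As an added example (not part of the original post), the same probe wrapped in a POSIX sh function that an audit script can run against any bash binary and branch on its exit status; it assumes only that `env` and the bash being checked are reachable, and it forces the C locale so the post-patch warning is matched regardless of the system language.

```shell
#!/bin/sh
# shellshock_check [path-to-bash]
# Runs the CVE-2014-6271 probe from the post above against the given bash
# binary (default: the bash found on PATH) and classifies the result.
# Exit status: 0 = vulnerable, 1 = patched, 2 = bash binary not found.
shellshock_check() {
    bin="${1:-bash}"
    if ! command -v "$bin" >/dev/null 2>&1; then
        echo "no bash binary at '$bin'"
        return 2
    fi
    # The probe: an exported variable whose value is a function definition
    # followed by a trailing command. A vulnerable bash runs the trailing
    # "echo vulnerable" while importing the function; a patched bash only
    # prints "testing..." (and, on the first fix, a warning on stderr).
    # LC_ALL=C keeps bash's messages in English so the match below works.
    out=$(env LC_ALL=C x='() { :;}; echo vulnerable' "$bin" -c 'echo testing...' 2>&1)
    case "$out" in
        *vulnerable*)
            echo "VULNERABLE: $bin executed the trailing command"
            return 0 ;;
        *"ignoring function definition attempt"*)
            echo "patched: $bin refused to import the function definition"
            return 1 ;;
        *)
            echo "patched: $bin did not execute the trailing command"
            return 1 ;;
    esac
}
```

Run it as `shellshock_check /bin/bash; echo "status: $?"` on each host; a status of 0 means the upgrade described above is still outstanding.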