Friday, September 26, 2014

Bash Security Hole

There is a pretty serious bug in bash that you can read about in more detail in this article: http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it. In short, you are currently vulnerable and can test it by running this:

env x='() { :;}; echo vulnerable' bash -c "echo you are vulnerable"

If you see:

you are vulnerable

Then you are vulnerable. I tried it on all of my systems including OS X Mavericks and Ubundu!

9 comments:

Jouni Aro said...

jaro-mac:~ jaro$ env x='() { :;}' bash -c "echo you are vulnerable!"
-bash: !": event not found

;)

Our Ubuntu server actually says it's vulnerable according to the above (without '!'), although it was already updated according to http://www.ubuntu.com/usn/usn-2362-1/

Jouni Aro said...

OK, the current fix does not really fix it; there's a new CVE: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169

"NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271"

Jouni Aro said...

Also pretty alarming writings about it at
http://arstechnica.com/security/2014/09/concern-over-bash-vulnerability-grows-as-exploit-reported-in-the-wild/

Chris Bensen said...

Yes, this is very disturbing and the fact that there was a fix that doesn't fix it is equally disturbing.

So your Mac doesn't run the script?

Jouni Aro said...

Hmm, the article you provided actually defines the test as

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

and this test passes our fixed system (gives the warning as expected)

Jouni Aro said...

My Mac runs the original script, but not your version - the '!' breaks it

Chris Bensen said...

Fixed, thanks!

Jouni Aro said...

Apple has released a patch for this, and I thought it would have been applied with the latest Mavericks update. But apparently, it was not yet available for me, so I he'd to get it from
http://support.apple.com/kb/DL1769

Now your test is displaying

you are vulnerable

whereas previously it displayed

vulnerable
you are vulnerable

The second bug apparently hasn't been fixed yet. I did not find any news about it from anywhere.

Chris Bensen said...

Thanks for the update!

Post a Comment