Friday, September 26, 2014

Bash Security Hole

There is a pretty serious bug in bash that you can read about in more detail in this article. In short, you are currently vulnerable and can test it by running this:

env x='() { :;}; echo vulnerable' bash -c "echo you are vulnerable"

If you see:

you are vulnerable

Then you are vulnerable. I tried it on all of my systems including OS X Mavericks and Ubuntu!
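The command passed to `bash -c` above prints its own text whether or not the injected `echo` ran, so the two outcomes are easy to confuse. The following is an added example, not part of the original post: it runs the same CVE-2014-6271 probe with a marker that appears only if the text after the function definition was executed. The marker string and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): CVE-2014-6271 check whose
# verdict does not depend on what the probe command itself prints.

MARKER="INJECTED_BY_ENV"   # constructed marker; any unlikely string works

# classify_output OUTPUT
# Prints "vulnerable" only if the marker appears as a whole line, meaning the
# command that trails the function definition in the variable was executed.
classify_output() {
    if printf '%s\n' "$1" | grep -qx "$MARKER"; then
        echo "vulnerable"
    else
        echo "not vulnerable"
    fi
}

# check_bash NAME_OR_PATH
# Runs the probe against one bash binary. stderr is discarded because a
# patched bash may print a warning about the ignored function definition.
check_bash() {
    bash_bin=$(command -v "$1" 2>/dev/null) || { echo "not found"; return 2; }
    out=$(env x="() { :;}; echo $MARKER" "$bash_bin" -c 'echo probe' 2>/dev/null)
    classify_output "$out"
}

# Check every binary named on the command line, or the bash on PATH if none
# is given. Systems often carry more than one bash (for example /bin/bash
# plus a separately installed copy), and each must be checked on its own.
[ $# -gt 0 ] || set -- bash
for b; do
    printf '%s: %s\n' "$b" "$(check_bash "$b")"
done
```

This covers only the original CVE-2014-6271 behaviour; a "not vulnerable" result says nothing about follow-up bugs from an incomplete fix.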


Jouni Aro said...

jaro-mac:~ jaro$ env x='() { :;}' bash -c "echo you are vulnerable!"
-bash: !": event not found


Our Ubuntu server actually says it's vulnerable according to the above (without '!'), although it was already updated according to

Jouni Aro said...

OK, the current fix does not really fix it; there's a new CVE:

"NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271"

Jouni Aro said...

Also pretty alarming writings about it at

Chris Bensen said...

Yes, this is very disturbing and the fact that there was a fix that doesn't fix it is equally disturbing.

So your Mac doesn't run the script?

Jouni Aro said...

Hmm, the article you provided actually defines the test as

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

and this test passes our fixed system (gives the warning as expected)

Jouni Aro said...

My Mac runs the original script, but not your version - the '!' breaks it

Chris Bensen said...

Fixed, thanks!

Jouni Aro said...

Apple has released a patch for this, and I thought it would have been applied with the latest Mavericks update. But apparently, it was not yet available for me, so I had to get it from

Now your test is displaying

you are vulnerable

whereas previously it displayed

you are vulnerable

The second bug apparently hasn't been fixed yet. I did not find any news about it from anywhere.

Chris Bensen said...

Thanks for the update!

