TR-27 - GNU Bash Critical Vulnerability - CVE-2014-6271 - CVE-2014-7169

Overview

A critical vulnerability has been discovered in GNU Bash: specially crafted environment variables can be abused to achieve local and remote code execution.

How to test if your bash is vulnerable

In a shell, execute the following to test whether the system-wide GNU Bash binary is vulnerable to CVE-2014-6271 (a vulnerable bash prints "vulnerable" before "test"):

env x='() { :;}; echo vulnerable' bash -c "echo test"

To test if you are vulnerable to CVE-2014-7169:

cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo

If the date is not printed, you are not vulnerable to CVE-2014-7169.
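
The two checks above wrapped into one script that takes the path of the binary to test, so it works for /bin/bash and for a freshly built ./bash alike. This is an added example, not part of the original advisory; the function names, the marker string and the use of a private scratch directory instead of /tmp are choices of this example.

```shell
#!/bin/sh
# Added example, not part of the advisory. Function names and the marker
# string are this example's own choices.

# check_6271 BASH_PATH: prints "vulnerable" or "not vulnerable".
check_6271() {
    bin=$1
    marker="CVE_2014_6271_MARKER"
    # Same payload shape as the advisory's test; a fixed bash does not run
    # the command that trails the function definition.
    out=$(env x="() { :;}; echo $marker" "$bin" -c "echo test" 2>/dev/null) || true
    case $out in
        *"$marker"*) echo "vulnerable" ;;
        *)           echo "not vulnerable" ;;
    esac
}

# check_7169 BASH_PATH: prints "vulnerable" or "not vulnerable".
check_7169() {
    bin=$1
    # Make a relative path such as ./bash absolute before changing directory.
    case $bin in /*) ;; */*) bin=$PWD/$bin ;; esac
    # Private scratch directory instead of the shared /tmp used above.
    dir=$(mktemp -d) || return 2
    # A vulnerable bash creates a file named "echo" in the current directory.
    (cd "$dir" && env 'x=() { (a)=>\' "$bin" -c "echo date" >/dev/null 2>&1) || true
    if [ -e "$dir/echo" ]; then result="vulnerable"; else result="not vulnerable"; fi
    rm -rf "$dir"
    echo "$result"
}

# report BASH_PATH: one line per CVE for the given binary.
report() {
    target=${1:-/bin/bash}
    echo "$target CVE-2014-6271: $(check_6271 "$target")"
    echo "$target CVE-2014-7169: $(check_7169 "$target")"
}

# Run only when a binary is named on the command line, e.g. ./bash.
if [ "$#" -gt 0 ]; then report "$1"; fi
```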

Recommendations

You should apply the GNU Bash updates provided by the software distributors.

If you don’t have a patch for your distribution, or if your distribution isn’t providing patches at all, follow the procedure below to patch your bash from the upstream GNU Bash repository.

Concerning the various GNU Bash patches, the most critical fixes are 025 to 027, which stop the bash parser from being exposed to untrusted input from environment variables. The later patches mainly address other recently discovered vulnerabilities with a lower impact than the original shellshock vulnerability.

Clone the current git repository of GNU Bash, which includes the patches bash43-025, bash43-026 (fixing the Yacc parsing bug), bash43-027, bash43-028 (fixing the bug reported by Florian Weimer), bash43-029 (fixing the bug reported by Michal Zalewski) and bash43-030:

git clone git://git.sv.gnu.org/bash.git
cd bash
./configure
make

Then you can test the bash version:

./bash --version

It should reflect version 4.3.30.

Then verify that the newly built binary is no longer vulnerable. Execute from the GNU Bash build directory:

env x='() { :;}; echo vulnerable' ./bash -c "echo test"

If your tests are successful, you can replace the existing GNU Bash binary. The ‘-f’ option is needed since the file is in use:

sudo cp -f ./bash /bin/bash

Don’t forget that currently running bash sessions need to be restarted; running instances can be checked with “lsof”.

Disabling the vulnerable bash functionality

Another option, described by Andreas Bogk, is to disable the whole vulnerable feature in bash. However, you’ll need to check whether the feature is required by any other software.

Contact

If you have any questions about this vulnerability, feel free to contact us.

Classification of this document

TLP:WHITE information may be distributed without restriction, subject to copyright controls.

Revision

  • Version 1.4 - 10 October 2014 - Bash patch 030 added - TLP:WHITE
  • Version 1.3 - 4 October 2014 - Bash patch 029 added + upstream ok - TLP:WHITE
  • Version 1.2 - 1 October 2014 - Bash patch 028 clarification added - TLP:WHITE
  • Version 1.1 - 29 September 2014 - Updates reflecting changes to GNU Bash upstream - TLP:WHITE
  • Version 1.0 - 24 September 2014 - TLP:WHITE