Updating your Dedicated, VPS or VM Linux Server to mitigate the ShellShock vulnerability
Posted by James Moir on 21 June 2016 04:08 PM

What is this Shellshock thing about?

Some 20-odd years ago a vulnerability was introduced into a program called bash, which is the most commonly used "shell" on Linux and Mac OS X servers. The shell is what you are presented with when you connect to a terminal session on your server. It's the command-line interface to the machine.

This vulnerability allows for commands to be passed to the shell program from environment variables that can be set before the shell program is run. For further details see http://en.wikipedia.org/wiki/Shellshock_(software_bug)#Background

Will this affect me?

If any of your internet-facing programs use CGI to run commands on the server you will be affected. It does not matter whether the bash program is called directly or via a PHP, Perl or other programming script. To be clear, if your webserver uses CGI it is most likely affected. If it does not use CGI at all (CGI has been known as a security risk in general for some time) then your webserver is not exploitable by this vulnerability.

If you allow SSH access into your server (which almost everyone does) then it is possible for the exploit to be used. Note that the user MUST be logged in for this exploit to work, so restricting access to specific addresses and enforcing strict passwords should mitigate the vulnerability.

It is conceivable that a DHCP server could be compromised and then used to issue shellshock attacks against your internal computers.

Any internal systems can be used to attack any others using Shellshock, but again, these would need to be compromised in some other fashion first to gain access to be able to issue shellshock attacks.

How do I tell if my version of Bash is vulnerable?

First of all, you need to be aware that only servers running bash are affected by this vulnerability.
As such, operating systems like FreeBSD which utilise the original shell program are not affected by default but would be affected if you had subsequently installed bash on these.

Log in to your computer via ssh or telnet as per your normal command-line access method.

Copy and paste the following line into your terminal session.

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you receive the following line then your bash version is not affected :

this is a test

If you receive the following lines back then your bash version is affected :

vulnerable
this is a test
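
The check above, wrapped so that it can be run against every copy of bash on a machine, including the .old backups made in the OS X section further down. This is an added example, not part of the original article; the function names, result words and the list of paths are assumptions, and paths must be absolute.

```shell
#!/bin/sh
# Added example: run the article's test line against each shell binary.
# Function names and the path list are assumptions made for this example.

# probe_bash ABSOLUTE_PATH -> prints: missing | vulnerable | ok | error
probe_bash() {
    shell_path=$1
    if [ ! -x "$shell_path" ]; then
        echo missing
        return 0
    fi
    # Same probe as in the article, run with an otherwise empty environment
    # so nothing in the caller's environment can affect the result.
    out=$(env -i x='() { :;}; echo vulnerable' "$shell_path" \
              -c 'echo this is a test' 2>/dev/null) || true
    case $out in
        *vulnerable*)     echo vulnerable ;;
        "this is a test") echo ok ;;
        *)                echo error ;;
    esac
}

# audit_shells PATH... -> prints one "result path" line per argument and
# returns 1 if any binary is vulnerable, so it can drive a cron alert.
audit_shells() {
    rc=0
    for p in "$@"; do
        result=$(probe_bash "$p")
        printf '%-10s %s\n' "$result" "$p"
        if [ "$result" = vulnerable ]; then
            rc=1
        fi
    done
    return $rc
}

# Assumed candidate locations; adjust to your system.
audit_shells /bin/bash /usr/bin/bash /usr/local/bin/bash \
             /bin/bash.old /bin/sh.old \
    || echo "at least one vulnerable shell found" >&2
```

A shell that is not bash at all (for example the original sh on FreeBSD) reports ok, because it never evaluates the variable.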

What can I do about it?

For web-facing servers, the best approach is to ensure that CGI is not being used. If that is not possible, or for all other servers, "patching" or updating the bash program is required.

How to do this varies depending on which version of Linux your computers are running.

To find out if you are using a 32 bit or 64 bit version of Linux run the following command in your command-line session:
uname -m

An "x86" response means you are running a 32 bit kernel and an "x86_64" response means you are running a 64 bit kernel.
Finding out which version of the Linux OS you are running is only a little more involved.
You will need to run the following command :

cat /etc/redhat-release || cat /etc/issue


The output of this command will display what version of Linux you are running and the version number. You can then click on the links below to be taken to the appropriate section.

CentOS

First try running :

yum -y update bash

If this succeeds then remember to run the following command to test that the update actually fixed the problem.
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If that fails then yum is not installed and you will need to run the commands below.

CentOS Version and Command

CentOS 5 32bit:
rpm -Uvh http://mirror.centos.org/centos/5/updates/i386/RPMS/bash-3.2-33.el5_10.4.i386.rpm

CentOS 5 64bit:
rpm -Uvh http://mirror.centos.org/centos/5/updates/x86_64/RPMS/bash-3.2-33.el5_10.4.x86_64.rpm

CentOS 6 32bit:
rpm -Uvh http://mirror.centos.org/centos/6/updates/i386/Packages/bash-4.1.2-15.el6_5.2.i686.rpm

CentOS 6 64bit:
rpm -Uvh http://mirror.centos.org/centos/6/updates/x86_64/Packages/bash-4.1.2-15.el6_5.2.x86_64.rpm

If this succeeds then remember to run the following command to test that the update actually fixed the problem.
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

Ubuntu

Run the following command :

apt-get update && apt-get install bash

If this succeeds then remember to run the following command to test that the update actually fixed the problem.
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

Debian

Debian 5 (Lenny) is no longer supported by Debian and so you are required to upgrade to a later version.

Debian 6 (Squeeze)

The following command line instructions need to be run :

echo "deb http://http.debian.net/debian squeeze-lts main contrib non-free" >> /etc/apt/sources.list
apt-get update
apt-get install bash

If you get a NO_PUBKEY warning or error then run the following :

apt-get install debian-archive-keyring
apt-get update
apt-get install bash

If this succeeds then remember to run the following command to test that the update actually fixed the problem.
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

Debian 7 (Wheezy)

apt-get update && apt-get install bash

If this succeeds then remember to run the following command to test that the update actually fixed the problem.
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

Windows using Cygwin

The easiest method to update Cygwin is to download a fresh copy of the setup program and use that to update.
If you wish to update from within Cygwin via the command line see the FAQ for apt-cyg here : https://code.google.com/p/apt-cyg/

FreeBSD

Updating FreeBSD depends on how you have installed the Bash package.

If you have installed the "pkg" program and are using binary packages then running
pkg upgrade bash
may be all you need to do.

If you are using the more traditional ports system then, in our opinion (opinions do vary on this), the best way to update ports is via portsnap.

  1. To download a compressed snapshot of the Ports Collection into /var/db/portsnap:
    # portsnap fetch

  2. When running Portsnap for the first time, extract the snapshot into /usr/ports:
    # portsnap extract

  3. After the first use of Portsnap has been completed as shown above, /usr/ports can be updated as needed by running:
    # portsnap fetch
    # portsnap update

Once the ports tree has been updated, the portmaster tool is the preferred way to actually upgrade the installed ports.

If you have not installed this already you can do so via :
# cd /usr/ports/ports-mgmt/portmaster
# make install clean

Once portmaster is installed, to upgrade bash run the following command :
# portmaster shells/bash

Apple OS X

Your MacBooks are unlikely to be affected if other Shellshock attack methods have been resolved via any of the steps above.
Apple are working on a fix for their software, so the instructions below should only be attempted if you have an OS X server that is internet facing and you have good backups. This information comes from an internet forum (http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-shellshock-the-remote-exploit-cve-2014-6271-an) and while the steps are bona fide, they should not be undertaken lightly.

From an OS X command line, copy the code block below, go into Terminal and then run pbpaste | cut -c 2- | sh

$ mkdir bash-fix
$ cd bash-fix
$ curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
$ cd bash-92/bash-3.2
$ curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0
$ curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-053 | patch -p0
$ # See note above about ADD_IMPORT_FUNCTIONS_PATCH
$ [ "$ADD_IMPORT_FUNCTIONS_PATCH" == "YES" ] && curl http://alblue.bandlem.com/import_functions.patch | patch -p0
$ [ "$ADD_IMPORT_FUNCTIONS_PATCH" == "YES" ] || curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-054 | patch -p0
$ cd ..
$ xcodebuild
$ build/Release/bash --version # GNU bash, version 3.2.54(1)-release
$ build/Release/sh --version   # GNU bash, version 3.2.54(1)-release
$ sudo cp /bin/bash /bin/bash.old
$ sudo cp /bin/sh /bin/sh.old
$ sudo cp build/Release/bash /bin
$ sudo cp build/Release/sh /bin


After this, the Bash version should be v3.2.54:

$ bash --version
GNU bash, version 3.2.54(1)-release (x86_64-apple-darwin13)
Copyright (C) 2007 Free Software Foundation, Inc.


For security, and after testing, it is recommended that you chmod -x the old versions to ensure they aren't re-used, or move them to a backup site.
$ sudo chmod a-x /bin/bash.old /bin/sh.old