Updating your Dedicated, VPS or VM Linux Server to mitigate the ShellShock vulnerability
Posted by zz-James Moir on 21 June 2016 04:08 PM
What is this Shellshock thing about?

Shellshock is a vulnerability in bash, the most commonly used "shell" on Linux and Mac OS X servers. The bug had been in the bash source since 1989 and was disclosed in September 2014. The shell is what you are presented with when you connect to a terminal session on your server: the command-line interface to the machine. Bash lets a parent process hand function definitions to a child shell through environment variables. A vulnerable bash does not stop parsing at the end of the function body, so any commands that follow the closing brace in the variable's value are executed as soon as the shell starts. Anyone who can set an environment variable before bash is run can therefore run arbitrary commands with the privileges of the process that started bash. For further details see http://en.wikipedia.org/wiki/Shellshock_(software_bug)#Background

Will this affect me?

If any of your internet-facing programs use CGI to run commands on the server, you are affected. It does not matter whether bash is called directly or via a PHP, Perl or other script that shells out: the web server copies request headers (User-Agent, Referer, Cookie and so on) into environment variables before starting the CGI program, so an attacker controls their contents. To be clear, if your web server uses CGI it is most likely affected. If it does not use CGI at all (CGI has been regarded as a security risk in general for some time) then your web server is not exploitable through this vulnerability.

If you allow SSH access into your server (which almost everyone does) then the exploit can also be used over SSH. The attacker needs a valid login first, so the risk is from your own users, in particular accounts whose keys are restricted with ForceCommand (for example git-only or rsync-only keys), which can use the bug to run any command. Restricting SSH access to specific source addresses and enforcing strong passwords reduces the exposure but does not remove it; only updating bash does.

It is conceivable that a DHCP server could be compromised and then used to issue Shellshock attacks against your internal computers, since many DHCP clients hand the options they receive to a shell script. Any internal system can be used to attack any other using Shellshock, but again, it would need to be compromised in some other fashion first.

How do I tell if my version of bash is vulnerable?

First of all, be aware that only servers running bash are affected by this vulnerability. Log in to your computer via SSH (or telnet) as per your normal command-line access method, then copy and paste the following line into your terminal session:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

A fixed bash prints only:

this is a test

(possibly preceded by a warning on stderr that it is ignoring the function definition attempt). If you receive the following two lines back then your bash version is affected:

vulnerable
this is a test

What can I do about it?

For web-facing servers, the best approach is to ensure that CGI is not being used. If that is not possible, or for all other servers, then "patching" (updating) the bash program is required. How to do this varies depending on which version of Linux your computers are running. To find out which one you have, run:

cat /etc/redhat-release || cat /etc/issue

Note that the first Shellshock fix (CVE-2014-6271) turned out to be incomplete and was followed by further bash updates (CVE-2014-7169 and others), so make sure your package repository is fully up to date and re-run the test after updating.

CentOS

First try updating the bash package with the system package manager, yum.
If this succeeds then remember to run the test command above again to confirm that the update actually fixed the problem.

Ubuntu

Update the bash package with apt-get. If this succeeds then remember to run the test command above again to confirm that the update actually fixed the problem.

Debian

Debian 5 (Lenny) is no longer supported by Debian, so you are required to upgrade to a later version.

Debian 6 (Squeeze)

Squeeze only receives the fix from the long-term-support archive, so that archive is added to the sources list first. The following commands need to be run:

echo "deb http://http.debian.net/debian squeeze-lts main contrib non-free" >> /etc/apt/sources.list
apt-get update
apt-get install bash

If you get a NO_PUBKEY warning then run the following:

apt-get install debian-archive-keyring
apt-get update
apt-get install bash

If this succeeds then remember to run the following command to test that the update actually fixed the problem:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

Debian 7 (Wheezy)

apt-get update && apt-get install bash
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

Windows using Cygwin

The easiest method to update Cygwin is to download a fresh copy of the setup program and use that to update. If you wish to update from within Cygwin via the command line, see the FAQ for apt-cyg here: https://code.google.com/p/apt-cyg/

FreeBSD

Updating FreeBSD depends on how you installed the bash package (bash is not part of the FreeBSD base system, and the base /bin/sh is a different shell that is not affected). If you are using the more traditional ports system, in our opinion (opinions do vary on this) the best way to update the ports tree is via portsnap.
Once the ports tree has been updated, the portmaster tool is preferred for actually upgrading the installed ports. Once portmaster is installed, use it to upgrade the bash port (shells/bash), then run the test command above again to confirm the fix.
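The script below is added here as a worked example and is not part of the original article. It automates the two steps the article describes: it runs the same probe as the one-liner above against the local bash and reads the result programmatically (through any variable name, so HTTP_USER_AGENT, which a CGI web server exports from the request's User-Agent header, can be tried as well), and it reads an os-release file to suggest the package-manager command for the host. The command strings (yum update bash, apt-get install --only-upgrade bash, portsnap and portmaster) are the editor's assumption of the standard update commands for each family, not the lines the article lost; the os-release contents used in the checks are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): probe bash for the original
# Shellshock bug (CVE-2014-6271) and suggest the distribution's update command.

# shellshock_status [VARNAME] [BASH]
# Prints "vulnerable", "patched" or "no-bash".  VARNAME defaults to "x" as in
# the article's one-liner; pass HTTP_USER_AGENT to mimic the variable a CGI
# web server exports from the request's User-Agent header.
shellshock_status() {
    ss_var=${1:-x}
    ss_bash=${2:-bash}
    if ! command -v "$ss_bash" >/dev/null 2>&1; then
        echo no-bash
        return 0
    fi
    # The value looks like an exported function.  A vulnerable bash keeps
    # parsing after the closing brace and runs "echo vulnerable" while it
    # starts up; a fixed bash ignores the definition (possibly warning on
    # stderr) and prints only "this is a test".
    ss_out=$(env "${ss_var}=() { :;}; echo vulnerable" "$ss_bash" -c 'echo this is a test' 2>&1 || true)
    case $ss_out in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# recommended_update_command [OS_RELEASE_FILE]
# Reads ID and ID_LIKE from an os-release file (default /etc/os-release) and
# prints the command that updates the bash package.  The commands are the
# editor's assumption of the standard ones for each family (hypothetical
# mapping, not from the article).
recommended_update_command() {
    ru_file=${1:-/etc/os-release}
    if [ ! -r "$ru_file" ]; then
        echo unknown
        return 1
    fi
    ru_id=$(sed -n 's/^ID=//p' "$ru_file" | tr -d '"')
    ru_like=$(sed -n 's/^ID_LIKE=//p' "$ru_file" | tr -d '"')
    case "$ru_id $ru_like" in
        *centos*|*rhel*|*fedora*) echo "yum update bash" ;;
        *debian*|*ubuntu*)        echo "apt-get update && apt-get install --only-upgrade bash" ;;
        *freebsd*)                echo "portsnap fetch update && portmaster shells/bash" ;;
        *)                        echo unknown; return 1 ;;
    esac
}

# Report for the current host when run as a script.
echo "bash (plain variable):   $(shellshock_status x)"
echo "bash (CGI-style header): $(shellshock_status HTTP_USER_AGENT)"
echo "suggested update:        $(recommended_update_command)"
```

Run it once before and once after updating: the first two lines must change from "vulnerable" to "patched". Because the probe only covers CVE-2014-6271, a "patched" result still leaves you to confirm that the installed bash also carries the follow-up fixes, which is why the package repository must be fully current before you update.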