Differences between revisions 10 and 11
Revision 10 as of 2014-09-27 20:32:52
Size: 3333
Editor: WillDye
Comment: Add another link
Revision 11 as of 2014-09-29 18:44:55
Size: 4570
Editor: geirha
Comment: Code block to test for vulnerable bash binaries
Line 16: Line 16:

=== Are my bash binaries fixed? ===

Your OS should have patched bash by now, but maybe you have multiple binaries installed (some by the OS, some by other means) and want to check that all of them are safe. You can copy/paste the following snippet into a terminal emulator running bash or some other posix compliant shell.

Replace `/bin/bash` and `/usr/local/bin/bash` with the paths to the bash binaries you have installed/want to test in the for-loop below.

{{{
for s in /bin/bash /usr/local/bin/bash ; do
  VAR='() { :;};x=FAIL' "$s" -c 'printf "%-20s CVE-2014-6271 %-4s (%s)\n" "$BASH_VERSION" "${x-OK}" "$0"'
  VAR='() {}>\' "$s" -c '/dev/null x=FAIL;printf "%-20s CVE-2014-7169 %-4s (%s)\n" "$BASH_VERSION" "${x-OK}" "$0"'
done 2>/dev/null
}}}

The output will look something like this:
{{{
3.2.48(1)-release CVE-2014-6271 FAIL (/bin/bash)
3.2.48(1)-release CVE-2014-7169 FAIL (/bin/bash)
4.3.27(1)-release CVE-2014-6271 OK (/usr/local/bin/bash)
4.3.27(1)-release CVE-2014-7169 OK (/usr/local/bin/bash)
}}}

This shows that `/usr/local/bin/bash` is at version 4.3.27 and patched for both of the issues, while `/bin/bash` is at version 3.2.48 and fails both (meaning it is vulnerable).
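
Review bot: `done 2>/dev/null` on the for-loop discards the shell's own error messages along with the noise from the second test, so a mistyped or missing path in the list prints no line at all and the absence of a FAIL line can be mistaken for a pass. Suggest saying under the snippet that every listed path must produce two lines of output, or checking that each path is executable before the tests run. The closing sentence could also state that only CVE-2014-6271 and CVE-2014-7169 are tested, since "patched for both of the issues" is the only hint of that scope.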

What is the Shellshock vulnerability in Bash?

As of this writing (September 27th, 2014), the situation with Shellshock is changing so rapidly that you're probably better off using your preferred search engine instead of this FAQ. For example, you could search a news site for recent items which contain the word "Shellshock".

A quick summary is this:

  • The most recent updates should now fix all known Shellshock-related vulnerabilities.
  • Many systems were never vulnerable to a remote attack, but it's safer to patch all systems anyway.
  • Other potential problems were identified during the investigation, but are considered separate from the Shellshock bug.

Are my bash binaries fixed?

Your OS should have patched bash by now, but you may have multiple binaries installed (some by the OS, some by other means) and want to check that all of them are safe. You can copy and paste the following snippet into a terminal emulator running bash or another POSIX-compliant shell.

Replace /bin/bash and /usr/local/bin/bash with the paths to the bash binaries you have installed/want to test in the for-loop below.

{{{
for s in /bin/bash /usr/local/bin/bash ; do
  VAR='() { :;};x=FAIL' "$s" -c 'printf "%-20s CVE-2014-6271 %-4s (%s)\n" "$BASH_VERSION" "${x-OK}" "$0"'
  VAR='() {}>\' "$s" -c '/dev/null x=FAIL;printf "%-20s CVE-2014-7169 %-4s (%s)\n" "$BASH_VERSION" "${x-OK}" "$0"'
done 2>/dev/null
}}}

The output will look something like this:

{{{
3.2.48(1)-release    CVE-2014-6271 FAIL (/bin/bash)
3.2.48(1)-release    CVE-2014-7169 FAIL (/bin/bash)
4.3.27(1)-release    CVE-2014-6271 OK   (/usr/local/bin/bash)
4.3.27(1)-release    CVE-2014-7169 OK   (/usr/local/bin/bash)
}}}

This shows that /usr/local/bin/bash is at version 4.3.27 and patched for both of the issues, while /bin/bash is at version 3.2.48 and fails both (meaning it is vulnerable).
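
The same two checks from the snippet above, wrapped so they can run unattended over every bash listed in /etc/shells or found on PATH. This is an added example, not part of the original wiki page; the function names `check_bash`, `find_bashes` and `audit_bashes` and the `ERR` result for a binary that cannot be run are assumptions of this example.

```shell
#!/bin/sh
# Added example: the page's two checks as functions, run over every bash found.
# check_bash, find_bashes and audit_bashes are names made up for this example.

# Print OK, FAIL or ERR (binary could not be run) for one check.
# $1 = path to a bash binary, $2 = 6271 or 7169
check_bash() {
  case $2 in
    6271) r=$(VAR='() { :;};x=FAIL' "$1" -c 'printf %s "${x-OK}"' 2>/dev/null) || r= ;;
    7169) r=$(VAR='() {}>\' "$1" -c '/dev/null x=FAIL;printf %s "${x-OK}"' 2>/dev/null) || r= ;;
    *)    r= ;;
  esac
  printf '%s\n' "${r:-ERR}"
}

# List candidate binaries: bash entries in /etc/shells plus "bash" in each
# PATH directory. Only executable regular files are kept, duplicates dropped.
find_bashes() {
  (
    if [ -r /etc/shells ]; then grep '/bash$' /etc/shells || true; fi
    set -f; IFS=:
    for d in $PATH; do printf '%s\n' "${d:-.}/bash"; done
  ) | while IFS= read -r p; do
    if [ -f "$p" ] && [ -x "$p" ]; then printf '%s\n' "$p"; fi
  done | sort -u
}

# Print one line per binary and check, in the page's output format.
# Returns 1 if any result is not OK, so it can gate a cron job or CI step.
audit_bashes() {
  rc=0
  for s in "$@"; do
    ver=$("$s" -c 'printf %s "$BASH_VERSION"' 2>/dev/null) || ver=
    for cve in 6271 7169; do
      res=$(check_bash "$s" "$cve")
      [ "$res" = OK ] || rc=1
      printf '%-20s CVE-2014-%s %-4s (%s)\n' "${ver:-unknown}" "$cve" "$res" "$s"
    done
  done
  return "$rc"
}

# Paths containing whitespace are not handled by this unquoted expansion.
audit_bashes $(find_bashes) || echo "at least one check did not return OK" >&2
```

Unlike the loop above, a path that cannot be executed is reported as `ERR` instead of silently producing no output.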

After things stabilize a bit, this FAQ page should be updated with a better summary. For information about specific vulnerabilities related to Shellshock, you may find better results by searching for terms such as "CVE-2014-6271", "CVE-2014-7169", "CVE-2014-7186", or "CVE-2014-7187".

In the meantime, here are a few links that should help you get started:



BashFAQ/111 (last edited 2014-10-09 20:04:09 by GreyCat)