Security Issue bash : ShellShock CVE-2014-6271 and CVE-2014-7169 -> PATCHED!
A couple of days ago, two severe security vulnerabilities, collectively called ShellShock, were disclosed. They are in the bash package and affect all Red Hat based OSes (including CentOS), Debian, Ubuntu and Fedora.
At HostStage, we took the problem very seriously and deployed updates throughout our whole network. All our servers were patched immediately, and were even updated twice, after a second injection vulnerability was discovered.
Finally, given the criticality of the situation, we also decided to patch all our customers' servers. Managed cPanel servers were included by default, of course, but exceptionally we extended this to all OSes, and we did it manually for the most part.
Shared web hosting accounts were patched during our infrastructure update.
We have updated all Linux VPS and dedicated servers. Owners of the servers we weren’t able to update, due to a password issue or because of the inconvenience the update could have caused, should have received an email with the details needed to perform the bash update.
Windows VPS weren’t impacted by Shellshock.
If you have other servers that aren’t hosted by HostStage, you can test whether they are vulnerable with the commands below:
TEST OF CVE-2014-6271:
env var='() { ignore this;}; echo vulnerable' bash -c /bin/true
If this command prints “vulnerable”, your server needs to be patched; scroll down to find how to fix the vulnerability.
TEST OF CVE-2014-7169:
cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo
If this command produces the output below, you need to apply the update steps further down:
bash: x: line 1: syntax error near unexpected token `='
bash: x: line 1: `'
bash: error importing function definition for `x'
Fri Sep 26 11:49:58 GMT 2014
You should also be able to see a file named echo in /tmp (cat /tmp/echo).
If the command produces the following instead, your server is patched and up to date:
cat: /tmp/echo: No such file or directory
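The two checks above combined into one script, added here as an example and not part of HostStage's original post. It runs the CVE-2014-7169 test in a private mktemp directory instead of the shared /tmp, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not HostStage's code): the page's two Shellshock checks as
# functions. Function names are hypothetical, chosen for this example.

# CVE-2014-6271: a vulnerable bash runs the command trailing the function body.
check_6271() {
    bash_bin=${1:-bash}
    command -v "$bash_bin" >/dev/null 2>&1 || { echo missing; return 2; }
    out=$(env var='() { ignore this;}; echo vulnerable' \
          "$bash_bin" -c /bin/true 2>/dev/null) || true
    case $out in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# CVE-2014-7169: a vulnerable bash creates a file named "echo" in the current
# directory. Use a private mktemp directory instead of the shared /tmp.
check_7169() {
    bash_bin=${1:-bash}
    command -v "$bash_bin" >/dev/null 2>&1 || { echo missing; return 2; }
    work=$(mktemp -d) || return 2
    ( cd "$work" && env 'x=() { (a)=>\' "$bash_bin" -c "echo date" ) \
        >/dev/null 2>&1 || true
    if [ -e "$work/echo" ]; then result=vulnerable; else result=patched; fi
    rm -rf "$work"
    echo "$result"
}

# Print one line per CVE; return 0 only if both checks report "patched".
shellshock_status() {
    r1=$(check_6271 "$1") || true
    r2=$(check_7169 "$1") || true
    echo "CVE-2014-6271: $r1"
    echo "CVE-2014-7169: $r2"
    [ "$r1" = patched ] && [ "$r2" = patched ]
}

shellshock_status "${1:-bash}"
```

Pass the path of a specific bash binary as the first argument to test a copy other than the one found on PATH.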
Below are the steps to update the bash package for your Linux distribution:
CentOS:
yum clean all && yum update bash -y
Ubuntu 11.10:
sudo sed -i 's/oneiric/trusty/g' /etc/apt/sources.list && sudo apt-get update && sudo apt-get install bash -y
Ubuntu 12.10:
sudo sed -i 's/quantal/trusty/g' /etc/apt/sources.list && sudo apt-get update && sudo apt-get install bash -y
Ubuntu 13.10:
sudo sed -i 's/saucy/trusty/g' /etc/apt/sources.list && sudo apt-get update && sudo apt-get install bash -y
Other Ubuntu Versions:
1) Get the codename of your Ubuntu distribution by typing the following command:
lsb_release -a
This should give you the output below:
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu X.X
Release: X.X
Codename: <codename>
2) Then type the command below, replacing <codename> with your codename (without the < and >):
sudo sed -i 's/<codename>/trusty/g' /etc/apt/sources.list && sudo apt-get update && sudo apt-get install bash -y
Debian 6 Squeeze:
echo 'deb http://ftp.us.debian.org/debian squeeze-lts main non-free contrib' > /etc/apt/sources.list
apt-get update
apt-get install bash
Debian 7 Wheezy:
echo 'deb http://security.debian.org/ wheezy/updates main contrib non-free' > /etc/apt/sources.list
apt-get update
apt-get install bash