title: bash vulnerability test link: https://onemoretech.wordpress.com/2014/09/25/bash-vulnerability-test/ author: phil2nc description: post_id: 8491 created: 2014/09/25 08:12:16 created_gmt: 2014/09/25 12:12:16 comment_status: closed post_name: bash-vulnerability-test status: publish post_type: post

bash vulnerability test

The Fedora project posted a simple test to determine if a system is subject to the bash shell vulnerability CVE-2014-6271 announced yesterday. Another version of the test text can be found in an article by the Red Hat Security team:

[me@mine ~]$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the system is vulnerable the work "vulnerable" will be printed on the line before "this is a test" thus:

[me@mine ~]$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a rest

This flaw in bash was originally reported to Red Hat on 14 September. Fixes to their source trees were applied before the public announcement at 10 AM EDT on 24 September. Updates for Red Hat products were released 2 hours later. Per Red Hat a reboot is not required to effect these fixes. There is a second, related, bug CVE-2014-7169 that is currently the subject of a workaround found in Bash Code Injection Vulnerability via Specially Crafted Environment Variables, cited in the above-referenced announcements. That article details how the exploit works and provides Red Hat's analysis of common use cases (for example how a web server might be compromised). I consider it to be essential reading for all system administrators. Beyond updating bash, Red Hat recommends taking additional measures such as deploying mod_security for Apache web servers (configuring mod_security beyond the defaults is not a trivial task, but there's lots of good doc on the module's web site). Some good follow-up today from Jen Ellis of Security Street here, and another from John Leydon of the Register here.

Copyright 2004-2019 Phil Lembo