I’m sure most of you are familiar with the Heartbleed vulnerability in OpenSSL and how it affected applications and systems across the internet. Well, a new vulnerability has appeared, and it is potentially much worse. While this vulnerability is new to the public, it has been a “bug” for over 25 years and is just now being exploited on a much larger scale.
Shellshock Video:
Here is a quick video explaining Shellshock: https://www.youtube.com/watch?v=aKShnpOXqn0
Shellshock Test:
In order to test for the Shellshock bash vulnerability you can run this test command from Terminal:
env x='() { :;}; echo vulnerable' bash -c 'echo hello'
If you’re not vulnerable, you’ll get this result:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello
If you are vulnerable to Shellshock, you’ll get:
vulnerable
hello
You may also need to check the version of bash you’re running by entering:
bash --version
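The test and version check above, wrapped into a small POSIX sh script so it can be run on many hosts and the result parsed. This is an added example, not part of the original post; it assumes a bash binary is on PATH (or its path is passed as the first argument), and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): separates running the probe
# from classifying its output, so the classifier can be checked on its own.

# Classify the stdout of the probe command. A patched bash refuses to import
# the function definition and prints only "hello"; an unpatched bash runs the
# trailing "echo vulnerable" while importing the environment variable.
classify_shellshock_output() {
    case "$1" in
        *vulnerable*) echo "vulnerable" ;;
        hello)        echo "patched" ;;
        *)            echo "unknown" ;;
    esac
}

# Run the probe against a bash binary (default: bash from PATH). stderr is
# discarded because the warning a patched bash prints there is expected.
probe_shellshock() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo hello' 2>/dev/null)
    classify_shellshock_output "$out"
}

# Report the result next to "bash --version" so results from a fleet scan can
# be correlated with the installed build.
shellshock_report() {
    bash_bin="${1:-bash}"
    result=$(probe_shellshock "$bash_bin")
    version=$("$bash_bin" --version 2>/dev/null | head -n 1)
    echo "$bash_bin: $result (${version:-version unavailable})"
}

shellshock_report "$@"
```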
Shellshock Fix:
Many Linux distributions already have patches available, and Apple/Mac users now have a patch available which you can download and install here.
Redhat Shellshock Fix: https://access.redhat.com/articles/1200223
SUSE Shellshock Fix: https://www.suse.com/support/shellshock/
Ubuntu Shellshock Fix: http://www.ubuntu.com/usn/usn-2362-1/
EMC products affected by Shellshock: https://emc--c.na5.visual.force.com/apex/KB_Non_ESA_Security?id=kA4700000008OfN
Cisco products affected by Shellshock: http://tools.cisco.com/security/center/mcontent/CiscoSecurityAdvisory/cisco-sa-20140926-bash
VMware products affected by Shellshock: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2090740
This can potentially be one of the most dangerous vulnerabilities because of how easy it is to exploit. However, it is also one of the easiest to fix and patch. Make sure all of your systems are updated with the latest security patches and you shouldn’t have an issue. If you have any comments or need assistance, leave me a comment below and I will address them.
Update: I have been getting asked how to patch Windows for the vulnerability, so, just to be clear, Windows machines and Windows servers do not run Bash.