What is the CVE-2014-6271 bash vulnerability, and how do I fix it?

Kerjaan

Recently, there have been news going around regarding “CVE-2014-6271” (See USN-2362-1), which is a vulnerability in Bash. How do I know if I am affected by this, how can I fix it, and why should I care?

vulnerable

What is Bash?

Bash is the default interactive shell in Ubuntu. When you are interfacing with the terminal (either through the terminal emulator, over a tty, or ssh), you are generally typing commands that bash will read, and execute. Even if you do not use the terminal at all, you still have Bash.

On Ubuntu, /bin/sh is not bash (it is dash). Only bash is affected by this vulnerability.

How does the exploit affect me?

Bash and the OS keep track of a set of environment variables that describe the current logged-on user, where to look for programs on the hard disk, and other such functions. By crafting an environment variable with a specific structure, an attacker might be able to execute code next time Bash starts.

The attacker can set that environment variable multiple ways:

  • Remotely connect to a service such as SSH with a specific setup such as git over ssh. As Mitre warns, the use of the sshd ForceCommand option is an attack vector. Accounts whose shell isn’t bash aren’t affected.
  • Tricking you into setting the environment variable.
  • Causing another program to set an environment variable to have that crafted value. For example, you might have a webserver and script that needs to set an environment variable with specific user content. Even if that script creates its own, and doesn’t touch other environment variables, it’s enough. A single environment variable with any name and a crafted value is enough for the exploit to succeed.
  • Other ways I have not mentioned here.

Once they set this variable, the next time bash opens for any reason, your attacker’s code will be run. This is especially fearsome with sudo -s, as it spawns bash as the super-user (an administrative user rule that has full control over your computer’s data and programs). Even if you only start bash as a standard user, that user’s files can be deleted.

It is important to note that even if you do not use bash yourself, many programs will spawn bash by themselves as part of their operation. Even in this case, you are vulnerable. However, Ubuntu’s /bin/sh is not bash, so only programs that explicitly invoke bash and not the default scripting shell are affected.

According to Mitre:

vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

Am I vulnerable?

Edit for the time being: You are. No complete public fix has been posted yet, for the new CVE (CVE-2014-7169). The instructions I give below are only sufficient to close off part of the vulnerability.

There is an easy check. Open a terminal and paste the following:

It simply sets the environment variable called x to the value ‘() { :;}; echo vulnerable’. It then invokes bash asking it to echo back the word hello. The value of x that is set is a function definition that should do nothing. However, it is crafted to try to run ‘echo vulnerable’ at parsing of environment at bash start-up, which just prints vulnerable to standard out.

If you are not vulnerable, then the following will be shown:

If you are vulnerable, then you will see:

How do I update?

The standard update manager will offer you this update. This is a prime example of how security updates are important, no matter what OS you use or how well-maintained it is.

The USN Bulletin states that new versions have been released for Ubuntu 14.04 Trusty Tahr, 12.04 Precise Pangolin, and 10.04 Lucid Lynx. If you are not on one of these LTS versions, but are on a reasonably-recent version, you’ll most likely be able to find a patched package.

The fixed versions are 4.2+dfsg-0.1+deb7u3 (debian), 4.3-7ubuntu1.1, 4.2-2ubuntu2.2, and 4.1-2ubuntu3.1. You can perform this update using apt-get.

First, check your package version:

This will look up info on your bash package, and filter the output to only show you the version.

For example, I see:

and can determine that I am not vulnerable.

If you are vulnerable, you should first grab the newest package lists:

The first command makes sure that you have the newest package list that includes the fixed version, and the second command installs the newest (fixed) version of bash.

solve

While the bug only appears to come into play when bash is spawned, it’s still a good idea to reboot immediately if feasible.

Leave a Comment