I've seen a lot of posts with simply wrong or overly complicated solutions. Let this be VERY simple:
Check if you're vulnerable:
env var='() { :;}; echo Vulnerable' bash -c /bin/true
If you are vulnerable, you will see "Vulnerable" as output, otherwise you'll see something like
bash: warning: var: ignoring function definition attempt
bash: error importing function definition for `var'
(Partly taken from community.qualys.com)
If you are vulnerable, you have to update bash. Be careful:
THE BUG IS NOT FIXED IN EVERY BASH VERSION!!!
In this post (AskUbuntu) it is said that there are only a few fixed versions: 4.3-7ubuntu1.3, 4.2-2ubuntu2.2, and 4.1-2ubuntu3.1. Well, I tested just 4.2-ubuntu2.2 and it was vulnerable. I found out anyway that version 4.2-2ubuntu2.3 is not vulnerable.
So the solution (you don't need to upgrade everything, and in one case I had to downgrade bash from 4.1-5 for instance):
apt-get update
apt-get install bash=4.2-2ubuntu2.3
Run the test again (always check after applying patches).
With this exact version the bug for me is fixed, and reading around the internet it seems that it should be so. Other bash versions (4.2-2ubuntu2.2 for instance) are safe against our example but vulnerable against variations of the same concept.
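The "check again after patching" step, as an added shell example that is not part of the original post: it runs the same probe against every bash binary given (or found via $PATH and /etc/shells) and labels each result. The function names and verdict labels are assumptions, and a "blocked" verdict covers this one probe only.

```shell
#!/bin/sh
# Added example (not from the original post). Function names and verdict
# labels are assumptions made for this illustration.

# The probe from the post: a crafted function definition in the environment.
probe() { env var='() { :;}; echo Vulnerable' "$1" -c /bin/true; }

# classify_output STDOUT STDERR -> prints a verdict for one probe run.
# "blocked-*" only means this probe failed; the post notes that
# 4.2-2ubuntu2.2 passes it yet is open to variations of the same idea.
classify_output() {
    case $1 in
        *Vulnerable*) echo vulnerable; return 0 ;;
    esac
    case $2 in
        *"ignoring function definition attempt"*) echo blocked-with-warning ;;
        *) echo blocked-silent ;;   # later bash builds print nothing at all
    esac
}

# classify_shell PATH -> verdict for one bash binary.
classify_shell() {
    [ -x "$1" ] || { echo not-executable; return 0; }
    out=$(probe "$1" 2>/dev/null) || true
    err=$(probe "$1" 2>&1 >/dev/null) || true
    classify_output "$out" "$err"
}

# check_all_bash [PATH...] -> one line per binary; returns 1 if any is vulnerable.
# With no arguments it checks the bash on $PATH plus any bash in /etc/shells,
# since a host can carry more than one copy (e.g. a hand-built one).
check_all_bash() {
    [ $# -gt 0 ] || set -- $(command -v bash) $(grep -s '/bash$' /etc/shells)
    rc=0
    for b in "$@"; do
        verdict=$(classify_shell "$b")
        printf '%s\t%s\n' "$b" "$verdict"
        if [ "$verdict" = vulnerable ]; then rc=1; fi
    done
    return $rc
}

# Usage after "apt-get install bash=...":  check_all_bash || echo "still vulnerable"
```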
Where does it apply?
So far it seems that the bug can be exploited within some shell sessions, under particular conditions, but especially through HTTP requests to CGI scripts. Some websites, ok, but mainly (in my experience at least) web interfaces of physical devices (e.g. printers, some physical firewalls) and some management programs (e.g. Nagios). So in my opinion it's a big problem and MUST be solved, but the exploitation possibilities are very limited and can cause limited damage.
More Information
- This vulnerability impacts only systems running Bash. If you are using tcsh, ksh or something else, you don't have this problem.
- This vulnerability looks like it's 20 years old (!!!!!!!!)
- At NIST (National Institute of Standards and Technology) this bug has the maximum priority (CVE-2014-6271)
- When the first fix was released, it was soon evident that it didn't solve the problem; so NIST released another vulnerability summary (CVE-2014-7169) to address the preceding incomplete fix.