• Thursday, October 2, 2014

The Shell Shock vulnerability is a serious bug in most versions of Bash dating back to at least 1994. It allows remote attackers to execute arbitrary code because Bash processes trailing strings after function definitions in the values of environment variables. The official label for Shell Shock is CVE-2014-6271, provided by the National Vulnerability Database (from NIST). Another bug, CVE-2014-7169, was introduced due to an incomplete fix for Shell Shock. Further bugs have been identified: CVE-2014-6277, CVE-2014-6278, CVE-2014-7186, and CVE-2014-7187.

How do I patch my system? Currently, it is recommended to either update to the latest version of Bash available for your operating system, or to apply Florian Weimer's patch. To update, use the command for your system:

  • CentOS: yum update bash
  • Debian/Ubuntu: apt-get update && apt-get install bash
  • FreeBSD: portsnap fetch extract; cd /usr/ports/shells/bash; make deinstall reinstall clean

To further secure your system against lesser-known vulnerabilities, apply Florian's patch (from the Red Hat Security team):

  • curl http://shellshockvuln.com/florian.9-25-14.txt | patch -p0
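
After updating or patching, the result can be verified against the installed binary. The script below is an added example, not part of the original post or of any vendor tooling: its first probe checks that commands trailing a function definition in an environment variable are no longer run (CVE-2014-6271), and its second checks that Bash no longer imports functions from ordinarily named variables. The second probe assumes the hardening takes the form used in later Bash releases; all function, variable and marker names are made up for this example.

```shell
#!/bin/sh
# Added example: post-update check of a Bash binary. Marker strings,
# variable names and function names are made up for this example.

# 0 = commands trailing a function definition in an environment
# variable are NOT run at startup (CVE-2014-6271 fixed), 1 = they are.
check_trailing_code() {
    out=$(env probe='() { :; }; echo TRAILING_CODE_RAN' \
        "$1" -c 'echo done' 2>/dev/null) || true
    case $out in
        *TRAILING_CODE_RAN*) return 1 ;;
    esac
    return 0
}

# 0 = an ordinary variable whose value looks like a function definition
# is NOT imported as a function (the hardened behaviour), 1 = it is.
check_function_import() {
    out=$(env probe_fn='() { echo FUNCTION_IMPORTED; }' \
        "$1" -c 'probe_fn' 2>/dev/null) || true
    case $out in
        *FUNCTION_IMPORTED*) return 1 ;;
    esac
    return 0
}

# Run both probes against one binary; 0 = both pass, 1 = a probe
# failed, 2 = the binary could not be executed.
audit_bash() {
    [ -x "$1" ] || { echo "$1: not executable" >&2; return 2; }
    rc=0
    if check_trailing_code "$1"; then
        echo "$1: trailing-code probe passed"
    else
        echo "$1: VULNERABLE to CVE-2014-6271, update bash"; rc=1
    fi
    if check_function_import "$1"; then
        echo "$1: function-import probe passed"
    else
        echo "$1: still imports functions from ordinary variables"; rc=1
    fi
    return $rc
}

# Stand-alone use: sh check_bash.sh /bin/bash
if [ $# -gt 0 ]; then audit_bash "$1"; fi
```

Run it against every Bash binary on the host (for example a copy under /usr/local/bin as well as /bin/bash), since updating a package only replaces the copy that package owns.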

 

References: 
https://github.com/mubix/shellshocker-pocs/blob/master/README.md
http://www.openwall.com/lists/oss-security/2014/09/25/13
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6277
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7186
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/