Bash vulnerability – urgent action required

Posted by / Sep 25, 2014 / Categories: BHost News, Security, Security Alerts / 4 Comments

There has been a critical vulnerability found in bash. The vulnerability affects Linux/Unix distributions that use or have bash installed. For additional information on this vulnerability please visit the US Government National Vulnerability Database or The Register.

BHost has patched all of its systems, but customers should ensure bash is updated / patched on your virtual machines.

In any case, it is good security practice to regularly check your virtual machines have the latest security updates.

To test if your version of Bash is vulnerable, run the following command:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the output of the above command looks as follows…

vulnerable
this is a test

… then you are using a vulnerable version of bash. You should urgently update / patch bash.

If you run the above example with the patched version of bash, you should get an output verifying you are not vulnerable:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
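The same check, wrapped as a small script you can run across all of your virtual machines and act on from a shell. This is an added example rather than BHost's own code; the function names and the status words it prints are my own choices.

```shell
#!/bin/sh
# Added example: run the Shellshock check from this post and turn the result
# into a status word plus exit code, so it can be scripted across many VMs.

shellshock_status() {
    # Nothing to check on a host without bash.
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 2
    fi
    # The post's test: put a crafted function definition in an environment
    # variable and see whether the trailing command after it gets executed.
    # Only stdout is inspected; a patched bash prints its warnings on stderr.
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *vulnerable*)
            echo "vulnerable"   # trailing command ran: bash is unpatched
            return 1 ;;
        *"this is a test"*)
            echo "patched"      # import rejected, only the normal output appears
            return 0 ;;
        *)
            echo "unknown"      # bash could not run the test at all
            return 3 ;;
    esac
}

# One line per host with the bash version, handy when comparing VMs.
shellshock_report() {
    status=$(shellshock_status) || true
    ver=$(bash -c 'printf %s "$BASH_VERSION"' 2>/dev/null || echo "n/a")
    printf 'bash=%s status=%s\n' "$ver" "$status"
}

shellshock_report
```

Use the exit code of `shellshock_status` (0 patched, 1 vulnerable, 2 no bash, 3 unknown) when feeding this into monitoring.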


To learn more please visit the following links for your particular distro:

Ubuntu CentOS Debian Fedora

On a separate note, this might be a good time to ensure you are running the latest version of your operating system. We have noticed many customers running Ubuntu 11.10, for example, which is no longer supported and no longer receives updates, security fixes included. Don’t delay, upgrade today!

About the author
I'm George and I work in the BHost support team. I'm responsible for replying to customer support requests, as well as writing articles for our help center. If there's anything you'd like us to blog about, let us know by emailing support@BHost.net
4 comments
  • Andrew Constant says:

    Will reinstalling the VM fix this issue?

    Thanks

    • George says:

      No, re-installing is not the solution to this problem. You should update bash using apt-get update bash or yum update bash. Please put in a ticket if you have any difficulties.

  • Ian Justman says:

    If you’re using an older installation of Ubuntu, like Raring Ringtail (13.04) which has been end-of-lifed, you can use a package from a later install, like Saucy Salamander (13.10, which will be EOLed once Utopic Unicorn (14.10) gets released) or Trusty Tahr (14.04(.1), which is the current LTS release) and install it manually. Links for the specific debs are here:

    http://archive.ubuntu.com/ubuntu/pool/main/b/bash/bash_4.3-7ubuntu1.4_i386.deb
    http://archive.ubuntu.com/ubuntu/pool/main/b/bash/bash_4.3-7ubuntu1.4_amd64.deb

    As root, you can use curl or wget to get these, then dpkg -i to install. Unsure about anything older than Raring, however. Likewise, I’m not sure of other distributions.

    In fact, you really should be using the most recent LTS or equivalent thereof wherever possible.

    Hope this helps!

  • Ian Justman says:

    And while I’m on the subject of (un)supported Ubuntu releases, and since you mention 11.10 not being supported, here’s the timeline of what’s (currently/no longer) supported from Ubuntu:

    10.04 (Lucid Lynx): Oldest supported LTS release. Still supported until April 2015.

    [several other short-term releases removed for brevity’s sake]

    11.10 (Oneiric Ocelot): EOLed as of October 2012.

    12.04 (Precise Pangolin): Next-most recent LTS release. Still supported until April 2017.

    12.10 (Quantal Quetzal): EOLed as of October 2013.

    13.04 (Raring Ringtail): EOLed as of April 2014.

    13.10 (Saucy Salamander): Current short-term release. Still supported. Will be EOLed this month when 14.10 (Utopic Unicorn) gets released.

    14.04 (Trusty Tahr): Current LTS release. Still supported until April 2019.

    14.10 (Utopic Unicorn): Next short-term support release. Will receive updates for a year. 13.10 (Saucy Salamander) will be EOLed once this release goes live.

    *Disclaimer: I do not have any association with Ubuntu other than being a satisfied user.