Protect Servers Against Shellshock Bash Vulnerability.

On September 24, 2014, a GNU Bash vulnerability (Shellshock or “Bash Bug”), was discovered and published.
The vulnerability allows remote attackers to execute arbitrary code given specific conditions, by injecting strings of code following environment variable assignments.
Because of Bash’s large utilization (Ex: Linux, BSD, OsX), many computers are vulnerable to Shellshock Bash Bug.
All unpatched Bash versions between 1.14 through 4.3 seems to be compromised.

The Shellshock vulnerability can be exploited on systems that are running Services or applications that allow unauthorized remote users to assign Bash environment variables.
Examples of exploitable systems include following examples:

  • HTTP Servers using CGI scripts (Ex: Apache Servers via mod_cgi) written in Bash or launching Bash subshells
  • OpenSSH servers using ForceCommand capability.
  • Some DHCP clients.
  • In general: a lot of network-exposed services using Bash Shell.

For detailed descriptions of bugs, search in NIST National Vulnerability Database.

Shellshock vulnerability is very widespread and particularly easy to exploit, for this reason it is highly recommended to upgrade as soon as possible any affected systems.

Test if machines are vulnerable is not a complex work:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"


shellshocker='() { echo You are vulnerable; }' bash -c shellshocker


env X='() { (>\' bash -c "echo date"; cat echo; rm ./echo


env X=' () { }; echo hello' bash -c 'date'


bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' ||
echo "CVE-2014-7186 vulnerable, redir_stack"


(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash ||
echo "CVE-2014-7187 vulnerable, word_lineno"

Visit and use their Automatic Scripts should be a good idea.

To update Bash Shell, please refer to Distribution / OS specific documentation, some examples will follow:

Debian / Ubuntu using APT:
Note: updates will be available only in maintained versions, a ‘do-release-upgrade’ will be necessary if the distribution is not anymore supported.

sudo apt-get update && sudo apt-get install --only-upgrade bash

RedHat / Fedora / Centos using YUM:

sudo yum update bash

Comments are closed.