SECURITY WARNING - Remote BASH vulnerability found

Discussion in 'Server Operation' started by till, Sep 24, 2014.

  1. till

    till Super Moderator Staff Member ISPConfig Developer

    A remotely exploitable vulnerability has been found in the BASH Shell. BASH is isntalled on almost all servers, so it is highly recommended that you update your servers as soon as possible. Bash updates are provided by the Linux Distributions.

    Debian and Centos have released updates already. The other Linux Distributions will most likely follow soon.


    TEST your server:

    test="() { echo Hello; }; echo hacked" bash -c ""
    Execute the command above on the shell, if it returns the word "hacked", then your shell is vulnerable.
    Last edited: Sep 24, 2014
  2. edge

    edge Active Member Moderator

    So how do you easily update bash?
    apt-get update / apt-get upgrade do not give me any updates for my Debian OS.

    edit. I guess it's because I'm still on Debian 6.0.10 (squeeze)
    Last edited: Sep 24, 2014
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Which Debian version do you use? I have updates for wheezy here with apt-get update / apt-get upgrade.
  4. till

    till Super Moderator Staff Member ISPConfig Developer

  5. arraken

    arraken Member HowtoForge Supporter

    On Ubuntu, a very easy and quick fix is the following:

    apt-get update
    apt-get install --only-upgrade bash
    Of course a
    apt-get dist-upgrade
    works too, but if you want to be extra quick and don't want to upgrade any other packages because of possible unwanted side-effects, the above way is an option.

    Tested it on my ubuntu 12.04 servers and Debian Wheezy.
    Last edited: Sep 24, 2014
  6. MaddinXx

    MaddinXx Member HowtoForge Supporter

    Thanks for the information :)

    It should be noted that Jailkit jails might need to be updated as well (if no hardlinks were used).

    A quick'n'dirty (ready to be pasted) solution could be:

    for bash in `find /var/www/clients/ -type f -name "bash" -uid 0`; do
        jail=`dirname $bash`
        jail=`dirname $jail`
        jk_update -d --jail $jail /bin/
    Not pretty, but works :)
  7. ACDII

    ACDII Member

    I have a pair of Fedora 15? I think running ISPConfig 3 that I need to update. I am running the latest version that supported ISPConfig3, and it runs my DNS. Yum and Apt dont show any updates, so whats next?

    We also have a RH3 dinosaur out there that is in desperate need of patching.

    All the servers are behind firewalls, with restricted shell access to them, anything I can do on the firewalls to help block attempts?
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    You should disable mod_cgi in apache if you dont run cgi scripts.

Share This Page