SimplerCloud Pte Ltd


News: Critical Advisory: "Bash Bug"/ "Shellshock" Vulnerability in most Linux systems

Published: 25/09/2014

Critical Alert: Bash Bug (also now known as Shellshock)


Reference: Red Hat Breaking Update on Bash Bug


This advisory is provided as a courtesy.


Update on 9 October 2014: Latest update regarding the bash bug / shellshock vulnerability, a critical security bug affecting GNU Bash, which is commonly used in Linux-based operating systems:


A gentle reminder for our customers to always patch their Linux-based servelets with the latest patches, to ensure that your servelets are not vulnerable to the shellshock / bash bug. This advisory also applies to newly provisioned servelets, until we complete updating all our Linux-based OS templates, which is expected to be completed by mid-November 2014.


To install the latest patches for Ubuntu and Debian:


sudo apt-get update && sudo apt-get upgrade -y


To install the latest patches for CentOS:


yum update -y


Update on 29 September 2014: Here is a list of commands for you to check if your servelet is still vulnerable to the subsequent vulnerabilities which were discovered, courtesy of shellshocker.net:


(1)


env x='() { :;}; echo vulnerable' bash -c "echo this is a test"


If you see "vulnerable", your servelet is still vulnerable.


(2)


env X='() { (shellshocker.net)=>\' bash -c "echo date"; cat echo ; rm -f echo


If you see the current date (e.g. Mon Sep 29 17:05:45 SGT 2014), your servelet is still vulnerable. Note that this test writes the date into a file named "echo" in the current directory, which the trailing "rm -f echo" removes again.


(3)


env -i X=' () { }; echo hello' bash -c 'date'


This one is the other way around: if you see "hello", your servelet is vulnerable. If you see the current date, then it's OK.


(4)


bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' || echo "CVE-2014-7186 vulnerable, redir_stack"


If you see "CVE-2014-7186 vulnerable", your servelet is vulnerable.


(5)


(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187 vulnerable, word_lineno"


If you see "CVE-2014-7187 vulnerable", your servelet is still vulnerable.


Update on 28 September 2014: The earlier bash patches released did not completely resolve the vulnerability. Several new versions of the bash packages have been released in the past couple of days, addressing one vulnerability after another. If you patched your servelet/server before 28 September 2014, your servelet might still be vulnerable. You are advised to patch bash regularly. Below are the instructions on how to patch just the bash package; no reboot is required.


- In Ubuntu:


apt-get update
apt-get install bash


- In CentOS: 


yum update bash


The above commands check whether your servelet has the latest version of bash and, if it does not, install the latest version automatically. There is no need to reboot after running them. You are advised to repeat this regularly over the next couple of days until all the vulnerabilities are confirmed closed.


====


We would like to bring to your attention a newly discovered security bug affecting GNU Bash (the Bourne-again shell), which is the default and most commonly used shell in Linux operating systems such as Ubuntu, CentOS, Debian and others. All Linux system customers are affected. You are strongly advised to apply the relevant fixes to any affected systems immediately.


The security bug was discovered by Stephane Chazelas and has been assigned bug ID CVE-2014-6271. The vulnerability arises because environment variables with specially crafted values can be created before the Bash shell is called, and Bash executes code contained in those values when it imports them. This allows an attacker to bypass environment restrictions and manipulate the environment variables to gain unauthorised access to the server, for example via SSH or via HTTP requests to CGI scripts.


Impact


If this vulnerability is not addressed, Linux servelets/servers will be at risk of being hacked and attackers will be able to use the vulnerability to gain unauthorised access to your system.


Check if Affected


To check whether your Linux-based servelets/servers are affected by the new vulnerability, log in to your servelets or servers using SSH and then issue this command on the shell:

env x='() { :;}; echo vulnerable' bash -c 'echo hello'

If you see this result, your servelet/server *IS* vulnerable:

vulnerable
hello


If you see one of these results, your servelet/server is *NOT* vulnerable:


- For CentOS, after installing the latest patch:


hello


- For Ubuntu, Debian and any major other Linux distributions:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello
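The checks above and the first two of the 29 September list can be wrapped so that a cron job or monitoring script gets a verdict instead of someone reading bash's output by eye. This is an added example, not part of the advisory or of shellshocker.net; it assumes a "bash" binary is on PATH and that "mktemp -d" is available.

```shell
#!/bin/sh
# Added example, not part of the SimplerCloud advisory: wraps the advisory's
# CVE-2014-6271 and CVE-2014-7169 checks in functions that print a one-word
# verdict, so a cron job or monitoring script can act on the result instead
# of someone reading bash's output by eye. Assumes "bash" is on PATH.
#
# Verdicts: "vulnerable", "patched", "no-bash" (bash not installed), "unknown".

# CVE-2014-6271: does bash run the command that trails a crafted function
# definition while it imports the environment? Patched bash prints only
# "hello" (Debian/Ubuntu builds may add a warning that x was ignored).
check_cve_2014_6271() {
    bash_bin=$(command -v bash 2>/dev/null) || { echo no-bash; return 2; }
    # env -i: nothing but the crafted variable reaches the child bash.
    out=$(env -i x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo hello' 2>&1)
    case "$out" in
        *vulnerable*) echo vulnerable; return 1 ;;
        *hello*)      echo patched;    return 0 ;;
        *)            echo unknown;    return 3 ;;
    esac
}

# CVE-2014-7169: the first fix left a parser bug that turns the trailing '>\'
# into a redirection, so "echo date" ends up writing into a file named
# "echo". Run it in a scratch directory so the check leaves nothing behind.
check_cve_2014_7169() {
    bash_bin=$(command -v bash 2>/dev/null) || { echo no-bash; return 2; }
    dir=$(mktemp -d) || { echo unknown; return 3; }
    ( cd "$dir" && env -i X='() { (shellshocker.net)=>\' "$bash_bin" -c 'echo date' ) >/dev/null 2>&1
    if [ -f "$dir/echo" ]; then verdict=vulnerable; rc=1; else verdict=patched; rc=0; fi
    rm -rf "$dir"
    echo "$verdict"
    return "$rc"
}

# shellshock_report prints one "CVE: verdict" line per check and returns
# non-zero if any check came back "vulnerable".
shellshock_report() {
    failed=0
    for pair in "CVE-2014-6271 check_cve_2014_6271" "CVE-2014-7169 check_cve_2014_7169"; do
        set -- $pair
        verdict=$("$2")
        echo "$1: $verdict"
        if [ "$verdict" = vulnerable ]; then failed=1; fi
    done
    return "$failed"
}

shellshock_report
```

Running the script after each "apt-get install bash" or "yum update bash" shows whether the package you just received closes both issues; a "vulnerable" line means the repository has not shipped the fixed build yet.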

To fix this problem and to ensure that your servelets/servers are not affected by this vulnerability, please proceed to install the latest patches for your operating system.

On Ubuntu/Debian systems:

sudo apt-get update
sudo apt-get upgrade

and then reboot the system.

On CentOS systems:

yum update

and then reboot the system.


More information:



https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
http://askubuntu.com/questions/528101/what-is-the-cve-2014-6271-bash-vulnerability-and-how-do-i-fix-it
https://access.redhat.com/security/cve/CVE-2014-6271
http://www.ubuntu.com/usn/usn-2362-1/
https://shellshocker.net/




Request Assistance


If needed, we will perform the patch installation for you at a one-time discounted fee of $25. Please submit your order at Order -> Additional Services -> Select Bash Bug/ Shellshock FIX - $25  


Or please first open a support ticket and give us the hostname, IP address and OS template. You can find this information on your servelet's control panel.


For example:

Hostname: test-dd
IP Address: 103.25.202.81
OS Template: CentOS 6.5 (64-bit) 20140123a

Thank you.


SimplerCloud Support Team