Update – September 25, 4:00 PM EDT (20:00 UTC): Apparently the extent of the flaw in bash was not fully covered by the original security report CVE-2014-6271 and the initial update. There is a similar security concern documented in CVE-2014-7169, which Red Hat says is a less severe issue. We are monitoring the situation and will likely issue another update to our managed hosting servers shortly to address this second issue.
An important vulnerability was announced yesterday regarding the bash shell, which is the default shell environment in many popular Linux distributions. Details of this vulnerability are available in CVE-2014-6271 published by the National Vulnerability Database. The vulnerability is considered to be of critical importance, as it can allow remote arbitrary code execution in some environments.
For our Managed Hosting customers, please be aware that we patched all affected servers yesterday (September 24, 2014) and no action is required on your part. Since the vulnerability only affects the spawning of new bash shells, a server reboot is not required. Customers with self-managed Linux or BSD environments should see the following distribution-specific links for information about how to make sure their system is patched:
- CentOS
- Debian
- Ubuntu
- FreeBSD: bash is not included in FreeBSD base system, but the bash port has been updated
To test if your shell is vulnerable, you can run this command:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
Here is an example when running on a vulnerable system:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
And, example output when running in an updated, non-vulnerable system:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
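The same probe, wrapped in a small POSIX sh script so it can be run against several bash binaries at once (for example a distribution's /bin/bash and the FreeBSD port's /usr/local/bin/bash) and report a machine-readable result. This is an added example, not part of the original post; the candidate paths are assumptions, and the variable name x and the word "vulnerable" are just the marker used in the post's command.

```shell
#!/bin/sh
# Added example (not from the original post): runs the post's
# CVE-2014-6271 check against a given bash binary and returns an
# exit code instead of relying on a human reading the output.

# check_bash_env_import BASH_PATH
#   0 = bash ignored the environment function definition (patched)
#   1 = the command appended to the function definition ran (vulnerable)
#   2 = binary not found or not executable
check_bash_env_import() {
    bash_bin=$1
    [ -x "$bash_bin" ] || return 2
    # Same probe as the post: a function definition followed by an extra
    # command, handed to a child bash through the environment. The marker
    # word only appears if the child bash executed that extra command.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is a test' 2>&1) || true
    case $out in
        *vulnerable*) return 1 ;;
        *)            return 0 ;;
    esac
}

# Human-readable wrapper for interactive use.
report_bash_env_import() {
    rc=0
    check_bash_env_import "$1" || rc=$?
    case $rc in
        0) echo "$1: not vulnerable (function definition ignored)" ;;
        1) echo "$1: VULNERABLE to CVE-2014-6271, update bash" ;;
        2) echo "$1: not found, skipped" ;;
    esac
}

# Assumed candidate locations: distribution packages install /bin/bash
# (sometimes /usr/bin/bash); the FreeBSD port installs /usr/local/bin/bash.
for b in /bin/bash /usr/bin/bash /usr/local/bin/bash; do
    report_bash_env_import "$b"
done
```

A non-zero count of "VULNERABLE" lines across a fleet is the signal to act; a patched bash still prints the post's "ignoring function definition attempt" warning, which the function treats as not vulnerable.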
As always, feel free to contact us if you have any specific questions we can help with.