
Attention Startups : Bash Vulnerability CVE-2014-6271 Allows Remote Code Execution [Fix]

A vulnerability named CVE-2014-6271, discovered last week, was made public yesterday. This vulnerability in bash lets an attacker execute arbitrary code if he is able to pass input to bash. As bash is a common shell for evaluating and executing commands from other programs, this vulnerability may affect many applications that evaluate user input and call other applications via a shell.

Bash supports exporting shell functions as well as shell variables to other bash instances. This is accomplished by passing them through the process environment to a child process. The flaw is that a vulnerable bash, when importing such a function definition from the environment, does not stop at the end of the function body and also executes any commands that follow it.

The major attack vectors that have been identified in this case are HTTP requests and CGI scripts.

The following mitigation steps are available:

  • Upgrade to a new version of bash
  • Replace bash with an alternate shell
  • Limit access to vulnerable services
  • Filter inputs to vulnerable services
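The article names HTTP requests to CGI scripts as the main attack vector, since web servers hand request headers such as User-Agent and Referer to CGI programs as environment variables. The following script is an added example, not part of the original article, showing how a defender can scan an access log for the "() {" function-definition prefix that characterises these probes. The log lines are constructed for the example (Apache combined format, placeholder addresses from 192.0.2.0/24) and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original article): flag HTTP access-log lines
# whose request headers carry the Shellshock function-definition prefix "() {".

# Print each line of the given log file that contains "()" followed by
# optional whitespace and "{", the prefix bash recognises as an exported
# function definition. Legitimate User-Agent or Referer values never start
# this way, so matches are worth an alert.
find_shellshock_probes() {
    grep -E '\(\)[[:space:]]*[{]' "$1"
}

# Count matching lines (prints 0 when there are none), for cron jobs or tests.
count_shellshock_probes() {
    find_shellshock_probes "$1" | wc -l | tr -d ' '
}

# Constructed sample log. Two lines place the article's canary string in the
# User-Agent field, one with and one without a space before the brace.
sample_log=$(mktemp)
cat >"$sample_log" <<'EOF'
192.0.2.10 - - [25/Sep/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
192.0.2.11 - - [25/Sep/2014:10:00:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 312 "-" "() { :;}; echo vulnerable"
192.0.2.12 - - [25/Sep/2014:10:00:03 +0000] "GET /cgi-bin/status HTTP/1.1" 200 312 "-" "() {:;}; echo vulnerable"
192.0.2.13 - - [25/Sep/2014:10:00:04 +0000] "GET /about.html HTTP/1.1" 200 2210 "-" "curl/7.37.0"
EOF

# When run directly, show the suspicious lines and a count.
find_shellshock_probes "$sample_log"
echo "probe lines in sample log: $(count_shellshock_probes "$sample_log")"
```

Run it against a real log by calling `find_shellshock_probes /var/log/apache2/access.log` (path assumed; adjust for your distribution). Matching only the "() {" prefix rather than a specific payload means the check also catches variants that do not echo the word "vulnerable".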

How to check if there is a vulnerable bash package on your server?

# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

A vulnerable binary will show:

vulnerable

this is a test

After upgrading the package, you should see:

bash: warning: x: ignoring function definition attempt

bash: error importing function definition for `x'

this is a test
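The check above is meant to be typed interactively. As an added example, not from the original article, the script below wraps the same canary in a function that classifies the installed bash as "vulnerable", "patched" or "missing", so it can be run non-interactively across many hosts or from a configuration-management tool. The function name and the optional path argument are the example's own.

```shell
#!/bin/sh
# Added example (not from the original article): classify the installed bash
# using the CVE-2014-6271 canary from the article.

# Prints "vulnerable" (exit 1), "patched" (exit 0) or "missing" (exit 2).
# $1 optionally names the bash binary to test; defaults to bash on PATH.
shellshock_status() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "missing"
        return 2
    fi
    # The environment variable holds an empty function body followed by a
    # trailing command. An unpatched bash executes that trailing command while
    # importing the function, so "vulnerable" appears on stdout before the
    # real command's output. A patched bash prints a warning on stderr and
    # runs only the real command; stderr is discarded so we classify on
    # stdout alone.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        *)            echo "patched";    return 0 ;;
    esac
}

# When run directly, report on bash from PATH (or the binary given as $1).
shellshock_status "$@"
```

Because the exit code mirrors the result, the script can be used directly in an inventory loop, for example `ssh host sh check.sh || echo "host needs upgrade"`. Note that this canary only covers the original CVE-2014-6271; the follow-up issue mentioned later in the article needs the updated packages regardless of what this check reports.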

Please follow the distro-specific commands below to upgrade your bash to the patched version ASAP:

  • CentOS: # yum upgrade bash
  • Debian: # apt-get update && apt-get install --only-upgrade bash
  • Ubuntu: # apt-get update && apt-get install --only-upgrade bash

For managed customers we are in the process of updating the bash package. Please write to support@e2enetworks.com for any queries you may have.

UPDATE from Red Hat: Red Hat has become aware that the patch for CVE-2014-6271 is incomplete. An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions. The new issue has been assigned CVE-2014-7169. Upstream developers are working on patches as a critical priority. We will keep you updated regarding this. You can keep track on https://security-tracker.debian.org/tracker/CVE-2014-7169

[Guest article by Team E2E. Reproduced from the blog]
