The vulnerability has been present in versions of bash in use for decades; the potential for an exploit was made public around 24 September 2014.

In essence, the vulnerability allowed arbitrary code execution, or service disruption, through a variety of vectors, including a number of network and internet mechanisms. See CVE-2014-6271. The initial patches released to deal with this bug exposed another, which received its own security identifier, CVE-2014-7169.

Various patches were delivered over the following 3-4 days as the original and other exploits were uncovered in the investigations carried out by developers.

Patches for current and recent versions of the Linux flavours found around the University were released, and the majority of servers are patched to deal with these.

No patch has been released by Apple at this stage (29 October), so we have made packages to update MacOS X 10.7, 8 and 9 to a current patch level (bash 3.2.54). Contact Science IT for details if you would like access to this software.

 

Tests

The following can be copied to a file then run in a bash terminal to test for the vulnerabilities.

#!/bin/bash

echo "Testing for bash vulnerability"
echo "CVE-2014-6271 and CVE-2014-7169"
echo "*******************************"
echo "If you are patched, then you will"
echo "see errors. If not, you will see"
echo "something telling you, that you are"
echo "vulnerable"
echo "The second test creates a file 'echo'"
echo "which, if present on subsequent"
echo "tests, will give a false positive"

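#	creating a temporary and writable place
#	to run the test; mktemp makes a fresh, unpredictable
#	directory, so a leftover 'echo' file from an earlier
#	run cannot give a false positive

TEMPDIR=$(mktemp -d /tmp/bashtest-XXXXXX) || exit 1
cd "$TEMPDIR" || exit 1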

echo
echo "running in $TEMPDIR"
echo "*******************************"
echo "testing for CVE-2014-6271"
env x='() { :;}; echo You are vulnerable' bash -c "echo done" 2>/dev/null
echo
echo "*******************************"
echo "testing for CVE-2014-7169"
#	the backslash before the closing quote is part of the test string
env X='() { (a)=>\' bash -c "echo echo test"; [[ "$(cat echo)" == "test" ]] 2>/dev/null && echo "still vulnerable :("
echo
echo "*******************************"
read -p "Press [Enter] key to close"

exit 0

Ubuntu

12.04 LTS

Update the package list

sudo apt-get update

Then, either upgrade everything

sudo apt-get dist-upgrade

OR just update ‘bash’ itself

sudo apt-get install --only-upgrade bash

At 1 October 2014:

$ bash --version
GNU bash, version 4.2.25(1)-release (x86_64-pc-linux-gnu)

$ file /bin/bash
/bin/bash: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0x3f4de4f82d9437f58a74a3d06e87db2fa7ede1bc, stripped

14.04 LTS

Update the list of packages

sudo apt-get update

Then, either upgrade everything

sudo apt-get dist-upgrade

OR just update ‘bash’ itself

sudo apt-get install --only-upgrade bash

At 1 October 2014:

$ bash --version
GNU bash, version 4.3.11(1)-release (x86_64-pc-linux-gnu)

$ file /bin/bash
/bin/bash: ELF 64-bit LSB  executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=d516f4f61b317e3d567d6e443553a790461a10e7, stripped

13.10

No patches from normal sources, but copying the patched version from 14.04 works on the machines we have tested.

MacOS X

Apple have released an update for the current versions of Lion, Mountain Lion and Mavericks (10.7.5, 10.8.5 and 10.9.5 respectively). This raises the various bash versions to 3.2.53 and protects against exploits using the mechanisms in the tests above.

DIY

You need a current version of Xcode for the system you are using:

#	starting from the base used for 10.9

mkdir -p /somewhere/newbash
cd /somewhere/newbash
curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
cd bash-92/bash-3.2
curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0
curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-053 | patch -p0
curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-054 | patch -p0

cd ..
xcodebuild

build/Release/bash --version
build/Release/sh --version

# Happy with these?

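# single quotes, so that $REMEMBER is expanded by the root shell that sets it
# (inside double quotes your own shell expands it, to an empty string)
sudo bash -c 'REMEMBER=$(date +%Y%m%d%H%M%S); mv /bin/bash /bin/bash-$REMEMBER && chmod -x /bin/bash-$REMEMBER'
sudo cp build/Release/bash /bin/bash
# the old sh is kept as /bin/sh-<timestamp>, the same name that chmod acts on
sudo bash -c 'REMEMBER=$(date +%Y%m%d%H%M%S); mv /bin/sh /bin/sh-$REMEMBER && chmod -x /bin/sh-$REMEMBER'
sudo cp build/Release/sh /bin/sh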

The starting point (in this case https://opensource.apple.com/tarballs/bash/bash-92.tar.gz) is derived from the version associated with the operating system level you have. You can figure this out by browsing in from the top of the https://opensource.apple.com/ site.

However, while building an interim patch for OS X 10.7.5, I found that you can start with any of the bases, then patch up to the current (using the patches at gnu.org); what mattered was the SDKs you had available in Xcode. Bash compiled using Xcode 6.0x in Mavericks would not run in Lion (probably an x86/x64 issue). Bash compiled using the Mavericks base in Xcode 4.6.3 in Lion worked in Mountain Lion and Mavericks (this binary had x86 and x64 code).
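A check that can gate the "Happy with these?" step: the function below runs the two tests from the Tests section against one named binary (for example build/Release/bash) in a throwaway directory and returns a status a script can act on. It is an added example, not part of the original page; the name shellshock_check and the marker string are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. shellshock_check is a
# hypothetical helper name; the marker string is constructed.
# Prints "patched", or one line per failed test.
# Returns 0 = patched, 1 = vulnerable, 2 = binary cannot be run.
shellshock_check() {
    bin=$1
    [ -x "$bin" ] || { echo "cannot execute: $bin"; return 2; }
    case $bin in /*) ;; *) bin=$PWD/$bin ;; esac   # we cd below

    # Fresh scratch directory: CVE-2014-7169 shows up as a stray file
    # named 'echo' in the working directory, so never reuse one.
    work=$(mktemp -d "${TMPDIR:-/tmp}/bashcheck.XXXXXX") || return 2
    rc=0

    # CVE-2014-6271: text after the function body must not be executed.
    out=$(cd "$work" && env x='() { :;}; echo SHELLSHOCK_MARKER' \
            "$bin" -c 'echo done' 2>/dev/null) || :
    case $out in
        *SHELLSHOCK_MARKER*) echo "vulnerable: CVE-2014-6271"; rc=1 ;;
    esac

    # CVE-2014-7169: a vulnerable parser runs "echo test" with its
    # output redirected to a file called 'echo'.
    (cd "$work" && env X='() { (a)=>\' "$bin" -c 'echo echo test') \
        >/dev/null 2>&1 || :
    if [ -f "$work/echo" ]; then
        echo "vulnerable: CVE-2014-7169"; rc=1
    fi

    rm -rf "$work"
    [ "$rc" -eq 0 ] && echo "patched"
    return "$rc"
}

# Run as a script with a path, e.g.: sh check.sh build/Release/bash
if [ "$#" -gt 0 ]; then shellshock_check "$1"; fi
```

Because the verdict is an exit status, the install commands can be chained behind it with `&&` so that an unpatched build is never copied into /bin.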

 
