25 August 2014

Yesterday, CVE-2014-6271 was made public after its discovery last week by Stephane Chazelas. This is a vulnerability discovered in the widely used “bash” command interpreter in Unix and Linux systems.  A technical description of this vulnerability is described in more detail at http://seclists.org/oss-sec/2014/q3/650.  Redscan customers have received an advisory describing how we have secured them against this possible threat. Essentially in order to exploit the vulnerability an attacker must be able to: (i)  Set the content of environment variables on the target system to chosen values; (ii) Arrange for the application hosting those environment variables to execute the bash shell. The primary vectors are web-based CGI scripts using bash, and remote login applications such as SSH. To test if your systems are vulnerable, you can log on to your Linux or Unix system and type this simple one liner: env x='() { :;}; echo "This system is vulnerable" ' bash -c "echo Test Completed" If the system is vulnerable, the output will be: This system is vulnerable Test Completed A system that has been patched or is not affected, will kick out: bash: warning: x: ignoring function definition attempt bash: error importing function definition for `x’ Test Completed You may have other protection on your system that means the system you have tested is not vulnerable but it is advisable to update vulnerable systems as soon as possible. .

back to all posts