Shell shock: what you need to do NOW about the bash remote exploit vulnerability


#1

Late last night, a serious vulnerability that affects the vast majority of servers running Linux was made public.

The flaw is in bash, “one of the most installed utilities on any Linux system” because it’s the default shell for most Unix variants. A shell is a command interpreter that lets you execute commands on Unix/Linux systems, usually by connecting to it over SSH.

If this already doesn’t make sense to you, and you’re worried about whether your Linux server is impacted, contact us now: support@support.bytemark.co.uk.

What is the vulnerability and how serious is it?

This vulnerability is extremely serious. Essentially, it allows a remote attacker to execute arbitrary code by crafting a specific request to the Apache HTTP server, amongst other examples.

This means, an attacker can do pretty much whatever they want on your server simply by trying to access a website you’re hosting on it in a particular way.

To quote from Troy Hunt’s blog post: What damage could an attacker do when they can execute a shell command of their choosing on any vulnerable machine?

OK, am I affected?

  • If you’re running a Linux server, the answer is almost certainly yes.
  • If you’re running a Windows server, then probably not, unless you’ve installed tools that include bash for Windows, such as git for Windows. Uninstalling these may be the best option for now.

To test whether your server is affected:

Log in via ssh to your server and run the following test using sudo if required (thanks to @bewitchedweb):

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the system is vulnerable, the output will be:

vulnerable
this is a test

If your system is unaffected (or to test your patched system), the output should be:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

How to patch your servers:

As far as we are aware, the following advice should patch your systems. That said, this is a developing situation so we may need to issue further instructions.

UPDATE: The latest patch is considered incomplete but you should still update your server as far as possible. We’ll issue further instructions as new patches are developed.

In each case you shouldn’t need to reboot or restart services, unless the update resulted in other patches also being installed.

Managed customers

If you’re a Bytemark managed hosting customer, our sysadmins are already patching this for you.

They won’t be contacting you individually unless they absolutely need to, because of the sheer numbers that we’re getting through. However, you can use the test above to check if you’ve been patched yet, or raise a ticket in the usual way.

Self-managed customers

If you’re running Symbiosis (squeeze):

Your system will be updated automatically within 24 hours. If you want to update sooner, follow the instructions below, except for editing sources.list.

If you’re running plain Debian 6.0 (squeeze):

Start using the Debian LTS (Long Term Support) repository if you’re not already. This will give you access to the patch:

Add the following to /etc/apt/sources.list

deb http://mirror.bytemark.co.uk/debian/ squeeze-lts main contrib non-free
deb-src http://mirror.bytemark.co.uk/debian/ squeeze-lts main contrib non-free

Then run:

$ apt-get update
$ apt-get upgrade

Remember, this updates everything, so if you rely on a specific version of some software and you only want to update bash, use this command instead of apt-get upgrade:

$ apt-get install --only-upgrade bash

NB Symbiosis users will have to use sudo when logged in as admin. Here’s how to log in to Symbiosis via SSH.

Finally, use the test above to check if you’ve been successful. It should show as patched.

If you’re running Debian 7.0 (wheezy) or Ubuntu 12.04/14.04 LTS, these can be patched simply by running:

# sudo apt-get update
# sudo apt-get upgrade

For CentOS 6.5 servers:

A patch has just been released and is mirroring now. You should be able to update in the usual way, e.g.:

# su -c 'yum update'

More reading:

Thanks for your patience whilst we dealt with the impact of this vulnerability on our critical internal systems. Please feel free to ask any questions below or for a support response, contact us: support@support.bytemark.co.uk.

A special thanks also to @skemp who was the first person to alert us!
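The one-line test above, wrapped into a small Python script that runs it against bash and against whatever /bin/sh resolves to, and classifies the output the same way the post does. This is an added example, not part of the original post; the function and variable names are my own, and it assumes a Unix host with Python 3.7 or later.

```python
"""Added example (not from the post above): runs the post's bash test against
several interpreters and reports the result without a human reading the output."""
import os
import subprocess

# The test from the post: a function definition in an environment variable,
# followed by a trailing command. An unpatched bash runs "echo vulnerable"
# while importing the variable; a patched one ignores it (warning on stderr).
PROBE_VALUE = "() { :;}; echo vulnerable"
PROBE_COMMAND = "echo this is a test"


def classify_probe_output(stdout):
    """Map the probe's stdout to the two outcomes described in the post."""
    lines = stdout.splitlines()
    if "vulnerable" in lines:
        return "vulnerable"
    if lines == ["this is a test"]:
        return "not vulnerable"
    return "unknown"


def probe_interpreter(path):
    """Run the probe under the interpreter at `path` with a minimal environment:
    only PATH and the constructed variable `x` are passed through."""
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin"), "x": PROBE_VALUE}
    try:
        completed = subprocess.run(
            [path, "-c", PROBE_COMMAND],
            env=env,
            capture_output=True,
            text=True,
            timeout=10,
        )
    except (OSError, subprocess.TimeoutExpired):
        # Missing or non-executable interpreter, or it hung.
        return "not found"
    return classify_probe_output(completed.stdout)


def interpreters_to_check():
    """bash itself, plus whatever /bin/sh really is: dash on Debian/Ubuntu,
    but on some systems /bin/sh is bash under another name."""
    targets = {"bash": "bash"}
    if os.path.exists("/bin/sh"):
        targets["/bin/sh"] = os.path.realpath("/bin/sh")
    return targets


if __name__ == "__main__":
    for name, path in interpreters_to_check().items():
        print(f"{name} -> {path}: {probe_interpreter(path)}")
```

A result of "not vulnerable" for /bin/sh when it resolves to dash simply means dash does not import functions from the environment; it says nothing about the bash binary on the same machine, which is why both are probed.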


#2

How about those of us running Symbiosis (Wheezy) RC3? Will the above mentioned patch be rolled out ?

**edit** - It seems that the RC3 install, at least mine, is not affected.


#3

Heads up, I just did an apt-get update, and it looks like there’s another newer bash update, so it’s worth updating again if you haven’t already.


#4

Yes, there is a second patch for the same issue.

It’s not obvious that this is going to be enough either. This bug suggests some security measures that most applications should now take to avoid this risk (i.e. sanitising the web server environment before using shell commands, or just avoiding them altogether). So over the coming weeks I’d expect to see patches to free software applications to ensure they can’t be vulnerable to this sort of bug again.

If you have your own applications that use shell commands, you’d be advised to read up on the bug to ensure you know how to avoid leaving yourself vulnerable. We’d be happy to advise if you contact support.


#5

Essentially, it allows a remote attacker to execute arbitrary code by crafting a specific request to the Apache HTTP server

This seems to be suggesting a machine with bash and Apache installed is vulnerable. AIUI, it isn’t. What’s required, when a HTTP request is the method of attack, is that Apache ends up running bash to deal with the request, either directly or indirectly. If all requests are handled purely by Python or PHP then there’s no problem. If either of them kick off commands, e.g. using system(3), without sanitising the environment then that will use /bin/sh which, on some systems, might be bash in disguise. (Debian/Ubuntu have dash providing /bin/sh.)
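The mitigation that #4 and #5 describe (sanitise the web server's environment before running a command, or avoid the shell altogether), shown for a Python request handler. This is an added example and not code from the thread; the CGI-style environment is constructed, the allow-list is an assumption for illustration, and the names are my own. It assumes a Unix host with Python 3.7 or later and a `printenv` binary on PATH.

```python
"""Added example (not from the thread): environment sanitisation and
shell-free process spawning for a web handler that must run a program."""
import os
import subprocess

# Constructed CGI-style environment. A web server running a CGI script copies
# request headers into variables such as HTTP_USER_AGENT, so attacker-chosen
# text lands in the environment of anything the script spawns.
REQUEST_ENVIRON = {
    "PATH": "/usr/local/bin:/usr/bin:/bin",
    "HOME": "/var/www",
    "HTTP_USER_AGENT": "() { :;}; echo imported",  # constructed; same shape as the test in #1
    "QUERY_STRING": "file=report.txt",
}

# Variables a child process legitimately needs (assumed allow-list).
# Everything else, including every HTTP_* request header, is dropped.
ALLOWED_ENV = ("PATH", "HOME", "LANG", "TZ")


def sanitize_environment(environ):
    """Allow-list environment variables and, as defence in depth, drop any
    value that looks like a shell function definition even if its name is allowed."""
    return {
        name: value
        for name, value in environ.items()
        if name in ALLOWED_ENV and not value.lstrip().startswith("() {")
    }


def risky_run(command_line):
    """The pattern #5 warns about: a system(3)-style call goes through /bin/sh
    and inherits the whole process environment unchanged."""
    return os.system(command_line)


def hardened_run(argv, environ):
    """Run a program directly (no shell involved) with the sanitised
    environment. Returns (exit status, stdout)."""
    if not argv or any("\0" in arg for arg in argv):
        raise ValueError("argv must be a non-empty list of NUL-free strings")
    completed = subprocess.run(
        argv,
        env=sanitize_environment(environ),
        capture_output=True,
        text=True,
        shell=False,
    )
    return completed.returncode, completed.stdout


if __name__ == "__main__":
    # printenv exits non-zero when the variable is absent, so a non-zero status
    # here shows the request header never reached the child process.
    status, _ = hardened_run(["printenv", "HTTP_USER_AGENT"], REQUEST_ENVIRON)
    print("HTTP_USER_AGENT visible to child:", status == 0)
```

Passing `argv` as a list with `shell=False` means no shell is started at all, so which binary sits behind /bin/sh stops mattering for this code path; the allow-list then keeps request-derived variables out of whatever the child itself might spawn.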


#6

There’s also the question of the mystery Xen bug that’s made Amazon reboot all of their servers - are we at risk of the same issue? Do you guys have the patch? (I fully understand the lack of discussion!)


#7

For Debian/Ubuntu users, you can check if your version of bash has been updated, by running

dpkg -l bash

which will produce output like

Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version        Description
+++-==============-==============-============================================
ii  bash           4.1-3+deb6u2   The GNU Bourne Again SHell

For Debian, the fully patched versions of bash are as follows:

  • squeeze (LTS only) 4.1-3+deb6u2
  • wheezy 4.2+dfsg-0.1+deb7u3

For Ubuntu:

  • lucid 4.1-2ubuntu3.2
  • precise 4.2-2ubuntu2.3
  • trusty 4.3-7ubuntu1.3

Symbiosis

Just to confirm for those running Symbiosis squeeze: they will not get the update until Monday. If you wish to speed the process up, you can run:

apt-get update
apt-get upgrade

If bash isn’t upgraded after the first run (you can check using dpkg), you’ll need to run it once more.

Symbiosis updates only run Monday to Friday, and this morning’s update will add the squeeze-lts repo to the updater (something which I patched back in June but never pushed :(), and the next run of the updater (on Monday) will pull in the new version of bash, as well as a number of other things.

Update: Debian Lenny

If your machine is running Debian 5 (codename lenny) we’ve produced packages that you can use to update your system.


#8

Managed to patch all our servers on Friday night, but referring to https://shellshocker.net/ I’m not clear where Debian stands with fixes with subsequent related vulns (CVE-2014-6271, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277…)

Has anyone got any further update on this. I’d like to know our systems aren’t vulnerable, but having a hard time deciphering the latest round of discussion / updates on this, so any pointers would be appreciated.


#9

Debian have a handy security tracker website so you can keep up to date.

In short, Debian and Ubuntu are both up-to-date.


#10

Thanks Patrick!