Recently, there have been news going around regarding "CVE-2014-6271" (See USN-2362-1), which is a vulnerability in Bash. How do I know if I am affected by this, how can I fix it, and why should I care?
This is designed as a canonical answer for this vulnerability, due to its scope and severity.
Bash is the default interactive shell in Ubuntu. When you are interfacing with the terminal (either through the terminal emulator, over a tty, or ssh), you are generally typing commands that bash will read, and execute. Even if you do not use the terminal at all, you still have Bash.
On Ubuntu, /bin/sh is not bash (it is dash). Only bash is affected by this vulnerability.
Bash and the OS keep track of a set of environment variables that describe the current logged-on user, where to look for programs on the hard disk, and other such functions. By crafting an environment variable with a specific structure, an attacker might be able to execute code next time Bash starts.
The attacker can set that environment variable multiple ways:
ForceCommand option is an attack vector. Accounts whose shell isn't bash aren't affected.Once they set this variable, the next time bash opens for any reason, your attacker's code will be run. This is especially fearsome with sudo -s, as it spawns bash as the super-user (an administrative user rule that has full control over your computer's data and programs). Even if you only start bash as a standard user, that user's files can be deleted.
It is important to note that even if you do not use bash yourself, many programs will spawn bash by themselves as part of their operation. Even in this case, you are vulnerable. However, Ubuntu's /bin/sh is not bash, so only programs that explicitly invoke bash and not the default scripting shell are affected.
According to Mitre:
vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.
Use dpkg to check your installed package version:
dpkg -s bash | grep Version
This will look up info on your bash package, and filter the output to only show you the version. The fixed versions are 4.3-7ubuntu1.4, 4.2-2ubuntu2.5, and 4.1-2ubuntu3.4.
For example, I see:
wlan1-loopback% dpkg -s bash | grep Version
Version: 4.3-7ubuntu1.4
and can determine that I am not vulnerable.
The standard update manager will offer you this update. This is a prime example of how security updates are important, no matter what OS you use or how well-maintained it is.
The USN Bulletin states that new versions have been released for Ubuntu 14.04 Trusty Tahr, 12.04 Precise Pangolin, and 10.04 Lucid Lynx. If you are not on one of these LTS versions, but are on a reasonably-recent version, you'll most likely be able to find a patched package.
First, check if you
If you are vulnerable, you should first grab the newest package lists:
sudo apt-get update && sudo apt-get install bash
The first command makes sure that you have the newest package list that includes the fixed version, and the second command installs the newest (fixed) version of bash.
While the bug only appears to come into play when bash is spawned, it's still a good idea to reboot immediately if feasible.
sources.list to point to http://old-releases.ubuntu.com/ubuntu/. Still I don't get any updates for bash. So the fix has probably not been backported yet.
– Michael Härtl
Sep 25 '14 at 12:37
ForceCommand to "By crafting a specific login name or hostname". At the very least you should state that user must be able to authenticate. Your stated conditions might be necessary but is not sufficient.
– Iwan Aucamp
Sep 25 '14 at 14:43
env x='() { :;}; echo vulnerable' bash -c 'echo hello'. Can you explain what exactly this does? If not, I am not going to run it. It's like people shouting one should run rm -r ~ and that sort of stuff.
– don.joey
Sep 25 '14 at 14:56
Stole this off of cft over at Hacker News. If you have trouble with your repos like me(Odroid-XU), then this should work nicely if you want to patch/build from source.
TMPDIR=/tmp/bash-src
mkdir $TMPDIR
cd $TMPDIR
#download bash
wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
#download all patches
for i in $(seq -f "%03g" 1 999); do
wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i
if [[ $? -ne "0" ]]; then
MAX=$(expr $i - 1)
break;
fi
done
tar zxf bash-4.3.tar.gz
cd bash-4.3
#apply all patches
for i in $(seq -f "%03g" 1 $MAX);do
echo apply patch bash43-$i
patch -p0 < ../bash43-$i
done
#build and install
./configure && make
sudo make install
cd ../..
rm -r $TMPDIR
Then run:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
And if you get:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
Then you're all good!
WARNING: make install will install bash in /usr/local/bin, so /bin/bash is not modified and can be invoked from curl !!
Note: The Security Patch for CVE-2014-7169 has been released as a standard security update. There is no need to add additional ppa's to receive this patch. Only the following is needed.
sudo apt-get update
sudo apt-get upgrade
To ensure you have patched bash correctly, run the following command
dpkg -s bash | grep Version
If you are on 14.04 LTS, you should see an output of:
Version: 4.3-7ubuntu1.4
If you are on 12.04 LTS, your output should be:
Version: 4.2-2ubuntu2.5
If you are on 11.04: use below steps (it worked for me)
cd ~/
mkdir bash
wget https://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
for i in $(seq -f "%03g" 0 25); do wget https://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i; done
if it is not downloaded required patche then install ftp package
apt-get install ftp
for i in $(seq -f "%03g" 0 25); do wget https://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i; done
tar zxvf bash-4.3.tar.gz
cd bash-4.3
for i in $(seq -f "%03g" 0 25);do patch -p0 < ../bash43-$i; done
./configure && make && make install
apt-get install build-essential
./configure && make && make install
To see if the patch was applied:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
I'm using Natty 11.04, which is EOL (and I have updated /etc/apt/sources.list to use old-releases.ubuntu.com), so I have to build from source. I wanted to build a .deb, so at least the package manage is "aware" the bash version is not the default one. I am not 100% succesful - however, the package is registered as "newer" and the bash binary ends up fixed, so here is what I did:
apt-get source bash
wget https://gist.githubusercontent.com/drj11/e85ca2d7503f28ebfde8/raw/31bd53ed2e47b220d3c728f5440758e0f76769de/gistfile1.c -O bash_CVE-2014-6271.patch
wget https://gist.githubusercontent.com/drj11/239e04c686f0886253fa/raw/046e697da6d4491c3b733b0207811c55ceb9d927/gistfile1.c -O bash_CVE-2014-6271_plus.patch
cd bash-4.2/
Now, in the (sub)directory bash-4.2/, there is: a file bash-4.2.tar.xz, which needs to be unpacked to get to the bash source; and a subdirectory called debian.
I made the following changes to avoid dependencies on texlive: in bash-4.2/debian/control:
Source: bash
...
Build-Depends: autoconf, autotools-dev, patch, bison, libncurses5-dev,
# texinfo, debhelper (>= 5), texi2html, locales, gettext, sharutils, time, xz-ut
ils
debhelper (>= 5), locales, gettext, sharutils, time, xz-utils
# Build-Depends-Indep: texlive-latex-base, ghostscript
Build-Depends-Indep: ghostscript
... and in bash-4.2/debian/rules:
binary-doc: bash-install #bash-doc-build
dh_testdir
dh_testroot
mkdir -p $(d_doc)/usr/share/doc/$(p)
dh_installdocs -p$(p_doc)
ifeq ($(with_gfdl),yes)
#cp -p build-bash/doc/bashref.pdf $(d_doc)/usr/share/doc/$(p)/.
#dh_link -p$(p_doc) \
# /usr/share/doc/$(p)/bashref.pdf /usr/share/doc/$(p_doc)/bashref.pdf
else
rm -f $(d_doc)/usr/share/doc-base/bashref
endif
rm -f $(d_doc)/usr/share/info/dir*
#cp -p build-bash/doc/bash.html build-bash/doc/bash.pdf \
# $(d_doc)/usr/share/doc/$(p)/
#dh_link -p$(p_doc) \
# /usr/share/doc/$(p)/bash.html /usr/share/doc/$(p_doc)/bash.html \
# /usr/share/doc/$(p)/bash.pdf /usr/share/doc/$(p_doc)/bash.pdf
dh_installchangelogs -p$(p_doc) bash/CWRU/changelog
...
To change the version, in this bash-4.2/ directory, do:
bash-4.2$ dch --local patchCVE
... and fill in the notes in the changelog when asked. This will ensure that the .deb (and related metadata) is called (in my case) bash_4.2-0ubuntu3patchCVE1_i386.deb.
Then you can try building with dpkg-buildpackage -us -uc or debuild command. Note - either of these will re-unpack the source from the zip - thus overriding any patches you may have had! Still, run one of these once so the source is unpacked and built (note debuild may still fail in the end due to texlive, but it should unpack and build the source).
Then, apply the patches; note you should use -p1 here, because currently you're in the bash-4.2/ directory:
bash-4.2$ patch -p1 < ../bash_CVE-2014-6271.patch
bash-4.2$ patch -p1 < ../bash_CVE-2014-6271_plus.patch
Then rebuild patched version by running:
bash-4.2$ fakeroot debian/rules build
This would rebuild the executable; to test it:
bash-4.2$ env VAR='() { :;}; echo Bash is vulnerable!' ./build-bash/bash -c "echo Bash Test"
To build the .deb files, run:
bash-4.2$ fakeroot debian/rules binary
This will save the .deb files in the parent directory; to list their contents:
bash-4.2$ dpkg -c ../bash_4.2-0ubuntu3patchCVE1_i386.deb
To install the .deb:
bash-4.2$ sudo dpkg -i ../bash_4.2-0ubuntu3patchCVE1_i386.deb
However, for some reason, this .deb contains an unpatched binary (?!), so I had to additionally do:
bash-4.2$ sudo cp bash-4.2/build-bash/bash /bin/
... and after that, the test started passing correctly for me:
$ env VAR='() { :;}; echo Bash is!' bash -c "echo Bash Test"
bash: warning: VAR: ignoring function definition attempt
bash: error importing function definition for `VAR'
Bash Test
env x='() { :;}; echo vulnerable' bash -c "echo this is a test" outputs "vulnerable this is a test" on my copy of dash. Ubuntu 12.04. – hookenz Sep 25 '14 at 19:50