Shellshock — Am I vulnerable and what do I do?

`Shellshock `__ is the
latest Heartbleed level vulnerability to be discovered. It’s a pretty
long running exploit in how bash handles environment variables. It’s a
good thing to fix asap, especially if you’re running any old services
like telnet, ftp or an old version of apache.

Is my server vulnerable?

Run this.

env x='() { :;}; echo vulnerable' bash -c 'echo test'

If you see

vulnerable
test

You should patch immediately.

However if you see.

test

You should be okay.

How to fix?

Centos/RedHat

yum update bash

Debian/Ubuntu

sudo apt-get update && sudo apt-get install bash

OSX

Unless your running OSX as a critical server somewhere remote, I’d hold
off the solution for now and wait for Apple to distribute an update. If
you need to update.

  • Install homebrew
  • Run
brew update

Then run

brew update bash

Backup your existing vulnerable bash

cp /usr/local/bin/bash /usr/local/bin/bash_old

Then symlink to the new brew installed bash

ln -s /usr/local/Cellar/bash/4.3.25/bin/bash /usr/local/bin/bash

Finally reboot!

Keep an eye on these solutions as time goes on as I fear these patches might not solve the whole problem.