The Shellshock Bash Vulnerability – Patching CentOS

Sep 25, 2014 | Technology

The Shellshock vulnerability and evidence of its use have now been widely reported in tech media. Like the Heartbleed exploit I wrote about back in April, the sheer breadth of the vulnerability is staggering. All of the mainstream Linux distributions contain the vulnerability, which means a large percentage of servers in the web hosting world are exposed to it.

What does the vulnerability look like in the real world?  Here’s a simple test script:

[root@zerbe admin]# export badvar='() { :;}; echo vulnerable'
[root@zerbe admin]#  bash -c "echo I am an innocent sub process in '$BASH_VERSION'"
vulnerable
I am an innocent sub process in 4.1.2(1)-release

The vulnerability allows code that follows a function definition in an environment variable to be executed when a new bash process starts. This provides a vector for all kinds of malicious behavior, including exposing information on the affected server, sending spam, or using the server to attack other servers.

Fortunately, the Linux distributions have moved quickly to fix the vulnerability and make patches available. CentOS has published an updated bash package, which can be installed with yum. After logging in as root on your server, execute the following command:

yum update bash

After the patch, the same example code we used above produces an error when trying to define the function, which stops the trailing code from executing:

[root@zerbe admin]# export badvar='() { :;}; echo vulnerable'
[root@zerbe admin]#  bash -c "echo I am an innocent sub process in '$BASH_VERSION'"
bash: warning: badvar: ignoring function definition attempt
bash: error importing function definition for `badvar'
I am an innocent sub process in 4.1.2(1)-release
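
The manual test above can be wrapped in a small check to run before and after `yum update bash`, or against more than one bash binary on the same host. This is an added example, not part of the original post; the function names are illustrative, and it uses `env` instead of `export` so the test variable never stays in the calling shell's environment.

```shell
#!/bin/sh
# Added example: scripted form of the page's manual Shellshock test.
# Function names are illustrative and do not come from the original post.

# Classify captured probe output. A vulnerable bash prints the marker on a
# line of its own; a patched bash prints only warnings and/or the echo.
classify_probe_output() {
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        echo vulnerable
    else
        echo patched
    fi
}

# Probe one bash binary (default: the bash found on PATH).
# env scopes badvar to the child process only, so unlike `export` it does
# not leave the test variable behind in the administrator's shell.
check_bash() {
    bash_bin=${1:-bash}
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo missing
        return 0
    fi
    out=$(env badvar='() { :;}; echo vulnerable' \
          "$bash_bin" -c 'echo innocent sub process' 2>&1)
    classify_probe_output "$out"
}

# Check every bash binary given as an argument (or the default one) and
# return non-zero if any of them is still vulnerable.
check_all() {
    rc=0
    [ "$#" -eq 0 ] && set -- bash
    for b in "$@"; do
        result=$(check_bash "$b")
        printf '%s: %s\n' "$b" "$result"
        [ "$result" = vulnerable ] && rc=1
    done
    return "$rc"
}

# Usage (after sourcing this file): check_all /bin/bash /usr/local/bin/bash
```

A non-zero return from `check_all` means at least one of the listed binaries still executes the trailing code and needs the updated package.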

If you’re running any type of Linux distribution that is Internet accessible, patch this vulnerability as soon as possible.

Written by Rich Stern
