Bash Attack Check

TL;DR

A Bash attack (specifically, Shellshock) exploits a vulnerability in older versions of the Bash shell. This guide shows how to check whether your system is vulnerable and how to mitigate the issue.

Checking for Vulnerability

  1. Identify Your Bash Version: The first step is to find out which version of Bash you’re running.
    bash --version

    This command will output something like:

    GNU bash, version 4.3.11(1)-release (x86_64-pc-linux-gnu)
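  2. Vulnerable Versions: Bash versions prior to 4.3.30 are generally considered vulnerable. Versions between 4.3 and 4.3.29 are also susceptible under certain conditions. Distribution packages often carry backported fixes without changing the upstream version number, so treat the version string as a first indication and confirm with the test in step 4.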
  3. Run a Vulnerability Test Script: Several scripts can test for the Shellshock vulnerability. Here’s how to use one:
    1. Download the test script (e.g., from GitHub) and read through it before running it, since it executes with your privileges.
    2. Make the script executable:
      chmod +x shellshock.sh
    3. Run the script:
      ./shellshock.sh
    4. The script will report if your system is vulnerable and provide details.
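  4. Alternative Test with the `env` Command: You can also run a simple one-line test. It uses `env` to set a variable X whose value looks like a function definition followed by an extra command; a vulnerable Bash executes that extra command when it starts: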
    env X='() { :; }; echo vulnerable' bash -c 'echo "This is a test"'
    • If your system prints “vulnerable”, you are likely affected.
    • If it just prints “This is a test”, you are probably safe.
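
The env test from step 4, wrapped in a POSIX shell script that probes each Bash binary on a host, since a system can carry more than one (for example a Homebrew copy next to /bin/bash). This is an added example, not part of the original guide; the function names and the list of candidate paths are assumptions.

```shell
#!/bin/sh
# Added example: behavioural Shellshock probe for every bash binary on a host.
# Function names and the candidate path list are assumptions, not from the guide.

# shellshock_check PATH
#   returns 0 = not vulnerable, 1 = vulnerable, 2 = missing or could not be tested
shellshock_check() {
    _bin=$1
    [ -f "$_bin" ] && [ -x "$_bin" ] || return 2
    # A vulnerable bash executes the command trailing the function definition
    # while importing X, so "vulnerable" shows up in the output. The exit
    # status is ignored on purpose: the verdict is based on the output only.
    _out=$(env X='() { :; }; echo vulnerable' "$_bin" \
               -c 'echo "This is a test"' 2>/dev/null) || :
    case "$_out" in
        *vulnerable*)       return 1 ;;
        *"This is a test"*) return 0 ;;
        *)                  return 2 ;;   # ran, but did not behave like bash
    esac
}

# shellshock_scan [PATH...]
#   probes each path (default: common locations plus the bash found on PATH),
#   prints one line per testable binary, returns 1 if any of them is vulnerable
shellshock_scan() {
    [ $# -gt 0 ] || set -- /bin/bash /usr/bin/bash /usr/local/bin/bash \
        /opt/homebrew/bin/bash "$(command -v bash 2>/dev/null)"
    _rc=0
    for _b in "$@"; do
        _st=0
        shellshock_check "$_b" || _st=$?
        case $_st in
            0) printf '%-11s %s\n' OK "$_b" ;;
            1) printf '%-11s %s\n' VULNERABLE "$_b"; _rc=1 ;;
        esac
    done
    return $_rc
}

# Run this file with the argument --scan to probe the default locations.
if [ "${1:-}" = "--scan" ]; then
    shellshock_scan
fi
```

The same path may be listed twice when /bin/bash is a symlink to /usr/bin/bash; a non-zero exit status from `shellshock_scan` means at least one binary still needs updating.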

Mitigation Steps

  1. Update Bash: The most effective solution is to update your Bash version to 4.3.30 or later.
    • Debian/Ubuntu:
      sudo apt-get update
      sudo apt-get install --only-upgrade bash
    • CentOS/RHEL/Fedora:
      sudo yum update bash
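    • macOS (using Homebrew; this installs a separate Bash and leaves the system /bin/bash unchanged, which is updated through Apple's software updates):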
      brew update
      brew upgrade bash
  2. Apply Patches: If updating isn’t immediately possible, some distributions provide temporary patches. Check your distribution’s security advisories.
  3. Disable Affected Services (Temporary): As a short-term measure, you can disable services that use Bash to execute CGI scripts or other potentially vulnerable code. This is not a long-term solution but can reduce immediate risk.
  4. Web Server Configuration: If the vulnerability is exposed through your web server:
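    • Apache: CGI hands request headers to scripts as environment variables, which is how the attack reaches Bash. Configure Apache not to pass untrusted environment variables to CGI scripts.
    • Nginx: Similar configuration options are available.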

Further Information

For more detailed information, refer to these resources:
